Attacker Value
Moderate
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-12256 - VxWorks IPv4 Options Buffer Overflow

Disclosure Date: August 09, 2019
CVE-2019-12256 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the IPv4 component. There is an IPNET security vulnerability: Stack overflow in the parsing of IPv4 packets’ IP options.

Add Assessment

3
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Difficult to weaponize
Technical Analysis

Capability problems with exploitation: an attacker needs a payload to do something other than a DoS. Shellcode for embedded OSes like this needs to be customized for each firmware version and device, which causes problems. This significantly increases the cost for an attacker to do something other than a DoS since it has to be customized to the target. High utility for an advanced actor who has the capability to develop custom payloads and a particular target in mind. Low utility for a low-skilled actor who wants to ‘spray and pray’.

Mitigations: folks should limit opportunities by having strong malformed-packet filtering at the network level. Routers and switches should not be based on VxWorks at the edge.

https://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf

Another interesting issue with this vulnerability lies around getting the malformed packets from the edge of a network into the core of the target device. Each device needs independent analysis to determine the risk. An edge device would be riskier than a core, one. In this particular case, it’s really surprising however that VxWorks did not just isic, which has been around for years and years to find a vulnerability like this: http://isic.sourceforge.net/

Note: when validating the Urgent/11 scanner here: https://github.com/ArmisSecurity/urgent11-detector we found that it was unlikely to be effective across even a minimal security boundary of a standard router between network segments. We had a hard time testing it since the malformed packets were discarded by several commodity and not specially-configured kit.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
exploit
Utility Class
rce
Ports
Unknown
OS
VxWorks
Vulnerable Versions
>=6.94
Prerequisites
Unknown
Discovered By
Armis
Dor Zusman
Ben Seri
Gregory Vishnepolsky
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • belden,
  • netapp,
  • siemens,
  • sonicwall,
  • windriver

Products

  • e-series santricity os controller,
  • garrettcom magnum dx940e firmware,
  • hirschmann hios,
  • power meter 9410 firmware,
  • power meter 9810 firmware,
  • ruggedcom win7000 firmware,
  • ruggedcom win7018 firmware,
  • ruggedcom win7025 firmware,
  • ruggedcom win7200 firmware,
  • siprotec 5 firmware,
  • sonicos,
  • sonicos 6.2.7.0,
  • sonicos 6.2.7.1,
  • sonicos 6.2.7.7,
  • vxworks

Additional Info

Authenticated
Never
Exploitable
Always
Reliability
Strong
Stability
Unknown
Available Mitigations
Very Weak
Shelf Life
Medium
Userbase/Installbase
Large
Patch Effectiveness
Very High
Technical Analysis