Date: 29 July 2019
This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Wind River VxWorks Platform is a real-time operating system widely used in ICS-related devices and deployed across several sectors, including Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems, and others.
Multiple vulnerabilities exist in the VxWorks default TCP/IP Stack (called IPnet). These vulnerabilities are present in all recent versions of non-certified VxWorks. Some of these vulnerabilities can lead to remote code execution, denial of service and information leaks.
The following vulnerabilities exist in the VxWorks TCP/IP Stack:
- CVE-2019-12255 - TCP Urgent Pointer = 0 leads to integer underflow.
- CVE-2019-12256 - Stack overflow in the parsing of IPv4 packets’ IP options.
- CVE-2019-12257 - Heap overflow in DHCP Offer/Ack parsing inside ipdhcpc.
- CVE-2019-12258 - DoS of TCP connection via malformed TCP options.
- CVE-2019-12259 - DoS via NULL dereference in IGMP parsing.
- CVE-2019-12260 - TCP Urgent Pointer state confusion caused by malformed TCP AO option.
- CVE-2019-12261 - TCP Urgent Pointer state confusion during connect() to a remote host.
- CVE-2019-12262 - Handling of unsolicited Reverse ARP replies (logic flaw).
- CVE-2019-12263 - TCP Urgent Pointer state confusion due to a race condition.
- CVE-2019-12264 - Logic flaw in IPv4 assignment by ipdhcpc DHCP client.
- CVE-2019-12265 - IGMP information leak via IGMPv3 specific membership report.
Devices using the following VxWorks versions that use the TCP/IP stack may be affected by one or more of these CVEs:
- All currently-supported versions of VxWorks (18.104.22.168, Vx7 SR540, Vx7 SR610).
- Previous versions of VxWorks from 6.5 onwards.
- All versions of the discontinued product Advanced Networking Technology (ANT).
- IPnet used as a standalone TCP/IP network stack (prior to 2006).
- The VxWorks bootrom network stack.
WindRiver VxWorks products not affected:
- VxWorks 5.3 through 6.4 inclusive.
- All VxWorks Cert versions.
- VxWorks 653 versions 2.x and earlier.
- VxWorks 653 MCE 3.x CertEdition and later.
- VxWorks 653 MCE 3.x may be affected.
- Wind River has released a new version of the VxWorks real-time operating system (VxWorks 7 SR620) which includes patched code to address these vulnerabilities. If possible, upgrade to the latest version of VxWorks.
- Effectively segment networks and implement demilitarized zones (DMZs) with properly configured firewalls to selectively control and monitor traffic passed between zones.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Please be aware that additional mitigations or patches may be released by ICS device manufacturers and vendors.
WindRiver Security Bulletin: https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
Armis Security Bulletin: https://armis.com/urgent11/
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.