RTOS VxWorks multiple high-risk vulnerability alerts - vulnerability alert - the black bar safety net
Source: www.myhack58.com (MYHACK58:62201995317)
Author: 佚名 (anonymous)
Date: Aug 01, 2019 - 12:00 a.m.


Armis researchers have discovered 11 zero-day vulnerabilities in VxWorks, a popular real-time operating system (RTOS) in use on more than 20 million devices, including industrial, medical and business equipment and other mission-critical devices. The vulnerabilities, collectively named 'URGENT/11', reside in IPnet, the VxWorks TCP/IP stack, affect versions from the past 13 years, and are a rare example of vulnerabilities in the operating system itself. In its 32-year history, MITRE has listed only 13 CVEs affecting VxWorks, none of them as serious as URGENT/11.
In recent years, vulnerabilities in widely used TCP/IP stack implementations have become extremely rare, especially ones that achieve remote code execution on the target device. This class of vulnerability is an attacker's holy grail, because it does not depend on any particular application: all the attacker needs is network access to the target device. When such vulnerabilities are found in a TCP implementation, they can even be used to bypass firewall and NAT solutions, because they hide inside what looks like harmless TCP traffic.

0x01 vulnerability list
The 11 vulnerabilities found consist of 6 critical vulnerabilities that could lead to remote code execution:

  1. CVE-2019-12256: stack overflow when parsing IP options in IPv4 packets
  2. CVE-2019-12255: TCP urgent pointer of 0 causes an integer underflow
  3. CVE-2019-12260: malformed TCP AO option causes TCP urgent pointer state confusion
  4. CVE-2019-12261: TCP urgent pointer state confusion when connecting to a remote host
  5. CVE-2019-12263: TCP urgent pointer state confusion caused by a race condition
  6. CVE-2019-12257: heap overflow in ipdhcpc DHCP Offer/ACK parsing

and 5 that may lead to denial of service, logic errors or information leaks:

  7. CVE-2019-12258: DoS of TCP connections via malformed TCP options
  8. CVE-2019-12262: logic flaw when handling unsolicited reverse ARP replies
  9. CVE-2019-12264: logic flaw in IPv4 assignment by the ipdhcpc DHCP client
  10. CVE-2019-12259: NULL dereference in IGMP parsing leads to denial of service
  11. CVE-2019-12265: information leak via IGMPv3-specific membership reports

0x02 exploit scenarios
The first attack scenario affects VxWorks devices that sit at the network perimeter, such as firewalls. These devices can be attacked directly from the Internet, and the integrity of the internal network depends on them. Using the URGENT/11 vulnerabilities, an attacker can launch a direct attack on such a device, take complete control of it, and then move on to the network it protects.
The second attack scenario affects any vulnerable VxWorks device that has a connection to an external network. URGENT/11 can allow an attacker to take over such a device regardless of any firewall or NAT solution deployed at the network perimeter. Because the vulnerabilities sit low in the stack, the attack remains invisible to such security measures, which treat the traffic as benign.
In the third attack scenario, an attacker on the same local area network as the VxWorks devices can broadcast malicious packets to attack all vulnerable devices at once.

0x03 reducing the likelihood of attack
Reducing the risk from these vulnerabilities is not easy. Unlike the operating systems on PCs, mobile phones and other consumer devices, the underlying operating system of most embedded devices does not receive regular updates. To reduce the risk, you first need to determine which devices are running VxWorks.
Beyond the difficulty of identifying which devices run VxWorks, device manufacturers also face the challenge of providing firmware upgrades within a reasonable time. Many VxWorks devices, such as medical and industrial equipment, must go through extensive testing and certification before a firmware update can be delivered to end users. Until such updates are available, how can users protect themselves?
Fortunately, the vulnerabilities found have some unique identifiers that firewall and IDS solutions can use to detect and block any attempt to exploit them.
For example, the four most critical vulnerabilities found, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263, use the TCP urgent flag to abuse the TCP urgent pointer mechanism. This mechanism is rarely used by ordinary users, so a rule that detects and blocks any use of it can effectively prevent the attack.
To detect and block attempts to exploit the IP options vulnerability, CVE-2019-12256, you can look for any IP packet containing the LSRR or SSRR options and drop it.
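The two indicators above (the TCP URG flag, and the LSRR/SSRR IP options) can be checked with a few lines of packet parsing. The following is an added example, not code from Armis, Wind River or the original alert: it inspects raw IPv4 packets for both indicators, walks the IP options field with the length checks a defensive parser needs, and reports malformed options instead of reading past the buffer. The option type values (131 for LSRR, 137 for SSRR) and the URG flag bit (0x20) are the standard IANA/RFC 793 values; the packet builders and sample packets are constructed here for the demonstration, with IP and TCP checksums left as zero.

```python
import struct

# IANA option type values for the two source-routing options named in the alert.
IPOPT_LSRR = 131   # Loose Source and Record Route (0x83)
IPOPT_SSRR = 137   # Strict Source and Record Route (0x89)
TCP_FLAG_URG = 0x20
PROTO_TCP = 6


def parse_ip_options(raw_options):
    """Walk the IPv4 options field and return the option types seen.

    Every multi-byte option must carry a length byte, and that length must
    fit inside the options field; a bad length stops the walk with an error
    rather than being trusted (a missing check of this kind is what the alert
    describes for CVE-2019-12256)."""
    types = []
    i = 0
    n = len(raw_options)
    while i < n:
        opt = raw_options[i]
        if opt == 0:                      # End of Option List
            break
        if opt == 1:                      # No Operation: single byte
            types.append(opt)
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("option %d truncated: missing length byte" % opt)
        length = raw_options[i + 1]
        if length < 2 or i + length > n:
            raise ValueError("option %d has invalid length %d" % (opt, length))
        types.append(opt)
        i += length
    return types


def inspect_packet(pkt):
    """Return a list of indicator strings for one raw IPv4 packet (bytes).

    An empty list means neither indicator from the alert was present."""
    findings = []
    if len(pkt) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    version_ihl = pkt[0]
    if version_ihl >> 4 != 4:
        return findings                   # not IPv4: outside these rules
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("invalid IHL %d" % ihl)
    proto = pkt[9]
    options = pkt[20:ihl]
    if options:
        try:
            types = parse_ip_options(options)
        except ValueError as err:
            findings.append("malformed-ip-options: %s" % err)
            return findings
        if IPOPT_LSRR in types:
            findings.append("ip-option-lsrr")
        if IPOPT_SSRR in types:
            findings.append("ip-option-ssrr")
    if proto == PROTO_TCP and len(pkt) >= ihl + 20:
        tcp = pkt[ihl:ihl + 20]
        flags = tcp[13]
        urg_ptr = struct.unpack("!H", tcp[18:20])[0]
        if flags & TCP_FLAG_URG:
            findings.append("tcp-urg-flag (urgent pointer=%d)" % urg_ptr)
    return findings


def build_ipv4(payload, proto=PROTO_TCP, options=b""):
    """Constructed sample input: minimal IPv4 header (checksum zero) + options + payload."""
    if len(options) % 4:                  # options are padded to a 4-byte boundary
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def build_tcp(flags, urg_ptr=0):
    """Constructed sample input: minimal 20-byte TCP header with given flags/urgent pointer."""
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, 8192, 0, urg_ptr)


# Constructed sample packets: a plain ACK, an ACK with URG set and pointer 0,
# an ACK carrying an LSRR option, and one with an SSRR option whose length
# claims more bytes than the options field holds.
SAMPLE_PACKETS = {
    "plain-ack": build_ipv4(build_tcp(0x10)),
    "urg-ack": build_ipv4(build_tcp(0x30, urg_ptr=0)),
    "lsrr": build_ipv4(build_tcp(0x10), options=bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 9])),
    "bad-ssrr-length": build_ipv4(build_tcp(0x10), options=bytes([IPOPT_SSRR, 40, 4])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, inspect_packet(pkt) or ["no indicator"])
```

In a real deployment the same two checks would be expressed as IDS rules or firewall filters at the perimeter; the point of the script is to show exactly what those rules match on, and that the option walker itself must validate every length byte before using it.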

0x04 affected versions
The URGENT/11 vulnerabilities affect all VxWorks versions from 6.5 upward.
Patches have been released for VxWorks:
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/