URGENT/11: VxWorks RTOS 11 0-day vulnerabilities affect 20 million devices - bug warning - the black bar safety net

Author: 佚名 (myhack58), MYHACK58:62201995369
Date: Aug 05, 2019
Source: www.myhack58.com


Armis Labs security researchers recently found 11 0-day vulnerabilities in VxWorks, the real-time operating system (RTOS) most widely used in embedded devices. Because the operating system is deployed across aerospace, defense, industrial, medical, electronics, networking and other key industries, the vulnerabilities are expected to affect more than 20 million devices.
Armis Labs security researchers found the 11 0-day vulnerabilities, collectively named URGENT/11, in the TCP/IP stack of VxWorks, the RTOS most widely used in embedded devices. They affect version 6.5 and later, and so reach back to versions of the [operating system](http://www.myhack58.com/Article/48/Article_048_1.htm) released 13 years ago.
URGENT/11
Of the URGENT/11 vulnerabilities, 6 are classified as critical RCE vulnerabilities; the rest are DoS, information disclosure and logic vulnerabilities. URGENT/11 is very serious because an attacker can take over a device without any user interaction and can even bypass firewalls and other security devices. These properties mean the vulnerabilities can propagate, worm-like, to other networks.
The 6 remote code execution vulnerabilities:
CVE-2019-12256: stack overflow in IPv4 options parsing
This vulnerability is triggered by a carefully crafted IP packet sent to the target device. It requires no particular application or configuration to be running on the device and affects every device running VxWorks v6.9.4 and later. The stack overflow occurs while the IP options in the IPv4 header are being processed, and ultimately leads to RCE.
4 memory corruption vulnerabilities caused by an error in handling the TCP Urgent Pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
These vulnerabilities stem from a processing error in the TCP Urgent Pointer field, a field that current applications rarely use. An attacker can trigger the faulty handling either by connecting directly to an open TCP port on the target device or by hijacking one of the target device's existing TCP connections. Once triggered, the vulnerability causes the application on the target device to receive more bytes from recv() than it originally asked for, corrupting memory on the stack, on the heap, or in variables of the data section. In other words, the attacker can probe the target device's different TCP connections and attack whichever application is easiest to exploit.
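As an added example (not code from the article or from Armis), a defender-side packet check in Python that flags the two network-layer conditions the text above describes: IPv4 packets carrying IP options (the CVE-2019-12256 surface) and TCP segments with the URG flag set (the Urgent Pointer family). It assumes raw IP packets without a link-layer header; the indicator names and the sample packets are constructed for illustration.

```python
import struct

TCP_URG = 0x20      # URG bit in the TCP flags byte
PROTO_TCP = 6

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Parse the IPv4 header and, for TCP, the TCP header of a raw IP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"ip_options": pkt[20:ihl], "tcp": None}
    if proto != PROTO_TCP or len(pkt) < ihl + 20:
        return info
    _, dport, _, _, doff_byte, flags, _, _, urgptr = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = (doff_byte >> 4) * 4
    info["tcp"] = {"dport": dport, "flags": flags, "urgptr": urgptr,
                   "payload_len": len(pkt[ihl + doff:total_len])}
    return info

def urgent11_indicators(pkt: bytes) -> list:
    """Names of URGENT/11-relevant oddities in one packet. Heuristics only: IP options
    and URG segments are both rare in legitimate traffic, so in front of VxWorks hosts
    each is worth logging or dropping."""
    hits, info = [], parse_ipv4_tcp(pkt)
    if info["ip_options"]:
        hits.append("ipv4-options-present")          # CVE-2019-12256 surface
    tcp = info["tcp"]
    if tcp and tcp["flags"] & TCP_URG:
        hits.append("tcp-urg-flag-set")              # Urgent Pointer family surface
        if tcp["urgptr"] > tcp["payload_len"]:       # legal per RFC 793, but unusual
            hits.append("tcp-urgent-pointer-beyond-segment")
    return hits

def constructed_packet(ip_options=b"", flags=0x18, urgptr=0, payload=b"") -> bytes:
    """Constructed sample IPv4/TCP packet used as test input (not captured traffic)."""
    ihl = 20 + len(ip_options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 1, 5 << 4, flags, 8192, 0, urgptr)
    total = ihl + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, total, 0, 0, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + ip_options + tcp + payload
```

Feed it the IP payload of each frame from a capture or tap in front of the VxWorks segment and log any packet for which the list is non-empty.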
CVE-2019-12257: heap overflow in ipdhcpc parsing of DHCP Offer/ACK
This vulnerability is a heap overflow triggered when a vulnerable device parses a forged DHCP response packet. Such packets are parsed by ipdhcpc, the DHCP client built into VxWorks. An attacker on the same subnet as the target device can wait for it to send a DHCP request and answer with a forged DHCP response. A target device waiting for its DHCP server to respond is easily deceived and parses the forged DHCP response message, which overflows the heap with attacker-controlled data and leads to remote code execution.
The 5 vulnerabilities that lead to DoS, information disclosure, or specific logic flaws:
CVE-2019-12258: DoS of TCP connections via forged TCP options
This vulnerability is triggered by sending forged TCP packets containing a specific TCP option to the 4-tuple of an established connection; the attacker does not need to know the connection's sequence numbers, and the TCP connection is dropped.
CVE-2019-12262: logic vulnerability in handling unsolicited Reverse ARP replies
This is a logic error in VxWorks versions 6.5 and above. An attacker on the same subnet can exploit it by sending unsolicited RARP reply packets that add multiple IPv4 addresses to the target device. This corrupts the target device's routing table and causes a DoS of its TCP/IP applications. Triggering the vulnerability repeatedly exhausts memory, causing further failures on the target device.
CVE-2019-12264: logic error in IPv4 address assignment in the ipdhcpc DHCP client
This vulnerability is a logic error in ipdhcpc, the DHCP client built into VxWorks. A vulnerable device accepts the IPv4 address a DHCP server assigns to it even when that address is not a valid unicast address. Much like the RARP vulnerability above, an attacker on the same subnet can force an invalid IPv4 address onto the target device, corrupting its routing table and breaking the target device's network connectivity. In addition, assigning a multicast IP address to the target device opens the door to the IGMP-related vulnerabilities on the device.
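As an added example (not the ipdhcpc code and not from the article), the client-side validation that the two ipdhcpc issues above call for: bounds-checked parsing of the DHCP options (the CVE-2019-12257 failure) and rejection of a non-unicast yiaddr before it is installed (the CVE-2019-12264 logic error). Written in Python over raw BOOTP/DHCP payloads; the transaction-id check and the sample replies are constructed for illustration.

```python
import ipaddress, struct

DHCP_OFFER, DHCP_ACK = 2, 5
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header

def parse_dhcp_options(buf: bytes) -> dict:
    """Bounds-checked walk over the option TLVs: every length is validated first."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("option %d runs past the end of the packet" % code)
        opts[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return opts

def validate_dhcp_reply(pkt: bytes, expected_xid: int) -> ipaddress.IPv4Address:
    """Return yiaddr only if the reply is well-formed, answers our own request
    and assigns an address the host can actually use as a unicast address."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("short or non-DHCP BOOTP message")
    if pkt[0] != 2 or struct.unpack("!I", pkt[4:8])[0] != expected_xid:
        raise ValueError("not a BOOTREPLY for our outstanding transaction")
    msg_type = parse_dhcp_options(pkt[240:]).get(OPT_MSG_TYPE)
    if msg_type not in (bytes([DHCP_OFFER]), bytes([DHCP_ACK])):
        raise ValueError("unexpected DHCP message type")
    addr = ipaddress.IPv4Address(pkt[16:20])        # yiaddr
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback or addr.is_reserved:
        raise ValueError("%s is not a valid unicast address" % addr)
    return addr

def reply_is_acceptable(pkt: bytes, expected_xid: int) -> bool:
    try:
        validate_dhcp_reply(pkt, expected_xid)
        return True
    except ValueError:
        return False

def constructed_reply(yiaddr: str, xid: int = 0x1234, msg_type: int = DHCP_OFFER,
                      extra_options: bytes = b"") -> bytes:
    """Constructed sample BOOTREPLY used as test input (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                      ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    hdr += b"\0" * (236 - len(hdr))                 # chaddr, sname, file
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type]) + extra_options + bytes([OPT_END])
```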
CVE-2019-12259: DoS via NULL dereference in IGMP parsing
From the local subnet, an attacker can exploit this vulnerability by sending unauthenticated packets that crash the target device. To trigger it, the attacker must first assign a multicast address to the target device through a forged DHCP response packet, then send an IGMPv3 membership request packet to the target device; the network stack dereferences a NULL pointer and the target device crashes.
CVE-2019-12265: IGMP information leak via a specific IGMPv3 membership report
Through the CVE-2019-12264 DHCP client vulnerability, a multicast address can be assigned to the target device's network interface. To trigger this vulnerability, the attacker then sends an IGMPv3 membership query report to the target device. This causes an information leak from the target's network stack, and the leaked data is sent back to the attacker in an IGMPv3 membership report.
Attack scenarios
The researchers grouped the attack scenarios for the URGENT/11 vulnerabilities into 3 classes according to the attack surface:
Scenario 1: attacking the network's defenses
Because network and security devices such as switches, routers and firewalls also run VxWorks, a remote attacker can attack these devices directly and, by taking control of them, launch attacks on the devices connected behind them on the network.
For example, there are currently 775,000 SonicWall firewall devices running the VxWorks RTOS connected to the Internet.
Scenario 2: attacking the network from outside
Besides devices directly reachable from the Internet, an attacker will also try to attack IoT devices that are not connected to the Internet directly but communicate with cloud-based applications, for example a Xerox printer. The printer is not connected to the Internet directly; it sits behind a firewall and a NAT device, through which it connects to its cloud application. An attacker who can intercept the TCP connection between the printer and the cloud application can trigger a URGENT/11 RCE vulnerability on the printer and take complete control of it. To intercept the TCP connection, the attacker can use techniques like those of the DNSpionage malware to attack the DNS server and mount a man-in-the-middle attack. Once the attacker controls one network device, they can go on to control other VxWorks devices on the network.
