VxWorks 6.9.x < 6.9.4.12 / 7 (SR540) / 7 (SR610) Multiple Vulnerabilities (URGENT/11)

The version of VxWorks installed on the remote host is 6.9.x, prior to 6.9.4.12, or 7 (SR540), or 7 (SR540), and is affected by multiple vulnerabilities :

• A specially crafted IPv4 packet, containing invalid encoded SSRR/LSRR options, may cause call-stack overflow. No specific services beyond IPv4 protocol support is required. (CVE-2019-12256)
• A specially crafted packet containing illegal TCP-options can result in the victim not just dropping the TCP-segment but also drop the TCP-session. (CVE-2019-12258)
• This vulnerability require that the TCP/IP-stack is assigned a multicast address the API intended for assigning unicast addresses or something with the same logical flaw is a prerequisite. (CVE-2019-12259)
• A series of specially crafted TCP-segments where the last step is a TCP-segment with the URG-flag set may cause overflow of the buffer passed to recv(), recvfrom() or ‘recvmsg()’ socket routines. (CVE-2019-12260)
• A specially crafted response to the connection attempt, where also the FIN- and URG-flags are set is sent as a response. This may put the victim into an inconsistent state, which make it possible to send yet another segment that trigger a buffer overflow. (CVE-2019-12261)
• The RARP reception handler verifies that the packet is well formed, but fails to verify that the node has an ongoing RARP-transaction matching the received packet. (CVE-2019-12262)
• A series of segments with and without the URG-flag set must arrive with a very specific timing while an application on the victim is receiving from the session. The victim must be using a SMP-kernel and two or more CPU-cores alternatively an uni-processor kernel where the receiving task and the network task executes at different priorities. (CVE-2019-12263)
• The VxWorks DHCP client fails to properly validate that the offered IP-address in a DHCP renewal or offer response contains a valid unicast address. An attacker may assign multicast or broadcast addresses to the victim. (CVE-2019-12264)
• An attacker can create specially crafted and fragmented IGMPv3 query report, which may result in the victim transmitting undefined buffer content. (CVE-2019-12265)