Armis released new information about the scope of the vulnerabilities: they impact more RTOSes than expected.
- Some of the vulnerabilities discovered by Armis do not reside in the VxWorks RTOS itself but in one part of it, the IP stack. This IP stack, named IPNET, comes from Interpeak AB, a company acquired on 20 March 2006 by Wind River, the vendor of the VxWorks RTOS.
- Before being acquired by Wind River, Interpeak AB sold IP stacks to several customers of its own. It sold two major IP stacks, IPNET and IPLITE; IPLITE is a light version of IPNET.
- CVE-2019-12255: TCP Urgent pointer zero RCE vulnerability (IPTCP version r6_0_0 and later)
- CVE-2019-12264: DHCP client (ipdhcpc) IPv4 assignment logical flaw (IPAPPL version r1_2_0 and later)
- CVE-2019-12258: TCP connection DoS via malformed TCP options (version not specified)
- CVE-2019-12259: DoS via NULL dereference in IGMP parsing (version not specified)
- CVE-2019-12262: Reverse ARP logical flaw
Armis discovered during testing that the following RTOSes are potentially affected:
- ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.
- Green Hills Software reports Interpeak IPnet was a third-party add-on for INTEGRITY RTOS from 2003-2006.
- We have not implemented IPNet in our ThreadX releases, and these vulnerabilities do not impact our code base.
- Contrary to other reports, no version of ThreadX either pre- or post-acquisition has included IPNet, the affected software.
- ThreadX customers that have licenses and are also using IPNet should contact Wind River for the appropriate patches.
- Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products.
- TRON Forum reports they only publish the specification for ITRON RTOS. Various implementations are used by many users world-wide and are created by various implementors (some commercial, some academic and some government) according to the specification document.
- TRON Forum, the caretaker of the ITRON specification, has not endorsed the use of any particular TCP/IP stack including one from Interpeak.
- The choice of TCP/IP stack is up to the RTOS vendor and application developers, and thus each application user needs to check whether TCP/IP stack developed by Interpeak is used inside their application.
- TRON Forum will send out a preliminary warning to members by mailing list to notify implementors of the reported vulnerabilities.
- Contact your RTOS vendor and ask whether it integrated the IPNET or IPLITE IP stacks into its RTOS.
- Scan your networks with the Armis security tool URGENT11 DETECTOR.
- See the part named DETECTION below.
Note: the references and security advisories parts have been updated too.
The Armis research team, Armis Labs, has discovered 11 zero day vulnerabilities in VxWorks®, the most widely used operating system you may never have heard about. VxWorks is used by over 2 billion devices including critical industrial, medical and enterprise devices. Dubbed “URGENT/11”, the vulnerabilities reside in VxWorks’ TCP/IP stack (IPnet), impacting all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. Armis has worked closely with Wind River®, the maintainer of VxWorks, and the latest VxWorks 7 released on July 19 contains fixes for all the discovered vulnerabilities.
Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The 5 remaining vulnerabilities are classified as denial of service, information leaks or logical flaws.
- Security Research - White Paper
- BlackHat 2019 Presentation Slides
- BLOGPOST - URGENT/11 Risk Assessment To Help Enterprises Identify Exposed and Impacted Devices
- BLOGPOST - URGENT/11 Presses Further, Affecting Additional RTOSs - Highlights Risks on Medical Devices
CVE | CVSSv3 Score | Description |
---|---|---|
CVE-2019-12256 | 9.8 | Stack overflow in the parsing of IPv4 packets’ IP options |
CVE-2019-12257 | 8.8 | Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc |
CVE-2019-12255 | 9.8 | TCP Urgent Pointer = 0 leads to integer underflow |
CVE-2019-12260 | 9.8 | TCP Urgent Pointer state confusion caused by malformed TCP AO option |
CVE-2019-12261 | 8.8 | TCP Urgent Pointer state confusion during connect() to a remote host |
CVE-2019-12263 | 8.1 | TCP Urgent Pointer state confusion due to race condition |
CVE-2019-12258 | 7.5 | DoS of TCP connection via malformed TCP options |
CVE-2019-12259 | 6.3 | DoS via NULL dereference in IGMP parsing |
CVE-2019-12262 | 7.1 | Handling of unsolicited Reverse ARP replies (Logical Flaw) |
CVE-2019-12264 | 7.1 | Logical flaw in IPv4 assignment by the ipdhcpc DHCP client |
CVE-2019-12265 | 5.4 | IGMP Information leak via IGMPv3 specific membership report |
- CVE-2019-12255: DoS Exploit published & verified
- CVE-2019-12258: DoS Exploit published & verified
- CISA ICS Advisory
- CISA ICS Advisory
- CISA ICSM Advisory
- FDA Advisory
- CCCS Security Advisory
- AUSCERT Security Advisory
- CSIRT GOB CL
- CERT-FR
- CERT-SE
- CNNVD-201907-1490
- https://new.abb.com/news/detail/28733/cyber-security-notification
- http://search.abb.com/library/Download.aspx?DocumentID=8VZZ001892T0001&LanguageCode=en&DocumentPartId=&Action=Launch
- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A6671&LanguageCode=en&DocumentPartId=&Action=Launch
- http://search.abb.com/library/Download.aspx?DocumentID=2GHV057194&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=SI20192&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A8838&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=2PAA120481&LanguageCode=en&DocumentPartId=&Action=Launch
- https://www.br-automation.com/de/service/cyber-security/
- Look for "Cyber Security Advisory 01/2019"
- Support answer: Our products aren't affected, we don't have devices built on VxWorks. (Thanks to L. HSU.)
- https://extremeportal.force.com/ExtrArticleDetail?n=000040646
- https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2019-002
- https://www.gehealthcare.com/security
- Look for "VxWorks TCP/IP Stack (IPnet) Vulnerabilities"
- No security advisory yet but a list of their products using VxWorks:
- http://www.ni.com/product-documentation/53636/en/
- https://www.usa.philips.com/healthcare/about/customer-support/product-security
- Look for "VxWorks Urgent/11 Advisory (1 August 2019)"
- https://diagnostics.roche.com/global/en/legal/product-security-advisory.html
- Look for "URGENT/11 - Multiple vulnerabilities in VxWorks (27 September 2019)"
- https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf
- https://www.sprecher-automation.com/en/it-security/
- Look for "Urgent 11 in Wind River VxWorks"
- https://www.terumobct.com/support/product-security
- Look for "Wind River TCP/IP Stack Security Update"
- Support answer: "Our VxWorks version is not impacted."
- https://support.woodward.com/en/kb/articles/preliminary-notice-woodward-security-bulletin-01661-urgent-11
- https://support.woodward.com/file.php/1529CZSDRTZZZX1528120139B43/01661-.pdf
- https://security.business.xerox.com/en-us/news/wind-river-vxworks-ipnet-tcp-ip-stack-vulnerabilities/
- https://security.business.xerox.com/wp-content/uploads/2019/09/cert_Security_Mini_Bulletin_XRX19U_for_WorkCentre3335-3345.pdf
- https://fortiguard.com/encyclopedia/ips/48263/wind-river-vxworks-large-dhcp-packet-handling-heap-overflow
- https://fortiguard.com/encyclopedia/ips/48250/wind-river-vxworks-ao-option-urgent-pointer-integer-underflow
- https://fortiguard.com/encyclopedia/ips/48249/wind-river-vxworks-zero-urgent-pointer-integer-underflow
- https://fortiguard.com/encyclopedia/ips/48248/wind-river-vxworks-ip-option-handling-stack-overflow
1 : OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability
alert tcp any any -> any any (flags:U+; msg:"OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000002;)
2 : OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability
alert tcp any any -> any any (flags:SUF+; msg:"OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000001;)
alert ip any any -> any any (ipopts:lsrr; msg:"OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000003;)
alert ip any any -> any any (ipopts:ssrr; msg:"OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000004;)
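The conditions the four rules above test for, written out as an added Python example (not part of the original page and not Armis code) that inspects raw IPv4 packets and returns the matching sids. The function names `ip_option_types`, `urgent11_alerts` and `sample_packet` are hypothetical, and the sample packets are constructed.

```python
import struct

LSRR, SSRR = 0x83, 0x89            # IPv4 option types behind ipopts:lsrr / ipopts:ssrr
FIN, SYN, URG = 0x01, 0x02, 0x20   # TCP flag bits
SUF = SYN | URG | FIN

def ip_option_types(opts):
    """Walk the IPv4 options area and return the option types present."""
    seen, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # truncated or bad length: stop walking
        seen.append(kind)
        i += opts[i + 1]
    return seen

def urgent11_alerts(pkt):
    """Return the sids of the four rules above that a raw IPv4 packet matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return []
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return []
    sids = []
    kinds = ip_option_types(pkt[20:ihl])
    if LSRR in kinds:
        sids.append(1000003)
    if SSRR in kinds:
        sids.append(1000004)
    first_fragment = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF == 0
    if pkt[9] == 6 and first_fragment and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13]
        if flags & URG:                    # flags:U+  (URG set, others ignored)
            sids.append(1000002)
        if flags & SUF == SUF:             # flags:SUF+ (SYN, URG and FIN all set)
            sids.append(1000001)
    return sorted(sids)

def sample_packet(tcp_flags, ip_opts=b""):
    """Constructed test packet (documentation addresses, zero checksums)."""
    ihl = 5 + len(ip_opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ip_opts + tcp
```

Telnet and rlogin legitimately send urgent data, so a match on sid 1000002 alone is a lead to investigate rather than a confirmed exploitation attempt.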
- 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
- Available in 2019-08-20 12:01:10 UTC / Snort Subscriber Rules Update / Sourcefire VRT Certified rule pack Snort version 2091401.
- 127108 Wind River VxWorks Multiple Vulnerabilities (URGENT/11) Nessus Misc. 2019/07/29 2019/08/05 CRITICAL
- 127109 Xerox WorkCentre Multiple Vulnerabilities (XRX19-016) (URGENT/11) Nessus Misc. 2019/07/29 2019/08/05 CRITICAL
- 127107 SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11) Nessus Firewalls 2019/07/29 2019/08/05 CRITICAL
- https://fr.tenable.com/blog/critical-vulnerabilities-dubbed-urgent11-place-devices-running-vxworks-at-risk-of-rce-attacks
- QID 13534 Wind River VxWorks Multiple Security Vulnerabilities(URGENT 11) 2019/08/02
- https://discussions.qualys.com/docs/DOC-6835-dashboard-toolbox-query-for-urgent11
Hi Peter,
Thanks for the information, already updated!