Wind River VXWorks IPnet TCP/IP STACK Vulnerabilities

Name
Wind River VXWorks IPnet TCP/IP STACK Vulnerabilities
Tracking Number
2019-001
First Publish Date
29 Jul 2019
Date of Current Status
24 Apr 2020
Next Planned Update
N/A
Description
A number of vulnerabilities in Wind River’s VXWorks IPnet TCP/IP Stack implementation have been reported. These vulnerabilities could allow attackers to hijack existing TCP sessions to inject packets of their choosing or cause Denial of Service attacks.
What You Need To Know?
Security researchers reported multiple flaws in Wind River’s VXWorks IPnet TCP/IP Stack implementation that might allow an attacker to, among other things, hijack an existing TCP/IP connection, inject invalid TCP-segments, assign improper IP addresses or force transmittal of improperly formed data. This, in turn, can lead to man-in-the-middle, replay, and other network-based attacks.

 

Currently available information suggests potential for buffer/heap overflows, race conditions, and NULL-pointer dereferencing that cause system or applications to crash or network connectivity issues due to improper network packets being sent. Current information also suggests access to the local LAN segment would be necessary for exploitation.

The 11 CVEs that were reported for these flaws are CVE-2019-12255 through CVE-2019-12265. Exploitability scores are not yet available for these CVEs.

One of more of these 11 vulnerabilities may affect products with the following:

  • All versions of VxWorks under CURRENT support (6.9.4.11, Vx7 SR540, Vx7 SR610)
  • Older, End-of-Life versions of VxWorks back to 6.5
  • All versions of the discontinued product Advanced Networking Technology (ANT)
  • IPnet when sold as a standalone TCP/IP network stack
  • The VxWorks bootrom network stack

VXWorks 5.3 through 6.4 and all VXWorks Cert versions are NOT affected by these 11 vulnerabilities.

What is Xerox Doing About This?
Xerox is working closely with Wind River and we will continue to monitor the situation as more information is provided by Wind River and the security researchers who reported the vulnerabilities.
Impact
Most Xerox products are not impacted. The following Xerox devices are currently known to be impacted: Phaser 3260, Phaser 3300, Phaser 3320, Phaser 3330, Phaser 3600, Phaser 3635 MFP, Phaser 4600/4620/4622, WorkCentre 3025, WorkCentre 3210/3220, WorkCentre 3215/3225, WorkCentre 3315/3325, WorkCentre 3335/3345, WorkCentre 3550, WorkCentre 4250/4260, WorkCentre 4265, and Xerox B1022/B1025, Xerox Color C60/C70 Printer, Xerox Versant 80 Press, Xerox Versant 180 Press, Xerox Versant 2100 Press, and Xerox Versant 3100 Press.

 

Software releases are available for:

    • WorkCentre 3335/3345, WorkCentre 3215/3225, WorkCentre 4265, WorkCentre 6605, WorkCentre 3615, WorkCentre 3315/3325, WorkCentre 4250/4260, WorkCentre 3025BI, WorkCentre 3205NI, WorkCentre 3215/3225
    • Xerox B1022/B1025
    • Xerox Phaser 3635MFP, Xerox Phaser 4600/4620, Xerox Phaser 4622, Xerox Phaser 3330, Xerox Phaser 3320, Xerox Phaser 6600, Xerox Phaser 3610, Xerox Phaser 3020, Xerox Phaser 3052/3060
    • Xerox Color C60/C70
    • Xerox Versant 80 Press, Xerox Versant 180 Press, Xerox Versant 2100 Press, Xerox Versant 3100 Press.

Plans are underway to implement the patches created by Wind River to address the affected Xerox products. Software releases containing the fixes for these vulnerabilities will continue to be rolled out.

What Should You Do?
Wind River recommends that the following mitigations be performed for all products until patches become available:
  1. Make sure to place your devices behind an external firewall and add a rule to drop/block any TCP-segment where the “Urgent Data” flag URG-flag is
    set.
  2. If your VXWorks version has an internal firewall, make sure that it is also enabled and add the rule to drop/block any TCP-segment where the “Urgent Data” flag URG-flag is set adding the following rule: ‘block in quick proto tcp all flags U/U’.

Always consult your IT department as appropriate.

This notice will be updated as further information becomes available. Please visit the Xerox Security Web Site at https://www.xerox.com/Security for additional updates.