Technical Overview – What is URGENT/11?
A detailed technical report on all of the vulnerabilities can be found in the technical white paper.
URGENT/11 is a set of 11 vulnerabilities in VxWorks' TCP/IP stack (IPnet), used by the VxWorks versions listed above. Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The remaining five are classified as denial of service, information leaks or logical flaws. Because each vulnerability affects a different part of the network stack, each one impacts a different set of VxWorks versions; as a group, URGENT/11 affects all the VxWorks versions listed above, with at least one RCE vulnerability affecting each version. A range of affected versions spanning the last 13 years is rare, and is the result of VxWorks' relative obscurity in the research community. The timespan may be even longer: according to Wind River, three of the vulnerabilities were already present in IPnet when it acquired the stack from Interpeak in 2006.
URGENT/11 are the most severe vulnerabilities found in VxWorks to date, an operating system that has had only 13 public CVEs in its 32-year history. They are a unique group of vulnerabilities that allow attackers to bypass NAT and firewalls and take control of devices remotely via the TCP/IP stack, undetected and with no user interaction required. This is because the vulnerabilities sit at a low level inside the TCP/IP stack, so the attack traffic looks like legitimate network activity. Such vulnerabilities need no adaptation to the various devices using the network stack, which makes them exceptionally easy to spread across device types. In most operating systems, fundamental vulnerabilities of this kind in the core networking stack have become extinct, after years of scrutiny uncovered and mitigated such flaws.
As mentioned above, URGENT/11 comprises 11 vulnerabilities, divided into two classes of severity:
Six Critical vulnerabilities, allowing remote-code-execution:
Stack overflow in the parsing of IPv4 options (CVE-2019-12256)
This vulnerability can be triggered by a specially crafted IP packet sent to the target device, even as a broadcast or multicast packet. It does not require any specific application or configuration to be running on the device, and it affects any device running VxWorks v6.9.4 or above with a network connection. The vulnerability is a stack overflow in the handling of IP options in the IPv4 header, which makes RCE straightforward to reach.
Four memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
The following vulnerabilities all stem from erroneous handling of TCP’s Urgent Pointer field. This is an esoteric TCP field that is rarely used in modern applications. An attacker can trigger the erroneous handling of this field by either directly connecting to an open TCP port on the target device, or by hijacking an outbound TCP connection originating from the target device. Once triggered, these vulnerabilities will cause the application on the target device to receive more bytes than expected from the system’s recv() function, leading to a memory corruption of either the stack, the heap, or of global data section variables — depending on which buffer was passed to the recv() function. This means an attacker can probe the various TCP connections of the target device (either inbound or outbound) and attack the application that is the easiest to exploit.
Since the Urgent Pointer field is a built-in feature of TCP, routers, NATs and even firewalls that stand between the target device and the attacker are likely to transfer it intact. This means that even a TCP connection that travels from a vulnerable device to the Internet through multiple routers, NAT and firewall devices can still be hijacked by an attacker on the Internet and used to trigger the vulnerability. This can enable an attacker to not only take over vulnerable devices that are otherwise secured within internal networks, but also penetrate these networks via this path.
The four variants of this attack, each affecting different VxWorks versions:
- TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255); affects VxWorks versions 6.5 to 6.9.3.
- TCP Urgent Pointer state confusion caused by a malformed TCP AO option (CVE-2019-12260); affects VxWorks versions 6.9.4 and above.
- TCP Urgent Pointer state confusion due to a race condition (CVE-2019-12263); affects VxWorks versions 6.6 and above.
- TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261); affects VxWorks versions 6.7 and above.
Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)
This vulnerability is a heap overflow triggered when a vulnerable device parses a specially crafted DHCP response packet. These packets are parsed by ipdhcpc, VxWorks' built-in DHCP client, when it attempts to acquire an IP address from a DHCP server. An attacker located on the same subnet as the target device can wait for it to send a DHCP request and reply quickly with the specially crafted DHCP response. In this scenario the target device, waiting for a response from the network's legitimate DHCP server, is easily fooled by the attacker and parses the crafted DHCP response. This leads to a heap overflow with attacker-controlled data that can result in remote code execution. This vulnerability affects VxWorks versions from 6.5 to 6.9.3.
Five vulnerabilities leading to denial of service, information leaks or logical flaws:
TCP connection DoS via malformed TCP options (CVE-2019-12258)
This vulnerability affects VxWorks versions 6.5 and above, and allows denial-of-service attacks on any TCP connection to or from affected VxWorks devices. The vulnerability can be triggered by sending a specially crafted TCP packet containing certain TCP options with the 4-tuple of an existing connection, but without knowing the sequence numbers of that connection, causing the TCP connection to drop.
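The three packet-level conditions described above (malformed IPv4 options, a TCP segment whose Urgent Pointer is 0 or points outside the segment, and malformed TCP options) can all be checked on the wire before a stack acts on them. The Python below is an added example written for this page; it is not Wind River's IPnet code and not the advisory's own detection logic. It parses raw IPv4/TCP bytes with the standard library, bounds-checks both option lists, and models the unsigned underflow that an unchecked "urgent byte = Urgent Pointer - 1" computation produces under RFC 6093 semantics (a generic model of the arithmetic behind an Urgent Pointer of 0, not IPnet's actual code). The packets, addresses and port numbers are constructed for the example; checksums are left at zero and not verified.

```python
"""Wire-level checks for IPv4 options and the TCP Urgent Pointer and options.
Added example for this page, not IPnet/VxWorks code; sample packets are constructed."""
import struct
from collections import namedtuple

TCP_ACK, TCP_URG = 0x10, 0x20
TcpSegment = namedtuple("TcpSegment", "src_port dst_port seq flags urg_ptr options payload")

def check_tlv_options(opts: bytes, label: str) -> str:
    """Bounds-checked walk of an IPv4 (RFC 791) or TCP (RFC 793) option list:
    kind 0 ends the list, kind 1 is a NOP, anything else is kind,length,data
    with length covering the kind and length bytes (so it is at least 2)."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            return "ok"
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            return f"{label} option {kind} truncated"
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return f"{label} option {kind} has bad length {length}"
        i += length
    return "ok"

def parse_ipv4_tcp(pkt: bytes) -> TcpSegment:
    """Parse an IPv4 packet carrying TCP; raises ValueError on truncated or non-TCP input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= ihl <= total_len <= len(pkt) or pkt[9] != 6:
        raise ValueError("bad IPv4 header or not TCP")
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, _ack, off_flags, _win, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if not 20 <= data_off <= len(tcp):
        raise ValueError("bad TCP data offset")
    return TcpSegment(src, dst, seq, off_flags & 0x01FF, urg, tcp[20:data_off], tcp[data_off:])

def check_ipv4_options(pkt: bytes) -> str:
    return check_tlv_options(pkt[20:(pkt[0] & 0x0F) * 4], "IPv4")

def check_tcp_options(seg: TcpSegment) -> str:
    return check_tlv_options(seg.options, "TCP")

def naive_urgent_index(seg: TcpSegment) -> int:
    """Generic model (not IPnet's code) of an unchecked receiver under RFC 6093
    semantics, where the urgent byte is the one just before the Urgent Pointer:
    urg_ptr - 1 in 16-bit unsigned arithmetic wraps to 0xFFFF when urg_ptr == 0."""
    return (seg.urg_ptr - 1) & 0xFFFF

def check_urgent(seg: TcpSegment) -> str:
    """Hardened check: honour the Urgent Pointer only if it lands inside this segment."""
    if not seg.flags & TCP_URG:
        return "ok"
    if seg.urg_ptr == 0:
        return "URG set with urgent pointer 0"
    if seg.urg_ptr > len(seg.payload):
        return "urgent pointer beyond segment payload"
    return "ok"

def build_ipv4_tcp(payload: bytes, flags: int, urg_ptr: int,
                   tcp_options: bytes = b"", ip_options: bytes = b"") -> bytes:
    """Constructed 10.0.0.1:40000 -> 10.0.0.2:23 packet; checksums left 0 (the parser ignores them)."""
    assert len(tcp_options) % 4 == 0 and len(ip_options) % 4 == 0
    data_off = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 23, 1000, 0, (data_off << 12) | flags, 8192, 0, urg_ptr)
    tcp += tcp_options + payload
    ihl = (20 + len(ip_options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 1, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + ip_options + tcp

def audit(pkt: bytes) -> list:
    """Run every check on one packet; returns the findings (empty list means clean)."""
    seg = parse_ipv4_tcp(pkt)
    results = (check_ipv4_options(pkt), check_tcp_options(seg), check_urgent(seg))
    return [r for r in results if r != "ok"]

# Constructed samples: one benign URG segment and one of each malformed case.
SAMPLES = {
    "normal_urg": build_ipv4_tcp(b"ABCDEF", TCP_ACK | TCP_URG, urg_ptr=3),
    "urg_zero": build_ipv4_tcp(b"ABCDEF", TCP_ACK | TCP_URG, urg_ptr=0),
    "urg_past_end": build_ipv4_tcp(b"ABCDEF", TCP_ACK | TCP_URG, urg_ptr=10),
    "bad_tcp_opts": build_ipv4_tcp(b"", TCP_ACK, 0, tcp_options=bytes([2, 0, 0, 0])),  # MSS, length 0
    "bad_ip_opts": build_ipv4_tcp(b"", TCP_ACK, 0, ip_options=bytes([7, 1, 0, 0])),    # Record Route, length 1
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} {audit(pkt) or 'clean'}  naive urgent index={naive_urgent_index(parse_ipv4_tcp(pkt))}")
```

The same three conditions are what a network sensor would match on: URG set with a zero or out-of-range Urgent Pointer, and an option list whose lengths do not add up. Note that the urgent-pointer checks are per segment; a stack that reassembles urgent data across segments needs the same bound applied against the reassembled stream.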
Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
This vulnerability is a logical error that affects VxWorks versions 6.5 and above, and can allow an attacker on the same subnet to add multiple IPv4 addresses to a target device via unsolicited RARP reply packets. This will disrupt the routing tables of the targeted device and can lead to DoS of any TCP/IP application used by it. Triggering this vulnerability multiple times can also cause memory exhaustion, leading to additional execution failures on the target device.
Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
This vulnerability is a logical error in VxWorks' built-in DHCP client (ipdhcpc), where it is included, and affects VxWorks versions 6.5 and above. A vulnerable device will accept any IPv4 address assigned to it by a DHCP server, even if that address is not a valid unicast address (multicast, broadcast, or another illegal address). Similar to the RARP vulnerability above, an attacker on the same subnet can force the assignment of an invalid IP address to the target device, which leads to erroneous routing tables and disrupts the device's network connectivity. In addition, assigning a multicast IP address to the target device opens it up to the IGMP-related vulnerabilities described below.
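A DHCP client that wants to resist both the rogue-reply scenario behind CVE-2019-12257 and the address-assignment flaw of CVE-2019-12264 needs two things: option parsing that refuses a length byte running past the message, and a check that the offered address is usable unicast before it is configured on the interface. The Python below is an added example written for this page, not VxWorks' ipdhcpc or any code from the advisory; the checks are standard RFC 2131 client behaviour (transaction ID, message type and server identifier matching) plus an address-validity test, not Wind River's fix. The DHCP messages, transaction ID, MAC and IP addresses are constructed for the example.

```python
"""DHCP OFFER/ACK validation for a client. Added example for this page, not
VxWorks' ipdhcpc; messages, transaction ID and addresses are constructed."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 1, 53, 54, 255
BOOTREPLY, DHCPOFFER, DHCPACK = 2, 2, 5

def parse_dhcp(msg: bytes) -> dict:
    """Parse the BOOTP fixed fields and the option TLVs with strict bounds checks;
    a length byte that runs past the message raises instead of being copied."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", msg[:8])
    options, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(msg):
            raise ValueError(f"option {code} missing length byte")
        length = msg[i + 1]
        if i + 2 + length > len(msg):
            raise ValueError(f"option {code} length {length} overruns message")
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ipaddress.IPv4Address(msg[16:20]), "options": options}

def is_usable_unicast(addr: ipaddress.IPv4Address) -> bool:
    """Reject anything that cannot be a host's own interface address
    (multicast, 0.0.0.0, loopback, and the reserved 240/4 block including 255.255.255.255)."""
    return not (addr.is_multicast or addr.is_unspecified or addr.is_loopback or addr.is_reserved)

def validate_reply(msg: bytes, expected_xid: int, chosen_server: str = "") -> str:
    """Return 'accept: <ip>' or 'reject: <reason>' for a reply to our DISCOVER/REQUEST.
    chosen_server is the server identifier we selected in DHCPREQUEST (empty before that)."""
    try:
        d = parse_dhcp(msg)
    except ValueError as e:
        return f"reject: {e}"
    if d["op"] != BOOTREPLY or d["xid"] != expected_xid:
        return "reject: not a reply to our transaction"
    opts = d["options"]
    if opts.get(OPT_MSG_TYPE) not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return "reject: unexpected message type"
    server_id = opts.get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        return "reject: missing server identifier"
    if chosen_server and ipaddress.IPv4Address(server_id) != ipaddress.IPv4Address(chosen_server):
        return "reject: reply from a server we did not select"
    addr = d["yiaddr"]
    if not is_usable_unicast(addr):
        return f"reject: {addr} is not a valid unicast address"
    mask = opts.get(OPT_SUBNET_MASK)
    if mask is not None and len(mask) == 4:
        net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
        if addr in (net.network_address, net.broadcast_address):
            return f"reject: {addr} is the network or broadcast address of {net}"
    return f"accept: {addr}"

def build_reply(xid: int, yiaddr: str, msg_type: int = DHCPOFFER,
                server: str = "10.0.0.1", mask: str = "255.255.255.0") -> bytes:
    """Constructed BOOTREPLY carrying message type, subnet mask and server identifier."""
    fixed = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    fixed += b"\0" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\0" * 8   # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes.fromhex("001122334455") + b"\0" * 10 + b"\0" * 192         # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(mask).packed
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
    return fixed + DHCP_MAGIC + opts + bytes([OPT_END])

XID = 0x5EC0DE11
GOOD_OFFER = build_reply(XID, "10.0.0.50")
MULTICAST_OFFER = build_reply(XID, "224.0.0.1")                   # multicast yiaddr
BROADCAST_OFFER = build_reply(XID, "10.0.0.255")                  # subnet broadcast yiaddr
ROGUE_OFFER = build_reply(XID, "10.0.0.60", server="10.0.0.66")   # reply from an unselected server
OVERRUN_OFFER = GOOD_OFFER[:-1] + bytes([OPT_SERVER_ID, 200])     # option length past end of message

if __name__ == "__main__":
    for name in ("GOOD_OFFER", "MULTICAST_OFFER", "BROADCAST_OFFER", "ROGUE_OFFER", "OVERRUN_OFFER"):
        print(f"{name:16s} {validate_reply(globals()[name], XID, '10.0.0.1')}")
```

The transaction-ID and server-identifier checks do not stop a rogue server on the subnet from answering a DISCOVER first, since the client has not selected a server at that point; what they do is keep any later, unsolicited OFFER or ACK from a different server out of the client's state, and the address check keeps a multicast or broadcast address from ever being configured on the interface, which is the precondition for the IGMP vulnerabilities below.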
DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
This vulnerability is a denial-of-service vulnerability that affects VxWorks versions 6.5 and above, and can lead to a crash of a target device via an unauthenticated packet sent by an attacker within the local subnet. To trigger it, an attacker first forces the assignment of a multicast address on the target device via a specially crafted DHCP response packet. The attacker can then send an IGMPv3 membership query packet to the target device, leading to a NULL dereference in the network stack and crashing the device.
IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)
This vulnerability is an information leak that affects VxWorks versions 6.9.3 and above. A device is affected if it has a multicast address assigned to its network interface, which can be achieved through the DHCP client vulnerability described above (CVE-2019-12264). To trigger this vulnerability, an attacker sends the target device an IGMPv3 membership report that is fragmented over multiple IP fragments. This leads to an information leak of the target's packet heap via an IGMPv3 membership report that is sent back to the attacker.