Wind River VxWorks SSH and Web Server and General Electric D20MX
Act Now | 9.8 | ICS-CERT ICSA-13-091-01 | Jan 3, 2013
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
VxWorks SSH and web server services contain improper input validation (CWE-20) that allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability affects VxWorks versions 5.5 through 6.9. GE D20MX substation controllers running firmware versions 1.0 through 1.6.2 are affected; versions 1.7 and newer are not vulnerable. An attacker can send specially crafted packets to the SSH daemon or web server to bypass authentication and gain full system control of affected devices.
What this means
What could happen
Attackers with network access could gain full control of affected VxWorks devices and GE D20MX substation controllers without any authentication, allowing them to alter critical power system parameters, disrupt operations, or cause physical damage to equipment.
Who's at risk
Energy sector operators responsible for substation automation and power generation control systems. This specifically affects any facility running GE D20MX substation controllers (versions 1.0–1.6.2) or industrial devices and embedded systems running the Wind River VxWorks kernel (versions 5.5–6.9). This includes power utilities, substations, and critical infrastructure that rely on these platforms for SCADA and protective relay control.
How it could be exploited
An attacker reaches the SSH or web server port on a vulnerable device from the network (port 22 for SSH or port 80/443 for web), sends a malformed input message that bypasses authentication checks due to improper input validation, and gains command execution privileges on the device running the affected VxWorks kernel or D20MX firmware.
Prerequisites
- Network reachability to SSH port (22) or web server ports (80/443) on the affected device
- No credentials required
- Ability to send network packets; low technical complexity
remotely exploitable; no authentication required; low complexity attack; high EPSS score (9.3%); affects safety-critical power system control; no patch available for some VxWorks versions
Exploitability
Moderate exploit probability (EPSS 9.3%)
Affected products (3)
1 with fix, 2 EOL
Product                     Affected Versions    Fix Status
GE D20MX: >=v1.0|<=1.6.2    ≥ v1.0|≤ 1.6.2       v1.8 or later
VxWorks: >=5.5|<=6.9        ≥ 5.5|≤ 6.9          No fix (EOL)
VxWorks: >=6.5|<=6.9        ≥ 6.5|≤ 6.9          No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Immediately isolate affected control system networks from the Internet and business networks using firewalls to block inbound access to SSH and web server ports
WORKAROUND: If remote access is required, implement secure tunneling methods such as VPNs; ensure VPN systems are kept current with security patches
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: For GE D20MX devices: upgrade to firmware version 1.8 or newer using the documented upgrade procedures (TN0110 or TN0111)
HOTFIX: For VxWorks systems: contact Wind River technical support to obtain available patches for your specific VxWorks version (5.5 through 6.9)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: VxWorks: >=5.5|<=6.9, VxWorks: >=6.5|<=6.9. Apply the following compensating controls:
HARDENING: Segment your substation control network from corporate IT infrastructure and the Internet; ensure devices are not directly routable from external networks
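A triage sketch for the version ranges and remediation steps listed above, added here as an example and not taken from ICS-CERT, GE or Wind River. The inventory records, field names and status labels are assumptions, and versions are compared as zero-padded tuples, so a point release past a listed bound (for example 6.9.1) falls outside the range and should be confirmed with the vendor.

```python
import re

# Ranges and remediation text come from the advisory table and remediation list.
AFFECTED = {
    "GE D20MX": ((1, 0), (1, 6, 2), "upgrade firmware to 1.8 or newer (TN0110 or TN0111)"),
    "VxWorks": ((5, 5), (6, 9), "contact Wind River support for a patch; keep the device segmented"),
}
EXPOSED_PORTS = {22, 80, 443}  # SSH and web server ports named in the advisory

def parse_version(text):
    """Turn 'v1.6.2' or '6.9' into a tuple of ints; raise on anything else."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def in_range(version, low, high):
    """Inclusive check on zero-padded tuples, so 1.6 < 1.6.2 and 6.9 == 6.9.0."""
    width = max(len(version), len(low), len(high))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(low) <= pad(version) <= pad(high)

def triage(device):
    """Return (status, action) for one inventory record (hypothetical schema)."""
    rule = AFFECTED.get(device["product"])
    if rule is None:
        return ("not-listed", "no action from this advisory")
    low, high, fix = rule
    try:
        affected = in_range(parse_version(device["version"]), low, high)
    except ValueError:
        return ("unknown-version", "verify the installed version by hand")
    if not affected:
        return ("not-affected", "no action from this advisory")
    open_ports = sorted(EXPOSED_PORTS & set(device.get("reachable_ports", [])))
    if open_ports:
        return ("affected-exposed", f"block inbound {open_ports} now, then {fix}")
    return ("affected-filtered", fix)

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "sub-a-rtu1", "product": "GE D20MX", "version": "v1.6.2", "reachable_ports": [22, 443]},
    {"name": "sub-a-rtu2", "product": "GE D20MX", "version": "1.8", "reachable_ports": [22]},
    {"name": "plc-gw-07", "product": "VxWorks", "version": "6.9", "reachable_ports": []},
    {"name": "plc-gw-09", "product": "VxWorks", "version": "unknown", "reachable_ports": [80]},
]

for d in INVENTORY:
    print(d["name"], *triage(d))
```

Records with status unknown-version are deliberately not cleared: a device whose version cannot be parsed stays on the list until someone confirms it.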