Wind River VxWorks (Update A)
Act Now · 9.8 · ICS-CERT ICSA-19-211-01 · Jul 30, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Wind River VxWorks TCP/IP stack (IPNET) contains multiple memory corruption vulnerabilities (buffer overflow, stack overflow, integer underflow, race condition, command injection) in versions 6.5 through 6.9.4.11 and Vx7 SR540/SR610. An attacker can send malicious TCP/IP packets to trigger these flaws and execute arbitrary code remotely. The vulnerabilities exist in the core TCP/IP stack used across VxWorks deployments, bootrom network stack, and Advanced Networking Technology (ANT). Affected products include controllers from Rockwell Automation, Xerox multifunction devices, Dräger medical/industrial equipment, and Schneider Electric industrial automation systems.
What this means
What could happen
An attacker with network access to a device running VxWorks could execute arbitrary code remotely, potentially taking control of industrial controllers, RTUs, or other embedded systems that manage critical infrastructure like power generation, water treatment, or manufacturing processes.
Who's at risk
This affects any organization running VxWorks (versions 6.5 and later, including 6.9.4.11, Vx7 SR540/SR610) in industrial controllers, programmable logic controllers (PLCs), remote terminal units (RTUs), network switches, power distribution systems, water treatment equipment, and any embedded system using the VxWorks operating system. Equipment from Rockwell Automation, Xerox, Dräger, and Schneider Electric is confirmed affected.
How it could be exploited
An attacker sends specially crafted TCP/IP packets to a vulnerable VxWorks device on the network. The TCP/IP stack (IPNET) contains memory corruption flaws that are triggered by these packets, allowing the attacker to execute arbitrary code with the same privileges as the affected device.
Prerequisites
- Network connectivity to a device running a vulnerable VxWorks version
- No authentication or credentials required
- Device must have its TCP/IP stack enabled and reachable from the attacker's network segment
remotely exploitable · no authentication required · low complexity · high EPSS score (79.5%) · no patch available · affects critical infrastructure devices
Exploitability
High exploit probability (EPSS 79.5%)
Affected products (7)
5 pending, 2 EOL
Product | Affected Versions | Fix Status
VxWorks: 6.9.4.11 | 6.9.4.11 | No fix yet
VxWorks Vx7: SR540 | SR540 | No fix yet
VxWorks Vx7: SR610 | SR610 | No fix yet
VxWorks End-of-Life: >=6.5 | ≥ 6.5 | No fix yet
VxWorks 653: MCE_3.x | MCE 3.x | No fix yet
Advanced Networking Technology (ANT): vers:all/* | All versions | No fix (EOL)
VxWorks bootrom network stack: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to VxWorks devices—block inbound connections from untrusted networks; use firewall rules to limit traffic to required ports and sources only
HARDENING: Verify that all VxWorks-based devices are not directly accessible from the Internet; audit network topology and adjust accordingly
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Contact Wind River PSIRT (PSIRT@windriver.com) to request source patches for your specific VxWorks major version
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Advanced Networking Technology (ANT): vers:all/*, VxWorks bootrom network stack: vers:all/*. Apply the following compensating controls:
HARDENING: Segment control system networks and isolate from business network using firewalls and network access controls
HARDENING: If remote access is required, deploy secure VPN tunnels and ensure VPN infrastructure is kept current with security updates
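
An inventory triage for the audit and network-restriction steps above, added here as an example and not taken from the advisory or from Wind River: it matches asset records against the affected versions this page lists and reports which affected devices have an address or an allow-rule that reaches beyond the trusted networks. The record fields, device names, addresses and the trusted-network list are assumptions, constructed for illustration.

```python
import ipaddress

# Affected releases as listed on this page; anything else is "not listed", not "safe".
LOW, HIGH = (6, 5), (6, 9, 4, 11)
VX7_AFFECTED = {"SR540", "SR610"}
EOL_ALL_VERSIONS = {"ANT", "bootrom"}  # all versions affected, no fix planned

def is_affected(product, version):
    """Match one inventory record against the page's affected-products table."""
    if product in EOL_ALL_VERSIONS:
        return True
    if product == "Vx7":
        return version.upper() in VX7_AFFECTED
    if product == "VxWorks":
        try:
            v = tuple(int(p) for p in version.split("."))
        except ValueError:
            return False  # unparseable version string: review by hand
        return LOW <= v <= HIGH
    return False

def exposure(dev, trusted_nets):
    """List the ways a device is reachable from outside the trusted networks."""
    reasons = []
    addr = ipaddress.ip_address(dev["ip"])
    if not any(addr in net for net in trusted_nets):
        reasons.append("address outside trusted networks")
    for src in dev["allowed_sources"]:
        if not any(ipaddress.ip_network(src).subnet_of(t) for t in trusted_nets):
            reasons.append(f"rule allows {src}")
    return reasons

def triage(inventory, trusted):
    """Return {device name: exposure reasons} for every affected device."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    return {d["name"]: exposure(d, nets)
            for d in inventory if is_affected(d["product"], d["version"])}

# Constructed sample inventory (hypothetical names, private/documentation addresses).
TRUSTED = ["10.20.0.0/16"]
INVENTORY = [
    {"name": "plc-01", "product": "VxWorks", "version": "6.9.4.11",
     "ip": "10.20.5.11", "allowed_sources": ["10.20.5.0/24"]},
    {"name": "rtu-02", "product": "VxWorks", "version": "6.6",
     "ip": "10.20.7.4", "allowed_sources": ["0.0.0.0/0"]},
    {"name": "gw-03", "product": "Vx7", "version": "SR610",
     "ip": "203.0.113.10", "allowed_sources": ["10.20.0.0/16"]},
    {"name": "hmi-04", "product": "VxWorks", "version": "5.5.1",
     "ip": "10.20.9.2", "allowed_sources": ["10.20.9.0/24"]},
]
```

Calling `triage(INVENTORY, TRUSTED)` returns an empty reason list for an affected device that is already restricted to trusted sources, so it still appears in the patch-request queue without a network finding.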
CVEs (11)