Wind River VxWorks (Update A)

Act NowCVSS 9.8ICS-CERT ICSA-19-211-01Jul 30, 2019

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Wind River VxWorks TCP/IP stack (IPNET) contains multiple memory corruption vulnerabilities (buffer overflow, stack overflow, integer underflow, race condition, command injection) in versions 6.5 through 6.9.4.11 and Vx7 SR540/SR610. An attacker can send malicious TCP/IP packets to trigger these flaws and execute arbitrary code remotely. The vulnerabilities exist in the core TCP/IP stack used across VxWorks deployments, bootrom network stack, and Advanced Networking Technology (ANT). Affected products include controllers from Rockwell Automation, Xerox multifunction devices, Dräger medical/industrial equipment, and Schneider Electric industrial automation systems.

What this means

What could happen

An attacker with network access to a device running VxWorks could execute arbitrary code remotely, potentially taking control of industrial controllers, RTUs, or other embedded systems that manage critical infrastructure like power generation, water treatment, or manufacturing processes.

Who's at risk

This affects any organization running VxWorks (versions 6.5 and later, including 6.9.4.11, Vx7 SR540/SR610) in industrial controllers, programmable logic controllers (PLCs), remote terminal units (RTUs), network switches, power distribution systems, water treatment equipment, and any embedded system using the VxWorks operating system. Equipment from Rockwell Automation, Xerox, Dräger, and Schneider Electric is confirmed affected.

How it could be exploited

An attacker sends specially crafted TCP/IP packets to a vulnerable VxWorks device on the network. The TCP/IP stack (IPNET) contains memory corruption flaws that are triggered by these packets, allowing the attacker to execute arbitrary code with the same privileges as the affected device.

Prerequisites

Network connectivity to a device running vulnerable VxWorks version
No authentication or credentials required
Device must have TCP/IP stack enabled and reachable from attacker's network segment

remotely exploitableno authentication requiredlow complexityhigh EPSS score (79.5%)no patch availableaffects critical infrastructure devices

Exploitability

Likely to be exploited — EPSS score 82.4%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (7)

5 pending2 EOL

ProductAffected VersionsFix Status

VxWorks: 6.9.4.116.9.4.11No fix yet

VxWorks Vx7: SR540SR540No fix yet

VxWorks Vx7: SR610SR610No fix yet

VxWorks End-of-Life: >=6.5≥ 6.5No fix yet

VxWorks 653: MCE_3.xMCE 3.xNo fix yet

Advanced Networking Technology (ANT): vers:all/*All versionsNo fix (EOL)

VxWorks bootrom network stack: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to VxWorks devices—block inbound connections from untrusted networks; use firewall rules to limit traffic to required ports and sources only

HARDENINGVerify that all VxWorks-based devices are not directly accessible from the Internet; audit network topology and adjust accordingly

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Wind River PSIRT (PSIRT@windriver.com) to request source patches for your specific VxWorks major version

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: Advanced Networking Technology (ANT): vers:all/*, VxWorks bootrom network stack: vers:all/*. Apply the following compensating controls:

HARDENINGSegment control system networks and isolate from business network using firewalls and network access controls

HARDENINGIf remote access is required, deploy secure VPN tunnels and ensure VPN infrastructure is kept current with security updates

CVEs (11)

CVE-2019-12256 CVE-2019-12257 CVE-2019-12255 CVE-2019-12260 CVE-2019-12261 CVE-2019-12263 CVE-2019-12258 CVE-2019-12259 CVE-2019-12262 CVE-2019-12264 CVE-2019-12265

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9fe4e346-da75-4b9b-959f-9cac27e089d7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.