Interpeak IPnet TCP/IP Stack (Update E)

Act NowCVSS 9.8ICS-CERT ICSA-19-274-01Oct 1, 2019

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Interpeak IPnet TCP/IP stack contains multiple buffer overflow (CWE-121, CWE-122), integer underflow (CWE-191), and memory safety vulnerabilities (CWE-119, CWE-362, CWE-88, CWE-476) that allow remote code execution. The stack is embedded in VxWorks RTOS (versions 6.5 through current SR releases), Enea OSE (versions 4 and 5), Enea INTEGRITY RTOS (2003–2006), and Advanced Networking Technology (ANT). A remote attacker can send a specially crafted network packet to trigger memory corruption and execute arbitrary code at kernel level. Affected products include industrial control systems from Siemens, Rockwell Automation, Mitsubishi Electric, ABB, Schneider Electric, Woodward, and many others that bundle VxWorks or OSE with Interpeak IPnet.

What this means

What could happen

Multiple buffer overflow and memory corruption vulnerabilities in the Interpeak IPnet TCP/IP stack could allow an attacker with network access to execute arbitrary code on industrial devices, potentially enabling control of PLCs, SCADA systems, and safety equipment that depend on this network stack.

Who's at risk

Water authorities and municipal utilities relying on industrial control systems are critical. This vulnerability affects devices using VxWorks RTOS (especially 6.5+ and VxWorks 7 series), Enea OSE real-time OS, Mitsubishi Electric PLCs, Rockwell Automation controllers, Siemens protection relays and power meters, Schneider Electric devices, ABB equipment, Woodward governors, and any industrial device combining these RTOSes with Interpeak's IPnet TCP/IP stack. SCADA systems, RTUs, PLCs, safety controllers, and network-connected instruments are at risk.

How it could be exploited

An attacker on the network sends specially crafted TCP/IP packets to a device running the affected Interpeak IPnet stack. The stack fails to properly validate packet size or structure, triggering a memory corruption flaw (buffer overflow or integer underflow) that allows the attacker to overwrite memory and execute arbitrary code with the privileges of the network stack—typically kernel-level.

Prerequisites

Network reachability to any port on devices running affected stack (VxWorks 6.5+, OSE4/OSE5, INTEGRITY RTOS 2003-2006, ANT, or Interpeak IPnet directly)
No authentication required for exploit
Attacker need only send crafted network packets

Remotely exploitable over networkNo authentication requiredLow complexity—attacker sends crafted packetsHigh EPSS score (79.5%)No vendor fix available—end-of-life or unsupported productsAffects safety-critical systems and real-time control devicesKnown to impact multiple critical infrastructure sectors

Exploitability

Likely to be exploited — EPSS score 82.4%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (9)

5 pending4 EOL

ProductAffected VersionsFix Status

OSE: OSE5OSE5No fix (EOL)

OSE: OSE4OSE4No fix (EOL)

INTEGRITY RTOS: >=2003|<=2006≥ 2003|≤ 2006No fix (EOL)

VxWorks under CURRENT support (6.9.4.11, Vx7 SR540, Vx7 SR610): vers:all/*All versionsNo fix yet

VxWorks: >=6.5≥ 6.5No fix yet

Interpeak IPnet TCP/IP Stack: vers:all/*All versionsNo fix (EOL)

VxWorks bootrom network stack: vers:all/*All versionsNo fix yet

VxWorks 653: MCE_3.xMCE 3.xNo fix yet

Remediation & Mitigation

0/5

Do now

0/5

HOTFIXContact Wind River PSIRT (PSIRT@windriver.com) to request source patches for your VxWorks major version. Apply patches immediately via firmware update to a scheduled maintenance window.

HOTFIXFor non-VxWorks products: contact your device vendor (ABB, Siemens, Rockwell Automation, Mitsubishi Electric, Schneider Electric, Woodward, etc.) and request security patches—many have released advisories.

HARDENINGImplement network segmentation to isolate control system networks from business networks and the internet. Ensure no control devices running affected stack are directly reachable from untrusted networks.

WORKAROUNDDeploy firewall rules to restrict network traffic to control system devices to only necessary ports and authorized IP addresses. Block inbound traffic from the internet.

HARDENINGIf remote access is required for engineering or support, use a VPN and restrict VPN access to authorized personnel only. Ensure VPN is kept up to date.

CVEs (11)

CVE-2019-12256 CVE-2019-12257 CVE-2019-12255 CVE-2019-12260 CVE-2019-12261 CVE-2019-12263 CVE-2019-12258 CVE-2019-12259 CVE-2019-12262 CVE-2019-12264 CVE-2019-12265

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ed5ce990-d55e-4f34-b273-25b56d322d8f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.