OTPulse

Interpeak IPnet TCP/IP Stack (Update D)

Act Now | 9.8 | ICS-CERT ICSMA-19-274-01 | Oct 1, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities (CVE-2019-12255, CVE-2019-12262, CVE-2019-12264, CVE-2019-12256) have been identified in the Interpeak IPnet TCP/IP stack, which is bundled in or integrated with OSE (ENEA), INTEGRITY RTOS (Green Hills Software), ZebOS (IP Infusion), VxWorks (Wind River), and some ITRON implementations. The vulnerabilities include buffer overflows (CWE-121, CWE-122), integer underflows (CWE-191), and integer overflow conditions (CWE-119) that can be triggered by remote, unauthenticated attackers via specially crafted network packets. Affected versions range from all versions of products that shipped with Interpeak IPnet to end-of-life versions (VxWorks <= 6.5). The VxWorks bootrom network stack is also affected, though exploitation may be more difficult due to static IP configuration and the lack of TCP port listeners. Successful exploitation allows remote code execution with potential for complete system compromise.

What this means
What could happen
Remote code execution on devices running embedded TCP/IP stacks based on Interpeak IPnet could allow an attacker to execute arbitrary commands on critical network infrastructure devices. This could disrupt communications, alter control logic, or stop operations depending on the device role.
Who's at risk
Water treatment and distribution systems, electric utility SCADA platforms, and any critical infrastructure relying on embedded devices running VxWorks, OSE, INTEGRITY RTOS, ZebOS, or ITRON platforms with Interpeak IPnet TCP/IP stack. This particularly affects older devices and legacy RTOSes that bundled or integrated Interpeak IPnet between 2003 and 2006.
How it could be exploited
An attacker with network access to a vulnerable device can send specially crafted network packets to trigger buffer overflows or integer underflow vulnerabilities in the Interpeak IPnet stack (CVE-2019-12255, CVE-2019-12262, CVE-2019-12264, CVE-2019-12256). No authentication is required. The attacker gains the ability to execute arbitrary code with the privileges of the network stack, typically at the kernel or system level on embedded devices.
Prerequisites
  • Network connectivity to the affected device on any open port
  • No authentication required
  • Device must be running one of the affected RTOS platforms with Interpeak IPnet bundled or integrated
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (79.5%)
  • no patch available for most affected products
  • affects multiple embedded RTOS platforms
  • default network configurations may be exposed
Exploitability
High exploit probability (EPSS 79.5%)
Affected products (8)
6 with fix, 1 pending, 1 EOL

  • Product: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River - ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.
    Affected Versions: 4
    Fix Status: Fix available

  • Product: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River - Green Hills Software reports Interpeak IPnet was a third-party add-on for INTEGRITY RTOS from 2003-2006.
    Affected Versions: ≥ 2003 | ≤ 2006
    Fix Status: Fix available

  • Product: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River - The VxWorks bootrom network stack leverages the same IPnet source as VxWorks and, as a result, is also technically vulnerable to CVE-2019-12256. The same patches and mitigations apply to VxWorks and the bootrom network stack; however, the bootrom normally uses statically assigned IP addresses, not DHCP. If that is true, then the defects related to those protocols do not apply in practice. Also, a successful exploit of the bootrom network stack has a more difficult timing component. In typical applications, the bootrom does not listen on TCP ports, which means that the TCP-related issues must be timed with the target downloading data from the network.
    Affected Versions: All versions
    Fix Status: Fix available

  • Product: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River - VxWorks 653 MCE 3.x may be affected. Contact Wind River customer support (support@windriver.com) for more details.
    Affected Versions: 653 MCE 3.x
    Fix Status: Fix available

  • Product: All
    Affected Versions: All versions
    Fix Status: No fix yet

  • Product: ENEA OSE 5
    Affected Versions: 5
    Fix Status: No fix (EOL)

  • Product: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River - Older, end-of-life
    Affected Versions: ≤ 6.5
    Fix Status: Fix available

  • Product: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River - The Interpeak IPnet stack has been identified to be affected by CVE-2019-12255, CVE-2019-12262, and CVE-2019-12264.
    Affected Versions: All versions
    Fix Status: Fix available

Remediation & Mitigation
Do now
All
  • HARDENING: For all affected platforms: Implement network segmentation to restrict access to devices running vulnerable RTOS platforms; isolate embedded devices to a dedicated VLAN with firewall rules that block unnecessary inbound traffic
All products
  • HOTFIX: Contact Wind River PSIRT (PSIRT@windriver.com) to request VxWorks source code patches for your major version
  • HOTFIX: For INTEGRITY RTOS: Check with Green Hills Software support to confirm if your version includes the Interpeak IPnet add-on (2003-2006 timeframe) and request consulting services for mitigation strategies
  • WORKAROUND: Disable unnecessary network services and ports on affected embedded devices to reduce attack surface
  • WORKAROUND: For VxWorks bootrom stack: If your bootrom uses static IP assignment (not DHCP), disable DHCP-related protocol support; ensure bootrom does not listen on TCP ports during normal operation
Long-term hardening
  • HOTFIX: For OSE-based systems: Verify whether your devices are running OSE4/OSE5 with bundled Interpeak IPnet (2004-2006 versions); if so, plan replacement with OSENet-based versions