Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and vx7 has an array index error in the IGMPv3 client component. There is an IPNET security vulnerability: DoS via NULL dereference in IGMP parsing.

Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and vx7 has an array index error in the IGMPv3 client component. There is an IPNET security vulnerability: DoS via NULL dereference in IGMP parsing.

  - Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and vx7 has an array index error in the IGMPv3 client component.
    There is an IPNET security vulnerability: DoS via NULL dereference in IGMP parsing. (CVE-2019-12259)

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

The version of VxWorks installed on the remote host is 6.9.x, prior to 6.9.4.12, or 7 (SR540), or 7 (SR540), and is affected by multiple vulnerabilities :

 - A specially crafted IPv4 packet, containing invalid encoded SSRR/LSRR options, may cause call-stack overflow. No specific services beyond IPv4 protocol support is required. (CVE-2019-12256)
 - A specially crafted packet containing illegal TCP-options can result in the victim not just dropping the TCP-segment but also drop the TCP-session. (CVE-2019-12258)
 - This vulnerability require that the TCP/IP-stack is assigned a multicast address the API intended for assigning unicast addresses or something with the same logical flaw is a prerequisite. (CVE-2019-12259)
 - A series of specially crafted TCP-segments where the last step is a TCP-segment with the URG-flag set may cause overflow of the buffer passed to recv(), recvfrom() or 'recvmsg()' socket routines. (CVE-2019-12260)
 - A specially crafted response to the connection attempt, where also the FIN- and URG-flags are set is sent as a response. This may put the victim into an inconsistent state, which make it possible to send yet another segment that trigger a buffer overflow. (CVE-2019-12261)
 - The RARP reception handler verifies that the packet is well formed, but fails to verify that the node has an ongoing RARP-transaction matching the received packet. (CVE-2019-12262)
 - A series of segments with and without the URG-flag set must arrive with a very specific timing while an application on the victim is receiving from the session. The victim must be using a SMP-kernel and two or more CPU-cores alternatively an uni-processor kernel where the receiving task and the network task executes at different priorities. (CVE-2019-12263)
 - The VxWorks DHCP client fails to properly validate that the offered IP-address in a DHCP renewal or offer response contains a valid unicast address. An attacker may assign multicast or broadcast addresses to the victim. (CVE-2019-12264)
 - An attacker can create specially crafted and fragmented IGMPv3 query report, which may result in the victim transmitting undefined buffer content. (CVE-2019-12265)

According to its self-reported version, the remote Xerox WorkCentre is  affected by multiple remote code execution and denial-of-service vulnerabilities in the IPnet TCP/IP stack. An unauthenticated, remote, attacker could leverage these vulnerabilities to gain full access to the affected device or to cause the device to become unresponsive.

According to its self-reported version, the remote device is potentially affected by multiple Wind River VxWorks remote code execution and denial-of-service vulnerabilities in the IPnet TCP/IP stack. An unauthenticated, remote, attacker could leverage these vulnerabilities to gain full access to the affected device or to cause the device to become unresponsive.

Note that Nessus has not checked for the presence of the patch so this finding may be a false positive.

According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected by multiple vulnerabilities:

  - Stack overflow in the parsing of IPv4 packets IP options. (CVE-2019-12256)

  - TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)

  - TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260)

  - TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261)

  - TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263)

  - Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)

  - TCP connection DoS via malformed TCP options (CVE-2019-12258)

  - Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)

  - Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)

  - DoS via NULL dereference in IGMP parsing (CVE-2019-12259)

  - IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
500058	Siemens Null Pointer Dereference in Wind River VxWorks (CVE-2019-12259)	Tenable OT Security	Tenable.ot	high
701083	VxWorks 6.9.x < 6.9.4.12 / 7 (SR540) / 7 (SR610) Multiple Vulnerabilities (URGENT/11)	Nessus Network Monitor	IoT	critical
127109	Xerox WorkCentre Multiple Vulnerabilities (XRX19-016) (URGENT/11)	Nessus	Misc.	critical
127108	Wind River VxWorks Multiple Vulnerabilities (URGENT/11)	Nessus	Misc.	critical
127107	SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11)	Nessus	Firewalls	critical

Detections

Analytics

CVE-2019-12259

high

Tenable Plugins

high

critical

critical

critical

critical