Detections
Analytics
VxWorks 6.x < 6.9.4 Multiple Vulnerabilities (URGENT/11)
critical Nessus Network Monitor Plugin ID 701084
Synopsis
The remote host is running VxWorks embedded Operating System that is affected by multiple attack vectors.Description
The version of VxWorks installed on the remote host is 6.x, prior to 6.9.4, and is affected by multiple vulnerabilities :- A specially crafted TCP-segment with the URG-flag set may cause overflow of the buffer passed to recv(), recvfrom() or recvmsg() socket routines. (CVE-2019-12255)
- A specially crafted IPv4 packet, containing invalid encoded SSRR/LSRR options, may cause call-stack overflow. No specific services beyond IPv4 protocol support is required. (CVE-2019-12257)
Solution
Update to VxWorks version 6.9.4 or later.See Also
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11
Plugin Details
Severity: Critical
ID: 701084
Family: IoT
Published: 7/29/2019
Updated: 7/29/2019
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Patch Publication Date: 7/19/2019
Vulnerability Publication Date: 7/19/2019
Reference Information
CVE: CVE-2019-12255, CVE-2019-12257