PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks

VDE-2020-002
Last update: 06/05/2025 15:28
Published at: 02/25/2020 10:07
Vendor(s): Phoenix Contact GmbH & Co. KG
External ID: VDE-2020-002

Summary

CVE-2019-12255

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

The vulnerability affects a little-known feature of the TCP/IP protocol: sending out-of-band data, also known as urgent data. Although the feature is rarely used in the real world, its implementation, consisting of an 'Urgent Flag' and an 'Urgent Pointer', is present in the header of every TCP packet. Exploiting these vulnerabilities therefore does not depend on any specific configuration. If a VxWorks device communicates using the TCP protocol, it is vulnerable. It also does not matter which side initiates a TCP connection. An attacker can exploit the vulnerabilities if the VxWorks device is operated as a server that accepts TCP connections, if the VxWorks device connects to a malicious host operated by the attacker, or as a man-in-the-middle, manipulating a TCP connection between the VxWorks device and a legitimate host.

CVE-2019-12258

This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.

Impact

CVE-2019-12255

An attacker can either hijack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port the victim system listens to.

The impact of the vulnerability is a buffer overflow of up to a full TCP receive-window.

CVE-2019-12258

This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.

Affected Product(s)

Model no.  Product name             Affected versions
2989200    FL Switch GHS 12G/8      Firmware <=3.3.0
2700787    FL Switch GHS 12G/8-L3   Firmware <=3.3.0
2700271    FL Switch GHS 4G/12      Firmware <=3.3.0
2700786    FL Switch GHS 4G/12-L3   Firmware <=3.3.0

Vulnerabilities

Published: 09/22/2025 14:58
Weakness: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

Published: 09/22/2025 14:58
Weakness: Session Fixation (CWE-384)
Summary

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is an IPNET security vulnerability: DoS of TCP connection via malformed TCP options.

Remediation

Users are strongly advised to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall must be configured so that either TCP packets with the urgent flag set are dropped or the TCP connection the packet belongs to is terminated.

Note that the urgent flag is a very rarely used feature. Thus, implementing the described firewall rule will most likely not harm usual network operation.
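The decision logic of the firewall rule described above, as an added example that is not part of the Phoenix Contact advisory or any vendor tooling. It classifies a raw IPv4 packet by the URG bit and reports the urgent pointer value; the function names, the sample addresses and ports, and the choice to drop malformed headers are assumptions made for this illustration.

```python
import struct

URG = 0x20  # URG bit in the TCP flags field


def verdict(packet: bytes) -> tuple[str, str]:
    """Classify one raw IPv4 packet as (action, reason) for the URG-drop rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("drop", "malformed IPv4 header")  # assumed policy: fail closed
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ("drop", "malformed IPv4 header")
    if packet[9] != 6:  # IP protocol number 6 = TCP
        return ("accept", "not TCP")
    # Assumption: fragments are reassembled before this check runs, so a
    # non-first fragment (no TCP header in it) is not judged here.
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return ("accept", "non-first fragment")
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        return ("drop", "truncated TCP header")
    # Bytes 12..19 of the TCP header: offset/flags, window, checksum, urgent pointer
    off_flags, _window, _checksum, urg_ptr = struct.unpack("!HHHH", tcp[12:20])
    if off_flags & URG:
        return ("drop", f"URG flag set, urgent pointer {urg_ptr}")
    return ("accept", "URG flag clear")


def sample_packet(flags: int, urg_ptr: int, proto: int = 6) -> bytes:
    """Constructed IPv4+TCP header pair (checksums left at zero), test input only."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, 8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


if __name__ == "__main__":
    for name, pkt in [("PSH|ACK", sample_packet(0x18, 0)),
                      ("URG|PSH|ACK, pointer 0", sample_packet(0x38, 0)),
                      ("URG|ACK, pointer 5", sample_packet(0x30, 5))]:
        print(name, "->", verdict(pkt))
```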

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices

Revision History

Version  Date              Summary
1        02/25/2020 10:07  initial revision
2        06/05/2025 15:28  Fix: added distribution, quotation mark