ID

VDE-2020-002

Published

2020-02-25 10:07 (CET)

Last update

2020-02-25 10:07 (CET)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No.   Product Name               Affected Version(s)
2989200       FL Switch GHS 12G/8        <= 3.3.0
2700787       FL Switch GHS 12G/8-L3     <= 3.3.0
2700271       FL Switch GHS 4G/12        <= 3.3.0
2700786       FL Switch GHS 4G/12-L3     <= 3.3.0

Summary

CVE-2019-12255

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

The vulnerability affects a little-known feature of the TCP/IP protocol: sending out-of-band data, also known as urgent data. Although the feature is rarely used in the real world, its implementation, consisting of an "Urgent Flag" and an "Urgent Pointer", is present in the header of every TCP packet. Exploiting these vulnerabilities therefore does not depend on any specific configuration: if a VxWorks device communicates using the TCP protocol, it is vulnerable. It also does not matter which side initiates a TCP connection. An attacker can exploit the vulnerabilities if the VxWorks device is operated as a server that accepts TCP connections, if the VxWorks device connects to a malicious host operated by the attacker, or as a man-in-the-middle manipulating a TCP connection between the VxWorks device and a legitimate host.

CVE-2019-12258

This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.

Vulnerabilities

CVE-2019-12255
Last Update: 6. April 2020 09:28
Weakness: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary: Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

CVE-2019-12258
Last Update: 6. April 2020 09:28
Weakness: Session Fixation (CWE-384)
Summary: Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is an IPNET security vulnerability: DoS of TCP connection via malformed TCP options.

Impact

CVE-2019-12255

An attacker can either hijack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port on which the victim system listens.

The impact of the vulnerability is a buffer overflow of up to a full TCP receive-window.

CVE-2019-12258

This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.

Solution

Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall needs to be configured so that either TCP packets with the urgent flag set are dropped, or the TCP connection such a packet belongs to is terminated.

Note that the urgent flag is a very rarely used feature. Implementing the described firewall rule will therefore most likely not harm normal network operation.

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:

Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY “Measures to protect network-capable devices with Ethernet connection against unauthorized access”

Reported by

The vulnerabilities in VxWorks were published by Wind River Systems, Inc.