
VN-2019-002 - Vulnerabilities in Wind River VxWorks (URGENT/11)


Vulnerability Notice

 
Vulnerability Summary
Extreme Networks is reviewing and evaluating product and software exposure to the CVEs listed below, reported for VxWorks-based platforms and collectively known as "URGENT/11."

CVE-2019-12256, CVE-2019-12257, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, CVE-2019-12265
Products Potentially Affected
ERS Platforms (ERS 35xx, ERS 36xx, ERS 48xx, ERS 49xx and ERS 59xx)
EOS Platforms (S-Series, K-Series, and 7100)

No other platforms in our currently supported portfolio utilize VxWorks and only those listed above are impacted.
Impact Details
EOS Platforms (S-Series, K-Series, and 7100)
  • CVEs: 12256, 12260 - Not Vulnerable due to VxWorks version
  • CVE: 12259 - Not vulnerable (EOS prevents assigning multicast addresses to the host)
  • CVE: 12262 - Vulnerable, but can be mitigated with a Policy rule (see example below). A fix will be available in the next EOS release, v8.63.07
  • CVEs: 12257, 12265 - Vulnerable but can be mitigated with host ACLs.
  • CVEs: 12255, 12261, 12263 - Vulnerable, and a fix will be available in next EOS release, v8.63.07
  • CVE: 12264 - Further investigation required
  • CVE: 12258 - Vulnerable

ERS Platforms (ERS 35xx, ERS 36xx, ERS 48xx, ERS 49xx and ERS 59xx)
  • CVEs: 12256, 12260, 12263, 12257, 12264, 12259, 12265 - Not Vulnerable
  • CVEs: 12255, 12261, 12262 - Vulnerable, but an ACL mitigation exists, except for ERS models 4900 and 5900, where this mitigation does not work on OOB ports.
  • CVE: 12258 - Vulnerable. No mitigation currently available.
Repair Recommendations
EOS Mitigation Configuration Example
CVE-2019-12262
Filter all RARP packets based on the EtherType:
set policy profile 1 pvid-status enable pvid 0
set policy rule admin-profile ether 0x8035 mask 16 admin-pid 1

ERS Mitigation Configuration Examples
CVE-2019-12262
Install a QoS traffic profile to filter packets based on EtherType (the RARP EtherType is 0x8035):
qos traffic-profile classifier name NORARP ethertype 0x8035 drop-action enable eval-order 1
qos traffic-profile set port 2/10 name NORARP meter-mode classifier track-statistics individual
 
CVE-2019-12255, CVE-2019-12261
External Firewall Mitigation (from Wind River)
For applications where devices reside behind a firewall, administrators can add a rule to drop/block any TCP-segment where the URG-flag is set. "Urgent data" is a feature that is used by very few applications - it had some uses in the early days of the Internet together with serial terminals, but it is not used by modern applications such as HTTP, SSH, SSL/TLS, etc.

Per-device mitigation: use a QoS traffic profile to block TCP packets with the URG flag set:
qos traffic-profile classifier name Traf1 addr-type ipv4 protocol 6 tcp-control u drop-action enable eval-order 1
qos traffic-profile set port 1/1 name Traf1 meter-mode classifier track-statistics individual
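The two mitigations above (dropping EtherType 0x8035 for RARP, and dropping IPv4/TCP segments with the URG flag set) can be checked against sample packets with the following added Python classifier. It is not Extreme's or Wind River's code; the frames, MAC/IP addresses and port numbers in it are constructed for illustration.

```python
import struct
from typing import Optional

# EtherType and TCP flag constants used by the mitigations above.
ETHERTYPE_RARP = 0x8035
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_URG = 0x20  # URG is bit 5 of the TCP flags byte


def matching_rule(frame: bytes) -> Optional[str]:
    """Return the mitigation classifier an Ethernet frame would hit
    (NORARP for EtherType 0x8035, Traf1 for IPv4/TCP with URG set),
    or None if the frame passes both filters."""
    if len(frame) < 14:               # not even a full Ethernet header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_RARP:
        return "NORARP"
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 14:
        return None                   # not TCP, or TCP flags byte missing
    if ip[ihl + 13] & TCP_URG:        # flags byte is offset 13 of the TCP header
        return "Traf1"
    return None


# Constructed sample frames (placeholder addresses, hypothetical ports).
def _eth(ethertype: int, payload: bytes) -> bytes:
    return b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload


def _ipv4_tcp(tcp_flags: int) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return _eth(ETHERTYPE_IPV4, ip + tcp)


RARP_REQUEST = _eth(ETHERTYPE_RARP, b"\x00\x01\x08\x00\x06\x04\x00\x03" + b"\x00" * 20)
TCP_URG_SEGMENT = _ipv4_tcp(0x38)    # PSH|ACK|URG: dropped by Traf1
TCP_PLAIN_SEGMENT = _ipv4_tcp(0x18)  # PSH|ACK: passes both filters

if __name__ == "__main__":
    for name, f in [("RARP", RARP_REQUEST), ("TCP URG", TCP_URG_SEGMENT), ("TCP", TCP_PLAIN_SEGMENT)]:
        print(f"{name}: {matching_rule(f) or 'pass'}")
```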
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.
