
VN-2019-002 - Vulnerabilities in Wind River VxWorks (URGENT/11)

  • Article Type: Vulnerability Notice
  • Article Number: 000040646
  • Last Modified: 11/5/2019

Vulnerability Summary

Extreme Networks is reviewing and evaluating product and software exposure to the CVEs listed below, which were reported for VxWorks-based platforms and are collectively known as "URGENT/11."

CVE-2019-12256, CVE-2019-12257, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, CVE-2019-12265

Products Potentially Affected

ERS Platforms (ERS 35xx, ERS 36xx, ERS 48xx, ERS 49xx and ERS 59xx)
EOS Platforms (S-Series, K-Series, and 7100)

No other platforms in our currently supported portfolio use VxWorks; only those listed above are affected.

Impact Details

EOS Platforms (S-Series, K-Series, and 7100)

  • CVEs: 12256, 12260 - Not vulnerable due to VxWorks version
  • CVE: 12259 - Not vulnerable (EOS prevents assigning multicast addresses to the host)
  • CVE: 12262 - Vulnerable, but can be mitigated with a Policy rule (see example below). A fix will be available in the next EOS release, v8.63.07
  • CVEs: 12257, 12265 - Vulnerable but can be mitigated with host ACLs. A fix will be available in the next EOS release, v8.63.07
  • CVEs: 12255, 12258, 12261, 12263, 12264 - Vulnerable. A fix will be available in the next EOS release, v8.63.07

ERS Platforms (ERS 35xx, ERS 36xx, ERS 48xx, ERS 49xx and ERS 59xx)

  • CVEs: 12256, 12260, 12263, 12257, 12264, 12259, 12265 - Not Vulnerable
  • CVEs: 12255, 12261, 12262 - Vulnerable, but an ACL mitigation exists, except for ERS models 4900 and 5900, where this mitigation does not work on OOB ports. Fixes will be available in the ERS releases noted below.
  • CVE: 12258 - Vulnerable. No mitigation currently available. Fixes will be available in the ERS releases noted below.

Planned ERS software patch release dates:
  • ERS 49/5900 - Releases: 7.6.3.203 - Available; 7.7.1 - December 20, 2019
  • ERS 4800 - Release 5.12.5 - November 30, 2019
  • ERS 3500 - Release 5.3.11 - December 31, 2019
  • ERS 3600 - Release 6.3.2 - December 31, 2019

Repair Recommendations

EOS Mitigation Configuration Example
CVE-2019-12262
Filter all RARP packets based on the EtherType:
  set policy profile 1 pvid-status enable pvid 0
  set policy rule admin-profile ether 0x8035 mask 16 admin-pid 1

ERS Mitigation Configuration Examples
CVE-2019-12262
Install a QoS traffic profile to filter packets based on EtherType (the RARP EtherType is 0x8035):
  qos traffic-profile classifier name NORARP ethertype 0x8035 drop-action enable eval-order 1
  qos traffic-profile set port 2/10 name NORARP meter-mode classifier track-statistics individual

CVE-2019-12255, CVE-2019-12261
External Firewall Mitigation (from Wind River)
For applications where devices reside behind a firewall, administrators can add a rule to drop/block any TCP-segment where the URG-flag is set. "Urgent data" is a feature that is used by very few applications - it had some uses in the early days of the Internet together with serial terminals, but it is not used by modern applications such as HTTP, SSH, SSL/TLS, etc.

Per-device mitigation: use a QoS traffic profile to block TCP packets with the URG flag set:
  qos traffic-profile classifier name Traf1 addr-type ipv4 protocol 6 tcp-control u drop-action enable eval-order 1
  qos traffic-profile set port 1/1 name Traf1 meter-mode classifier track-statistics individual
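
As an added illustration that is not part of the Extreme Networks advisory, the following Python mirrors what the two mitigation rules above match (EtherType 0x8035 for RARP, and IPv4 protocol 6 with the TCP URG flag), so an administrator can replay frames from a capture against the same criteria and confirm which ones the policy would drop. All frames, MAC addresses and IP addresses in it are constructed placeholders.

```python
import struct
# Values named in the advisory's filter rules
ETHERTYPE_RARP = 0x8035   # EOS "ether 0x8035 mask 16", ERS "ethertype 0x8035"
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6          # ERS "addr-type ipv4 protocol 6"
TCP_FLAG_URG = 0x20       # ERS "tcp-control u"

def classify(frame: bytes) -> str:
    """Return the rule an Ethernet II frame would hit: 'drop-rarp',
    'drop-tcp-urg', or 'permit' when neither mitigation rule matches."""
    if len(frame) < 14:
        return "permit"                    # runt frame, no EtherType to match
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_RARP:
        return "drop-rarp"
    if ethertype != ETHERTYPE_IPV4:
        return "permit"
    ip = frame[14:]
    if len(ip) < 20:
        return "permit"
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length, options included
    if ip[9] != IP_PROTO_TCP or len(ip) < ihl + 14:
        return "permit"                    # not TCP, or TCP flags byte missing
    flags = ip[ihl + 13]                   # TCP flags byte sits at header offset 13
    return "drop-tcp-urg" if flags & TCP_FLAG_URG else "permit"

def ether(ethertype: int, payload: bytes) -> bytes:
    """Constructed frame; MAC addresses are placeholders."""
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload

def ipv4_tcp(flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4/TCP frame with placeholder addresses 192.168.1.10 -> .20."""
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + 20,
                         0, 0, 64, IP_PROTO_TCP, 0,
                         bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ether(ETHERTYPE_IPV4, ip_hdr + tcp_hdr)

SAMPLES = {  # constructed sample traffic, one frame per case the two rules distinguish
    "rarp_request": ether(ETHERTYPE_RARP, bytes.fromhex("0001080006040003") + bytes(20)),
    "arp_request": ether(0x0806, bytes.fromhex("0001080006040001") + bytes(20)),
    "tcp_ack": ipv4_tcp(0x10),
    "tcp_urg_ack": ipv4_tcp(0x30),
    "tcp_urg_with_ip_options": ipv4_tcp(0x20, ip_options=bytes.fromhex("01010101")),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:24s} {classify(frame)}")
```

The IHL handling matters for the URG check: a switch ACL keys on the real TCP header offset, so a replay tool that assumed a fixed 20-byte IPv4 header would miss URG segments carried in packets with IP options.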

Legal Notice

This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.
