PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks

VDE-2020-002 (2020-02-25 11:07 UTC+0200)

Affected Vendors

PHOENIX CONTACT

Affected Products

Article                   Article number   Version
FL Switch GHS 4G/12       2700271          <= 3.3.0
FL Switch GHS 4G/12-L3    2700786          <= 3.3.0
FL Switch GHS 12G/8-L3    2700787          <= 3.3.0
FL Switch GHS 12G/8       2989200          <= 3.3.0

Vulnerability Type

Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)

Summary

CVE-2019-12255

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

The vulnerability affects a little-known feature of TCP: sending out-of-band data, also known as urgent data. Although the feature is rarely used in practice, its implementation, consisting of an “Urgent Flag” (URG) and a 16-bit “Urgent Pointer”, is present in the header of every TCP segment. Exploitation therefore does not depend on any specific configuration: if a VxWorks device communicates using TCP at all, it is vulnerable. It also does not matter which side initiates the TCP connection. An attacker can exploit the vulnerability if the VxWorks device is operated as a server that accepts TCP connections, if the VxWorks device connects to a malicious host operated by the attacker, or as a man-in-the-middle manipulating a TCP connection between the VxWorks device and a legitimate host.


CVE-2019-12258

This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.

Impact

CVE-2019-12255

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

An attacker can either hijack an existing TCP session and inject malformed TCP segments, or establish a new TCP session on any TCP port the victim system listens on. No authentication or user interaction is required.

The impact of the vulnerability is a buffer overflow of up to a full TCP receive window, which may lead to remote code execution or a crash of the device.

CVE-2019-12258

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

This vulnerability affects established TCP sessions only. An attacker who knows the source and destination IP addresses and TCP ports of a session can inject crafted TCP segments into the flow and cause the session to be reset. The result is a denial of service of the affected connection; confidentiality and integrity are not affected (C:N/I:N).

Solution

Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall must be configured either to drop TCP packets that have the urgent flag (URG) set or to terminate the TCP connection such a packet belongs to.

Note that the urgent flag is a very rarely used feature, so the described firewall rule will most likely not disrupt normal network operation.
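The following Python example is added here to illustrate both the trigger condition described in the Summary (URG flag set with a 16-bit Urgent Pointer of 0) and the filtering rule recommended above; it is not code from Phoenix Contact or Wind River. It parses the fixed 20-byte TCP header of a constructed segment, implements the "drop any segment with URG set" decision a firewall would apply, and models the arithmetic class the advisory names: decrementing an unsigned 16-bit urgent pointer of 0 without a check wraps to 65535, which is consistent with the "up to a full TCP receive window" bound given above. The function names and the simplified underflow model are illustrative assumptions, not the IPNET implementation.

```python
import struct

# TCP flag bits in the flags byte of the header (RFC 793)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# struct layout of the fixed TCP header: ports, seq, ack, offset/reserved,
# flags, window, checksum, urgent pointer (network byte order, 20 bytes)
TCP_HDR_FMT = "!HHIIBBHHH"


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed TCP header from a raw segment (no IP header)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (sport, dport, seq, ack, off_res, flags,
     window, csum, urgptr) = struct.unpack(TCP_HDR_FMT, segment[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "urgptr": urgptr,
        "payload": segment[data_offset:],
    }


def urgent_length_unsafe(hdr: dict) -> int:
    """Hypothetical model of the faulty arithmetic (NOT IPNET source code):
    the urgent pointer is decremented as a 16-bit unsigned value without
    checking for 0, so urgptr == 0 wraps to 0xFFFF (a full 64 KiB window)."""
    return (hdr["urgptr"] - 1) & 0xFFFF


def urgent_length_safe(hdr: dict) -> int:
    """Hardened counterpart: ignore URG when the pointer is 0 and never
    report more urgent bytes than the segment actually carries."""
    if not hdr["flags"] & TCP_URG:
        return 0
    if hdr["urgptr"] == 0:
        return 0                              # urgent pointer 0 is meaningless
    return min(hdr["urgptr"], len(hdr["payload"]))


def filter_decision(segment: bytes) -> str:
    """The firewall rule from the advisory: drop any TCP segment with URG set.
    Returns "DROP" or "ACCEPT"; malformed headers are dropped as well."""
    try:
        hdr = parse_tcp_header(segment)
    except ValueError:
        return "DROP"
    return "DROP" if hdr["flags"] & TCP_URG else "ACCEPT"


def build_segment(sport: int, dport: int, flags: int, urgptr: int,
                  payload: bytes, seq: int = 1, ack: int = 1,
                  window: int = 8192) -> bytes:
    """Construct a TCP segment with a 20-byte header (checksum left 0).
    Used here only to create constructed sample input."""
    off_res = 5 << 4                          # 5 x 32-bit words, no options
    hdr = struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, off_res,
                      flags, window, 0, urgptr)
    return hdr + payload


if __name__ == "__main__":
    # Constructed sample traffic: a normal segment and one with URG=1, urgptr=0
    normal = build_segment(40000, 80, TCP_PSH | TCP_ACK, 0, b"GET / HTTP/1.0\r\n")
    trigger = build_segment(40000, 80, TCP_PSH | TCP_ACK | TCP_URG, 0, b"A" * 16)
    for name, seg in (("normal", normal), ("urg-ptr-0", trigger)):
        h = parse_tcp_header(seg)
        print(f"{name}: decision={filter_decision(seg)} "
              f"unsafe_len={urgent_length_unsafe(h)} safe_len={urgent_length_safe(h)}")
```

On a Linux-based firewall the equivalent packet rule is `iptables -A FORWARD -p tcp --tcp-flags URG URG -j DROP`, which matches exactly the condition `filter_decision` tests. Dropping on URG alone, rather than only on URG with an urgent pointer of 0, is deliberate: it also covers the other urgent-data issues in the same VxWorks component and costs nothing in practice because legitimate traffic almost never sets the flag.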

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:

Art.-Nr. 107913: AH EN INDUSTRIAL SECURITY “Measures to protect network-capable devices with Ethernet connection against unauthorized access”

Reported by

The vulnerabilities in VxWorks were published by Wind River Systems, Inc.