Submitted URL: https://www.us-cert.gov/ics/advisories/icsa-19-274-01
Effective URL: https://www.cisa.gov/news-events/ics-advisories/icsa-19-274-01
Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

ICS Advisory


INTERPEAK IPNET TCP/IP STACK (UPDATE D)

Last Revised
May 12, 2020
Alert Code
ICSA-19-274-01



1. EXECUTIVE SUMMARY

 * CVSS v3 9.8
 * ATTENTION: Exploitable remotely/low skill level to exploit/public exploits
   are available
 * Vendors: ENEA, Green Hills Software, ITRON, IP Infusion, Wind River
 * Equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS
   by IP Infusion, and VxWorks by Wind River
 * Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow,
   Integer Underflow, Improper Restriction of Operations within the Bounds of a
   Memory Buffer, Race Condition, Argument Injection, Null Pointer Dereference

CISA is aware of a public report detailing vulnerabilities found in the
Interpeak IPnet TCP/IP stack. The Interpeak IPnet stack vulnerabilities were
first reported under ICSA-19-211-01 Wind River VxWorks. These vulnerabilities
have expanded beyond the affected VxWorks systems and affect additional
real-time operating systems (RTOS). CISA has reached out to the affected vendors
named in the report and asked them to confirm the vulnerabilities and identify
mitigations. CISA is issuing this advisory to provide early notice of the
reported vulnerabilities and to identify baseline mitigations for reducing the
risk of these and other cybersecurity attacks.


2. UPDATE INFORMATION

This updated advisory is a follow-up to the updated advisory titled
ICSA-19-274-01 Interpeak IPnet TCP/IP Stack (Update C) that was published
February 18, 2020, to the ICS webpage on us-cert.gov.


3. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code
execution.


4. TECHNICAL DETAILS


4.1 AFFECTED PRODUCTS

The Interpeak IPnet stack has been identified to be affected by CVE-2019-12255,
CVE-2019-12262, and CVE-2019-12264.

The following RTOS are affected:

ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from
2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.

Green Hills Software reports Interpeak IPnet was a third-party add-on for
INTEGRITY RTOS from 2003-2006.

Wind River reports the following versions of VxWorks are affected:

 * All versions of VxWorks under current support (6.9.4.11, Vx7 SR540, Vx7
   SR610) are affected by one or more of the CVE numbers detailed below.
 * Older, end-of-life versions of VxWorks back to 6.5 are also affected by one
   or more of the CVE numbers below.
 * All versions of the discontinued product Advanced Networking Technology (ANT)
   are likely affected by one or more of the CVE numbers below.
 * The VxWorks bootrom network stack leverages the same IPnet source as VxWorks
   and, as a result, is also technically vulnerable to CVE-2019-12256. The same
   patches and mitigations apply to VxWorks and the bootrom network stack;
   however, the bootrom normally uses statically assigned IP addresses, not
   DHCP. Where that is the case, the DHCP-related defects do not apply in
   practice. A successful exploit of the bootrom network stack also has a more
   difficult timing component: in typical applications the bootrom does not
   listen on TCP ports, so the TCP-related issues must be timed with the target
   downloading data from the network.
 * VxWorks 653 MCE 3.x may be affected. Contact Wind River customer support
   (support@windriver.com) for more details.

The following VxWorks products are not affected:

 * The latest release of VxWorks, VxWorks 7 SR620, is NOT affected by any of
   these CVEs.
 * VxWorks 5.3 through VxWorks 6.4 inclusive are NOT affected.
 * VxWorks Cert versions are NOT affected.
 * VxWorks 653 Versions 2.x and earlier are NOT affected.
 * VxWorks 653 MCE 3.x Cert Edition and later are NOT affected.

CISA will update this document as more mitigations are identified by affected
vendors.


4.2 VULNERABILITY OVERVIEW

4.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

This vulnerability resides in the IPv4 option parsing and may be triggered by
IPv4 packets containing invalid options.
The most likely outcome of triggering this defect is that the tNet0 task
crashes. This vulnerability can result in remote code execution.

CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
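As an added defensive illustration (not code from the advisory, Wind River or Interpeak), the check an IPv4 option parser must make before trusting an option's length byte: the walk below rejects any option whose declared length runs past the header length, which is the class of invalid option the description above refers to. Both sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return values of ipv4_walk_options() on malformed input. */
enum { IPV4_OPTS_BAD_HEADER = -1, IPV4_OPTS_BAD_OPTION = -2 };

/*
 * Walk the IPv4 options area without trusting any length byte.
 * Every option length is checked against the header length (IHL) before
 * it is used to advance, which is the check an options parser must make
 * before copying option data anywhere. Returns the number of options seen
 * (NOPs included, End-of-Option-List excluded) or a negative code.
 * If opt_out is non-NULL, up to max_opts option type bytes are stored there.
 */
int ipv4_walk_options(const uint8_t *pkt, size_t pkt_len,
                      uint8_t *opt_out, size_t max_opts)
{
    if (pkt_len < 20 || (pkt[0] >> 4) != 4)
        return IPV4_OPTS_BAD_HEADER;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* header length in bytes */
    size_t total_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > pkt_len || total_len < ihl || total_len > pkt_len)
        return IPV4_OPTS_BAD_HEADER;

    size_t pos = 20, count = 0;
    while (pos < ihl) {
        uint8_t type = pkt[pos];
        if (type == 0)                                  /* End of Option List */
            break;
        if (opt_out && count < max_opts)
            opt_out[count] = type;
        if (type == 1) {                                /* No Operation: 1 byte */
            pos++; count++; continue;
        }
        if (pos + 1 >= ihl)                             /* no room for a length byte */
            return IPV4_OPTS_BAD_OPTION;
        uint8_t len = pkt[pos + 1];
        if (len < 2 || pos + len > ihl)                 /* length must stay inside IHL */
            return IPV4_OPTS_BAD_OPTION;
        pos += len; count++;
    }
    return (int)count;
}

/* Constructed sample headers (not captures): IHL 7, no payload, checksum left zero. */
const uint8_t GOOD_PKT[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00,   /* v4, IHL 7, total length 28 */
    0x40, 0x02, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x0a,   /* TTL 64, IGMP, src 192.168.1.10 */
    0xe0, 0x00, 0x00, 0x16,                           /* dst 224.0.0.22 */
    0x01, 0x94, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00    /* NOP, Router Alert (len 4), EOOL */
};
const uint8_t BAD_PKT[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x02, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x0a,
    0xe0, 0x00, 0x00, 0x16,
    0x94, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00    /* Router Alert claiming length 16 */
};

int main(void)
{
    printf("good packet: %d options\n", ipv4_walk_options(GOOD_PKT, sizeof GOOD_PKT, NULL, 0));
    printf("bad packet: %d\n", ipv4_walk_options(BAD_PKT, sizeof BAD_PKT, NULL, 0));
    return 0;
}
```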

4.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

DHCP packets may go past the local area network (LAN) via DHCP relays, but are
otherwise confined to the LAN.
The DHCP client may be used by VxWorks and in the bootrom. The bootrom, when
using DHCP/BOOTP, is only vulnerable during the boot process.

This vulnerability may be used to overwrite the heap, which could result in a
later crash when a task requests memory from the heap. This vulnerability can
result in remote code execution.

CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.3 INTEGER UNDERFLOW (WRAP OR WRAPAROUND) CWE-191

An attacker can either hijack an existing TCP session and inject bad TCP
segments or establish a new TCP session on any TCP port listened to by the
target.

This vulnerability could lead to a buffer overflow of up to a full TCP
receive-window (by default, 10k-64k depending on version). The buffer overflow
occurs in the task calling recv()/recvfrom()/recvmsg().

Applications that pass a buffer equal to or larger than a full TCP window are
not susceptible to this attack. Applications passing a stack-allocated variable
as a buffer are the easiest to exploit.

The most likely outcome is a crash of the application reading from the affected
socket, which could result in remote code execution.

CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.4 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

This vulnerability could lead to a buffer overflow of up to a full TCP receive
window (by default, 10k-64k depending on version). The buffer overflow happens
in the task calling recv()/recvfrom()/recvmsg().

Applications that pass a buffer equal to or larger than a full TCP window are
not susceptible to this attack. Applications passing a stack-allocated variable
as a buffer are the easiest to exploit.

The most likely outcome is a crash of the application reading from the affected
socket, which could result in remote code execution.

CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.5 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

The impact of this vulnerability is a buffer overflow of up to a full TCP
receive window (by default, 10k-64k depending on version). The buffer overflow
happens in the task calling recv()/recvfrom()/recvmsg().

Applications that pass a buffer equal to or larger than a full TCP window are
not susceptible to this attack. Applications passing a stack-allocated variable
as a buffer are the easiest to exploit.

The most likely outcome is a crash of the application reading from the affected
socket, which could result in remote code execution.

CVE-2019-12261 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
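The three recv()-side overflows in 4.2.3 to 4.2.5 share the one application-level mitigation the text states: pass the stack a buffer at least as large as a full TCP receive window. The wrapper below, an added example that is not code from the advisory or from Wind River, sizes the destination from SO_RCVBUF (assumed here to stand in for the receive window) on the heap and copies only the requested bytes into the caller's buffer; the self-check uses a local socketpair with constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Receive into a heap buffer no smaller than the socket's receive buffer
 * (SO_RCVBUF), then copy at most 'want' bytes to the caller. The caller's
 * buffer, stack-allocated or not, is therefore never the destination the
 * network stack writes into. Returns bytes copied, 0 on EOF, -1 on error.
 * Bytes beyond 'want' are discarded here; a production wrapper would keep
 * them in a per-socket staging buffer instead.
 */
ssize_t recv_windowed(int fd, void *dst, size_t want)
{
    int rcvbuf = 0;
    socklen_t optlen = sizeof rcvbuf;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, &optlen) != 0 || rcvbuf <= 0)
        return -1;
    size_t cap = (size_t)rcvbuf > want ? (size_t)rcvbuf : want;
    uint8_t *tmp = malloc(cap);
    if (tmp == NULL)
        return -1;
    ssize_t n = recv(fd, tmp, cap, 0);
    if (n > 0) {
        size_t copy = (size_t)n < want ? (size_t)n : want;
        memcpy(dst, tmp, copy);
        n = (ssize_t)copy;
    }
    free(tmp);
    return n;
}

/*
 * Self-check over a local socketpair (constructed data, no network): a
 * message much longer than 8 bytes is received through an 8-byte destination.
 * Returns 1 when exactly 8 bytes arrive and the canary after them is intact.
 */
int recv_windowed_selftest(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    static const char msg[] = "constructed payload longer than the 8-byte destination";
    struct { char buf[8]; char canary[8]; } dst;
    memset(&dst, 'X', sizeof dst);                  /* canary must survive untouched */
    if (send(sv[1], msg, sizeof msg, 0) != (ssize_t)sizeof msg)
        return 0;
    ssize_t got = recv_windowed(sv[0], dst.buf, sizeof dst.buf);
    close(sv[0]);
    close(sv[1]);
    return got == 8 && memcmp(dst.buf, "construc", 8) == 0 &&
           memcmp(dst.canary, "XXXXXXXX", 8) == 0;
}

int main(void)
{
    printf("recv_windowed self-test: %s\n", recv_windowed_selftest() ? "ok" : "FAILED");
    return 0;
}
```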

4.2.6 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER
SYNCHRONIZATION ('RACE CONDITION') CWE-362

This vulnerability relies on a race-condition between the network task (tNet0)
and the receiving application. It is very difficult to trigger the race on a
system with a single CPU-thread enabled, and there is no way to reliably trigger
a race on SMP targets.

CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.7 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT
INJECTION') CWE-88

An attacker with the source and destination TCP-port and IP-addresses of a
session can inject invalid TCP segments into the flow, causing the TCP-session
to be reset.

An application will see this as an ECONNRESET error message when using the
socket after such an attack.

The most likely outcome is a crash of the application reading from the affected
socket.

CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.8 NULL POINTER DEREFERENCE CWE-476

This vulnerability requires that at least one IPv4 multicast address has been
assigned to the target in an incorrect way (e.g., using the API intended for
assigning unicast addresses).

An attacker may use CVE-2019-12264 to incorrectly assign a multicast IP-address.

An attacker on the same LAN as the target system may use this vulnerability to
cause a NULL pointer dereference, which most likely will crash the tNet0 task.

CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of
6.3 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H).

4.2.9 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT
INJECTION') CWE-88

An attacker residing on the LAN can send reverse-ARP responses to the victim
system to assign unicast IPv4 addresses to the target.

CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

4.2.10 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT
INJECTION') CWE-88

An attacker residing on the LAN may choose to hijack a DHCP-client session that
requests an IPv4 address. The attacker can send a multicast IP address in the
DHCP offer/ack message, which the victim system then incorrectly assigns.

This vulnerability can be combined with CVE-2019-12259 to create a
denial-of-service condition.

CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
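For 4.2.8 and 4.2.10 together, an added example (not code from the advisory or from any listed vendor) of the client-side check that closes the path the two CVEs combine through: a DHCP OFFER/ACK is parsed and its yiaddr is refused unless it is an assignable unicast address, so a multicast address carried by a hijacked DHCP exchange never reaches the interface configuration. The OFFER bytes and the transaction id 0x12345678 are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of checking a DHCP reply before its yiaddr is configured. */
enum dhcp_check {
    DHCP_ADDR_OK = 0,
    DHCP_ERR_SHORT,       /* shorter than the fixed BOOTP header plus magic cookie */
    DHCP_ERR_NOT_REPLY,   /* op field is not BOOTREPLY */
    DHCP_ERR_XID,         /* transaction id does not match our own request */
    DHCP_ERR_COOKIE,      /* DHCP magic cookie missing */
    DHCP_ERR_ADDR_CLASS   /* yiaddr is not an assignable unicast address */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* True when 'a' (host byte order) may be configured as a unicast interface address. */
int ipv4_is_assignable_unicast(uint32_t a)
{
    if (a == 0 || a == 0xffffffffu) return 0;        /* unspecified, limited broadcast */
    if ((a & 0xff000000u) == 0x7f000000u) return 0;  /* 127/8 loopback */
    if ((a & 0xf0000000u) == 0xe0000000u) return 0;  /* 224/4 multicast */
    if ((a & 0xf0000000u) == 0xf0000000u) return 0;  /* 240/4 reserved */
    return 1;
}

/* Validate an OFFER/ACK (RFC 2131 layout) and release yiaddr only if it is safe to assign. */
enum dhcp_check dhcp_reply_check(const uint8_t *msg, size_t len,
                                 uint32_t expected_xid, uint32_t *yiaddr_out)
{
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };
    if (len < 240) return DHCP_ERR_SHORT;
    if (msg[0] != 2) return DHCP_ERR_NOT_REPLY;
    if (be32(msg + 4) != expected_xid) return DHCP_ERR_XID;
    if (memcmp(msg + 236, cookie, 4) != 0) return DHCP_ERR_COOKIE;
    uint32_t yiaddr = be32(msg + 16);                /* "your IP address" field */
    if (!ipv4_is_assignable_unicast(yiaddr)) return DHCP_ERR_ADDR_CLASS;
    if (yiaddr_out) *yiaddr_out = yiaddr;
    return DHCP_ADDR_OK;
}

/* Build a constructed (not captured) minimal DHCPOFFER into buf[244]; returns its length. */
size_t build_offer(uint8_t *buf, uint32_t xid, uint32_t yiaddr)
{
    memset(buf, 0, 244);
    buf[0] = 2; buf[1] = 1; buf[2] = 6;              /* BOOTREPLY, Ethernet, hlen 6 */
    for (int i = 0; i < 4; i++) {
        buf[4 + i]  = (uint8_t)(xid >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(yiaddr >> (24 - 8 * i));
    }
    memcpy(buf + 236, "\x63\x82\x53\x63", 4);
    buf[240] = 53; buf[241] = 1; buf[242] = 2;       /* option 53: DHCPOFFER */
    buf[243] = 255;                                  /* end option */
    return 244;
}

/* Offer 'yiaddr' under the assumed xid 0x12345678 and check it as a client expecting 'expected_xid'. */
enum dhcp_check check_constructed_offer(uint32_t yiaddr, uint32_t expected_xid, uint32_t *out)
{
    uint8_t pkt[244];
    size_t n = build_offer(pkt, 0x12345678u, yiaddr);
    return dhcp_reply_check(pkt, n, expected_xid, out);
}
```

check_constructed_offer(0xe0000016u, 0x12345678u, NULL) models an offer of 224.0.0.22 and returns DHCP_ERR_ADDR_CLASS, while 0xc0a8010au (192.168.1.10) is accepted.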

4.2.11 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT
INJECTION') CWE-88

The IGMPv3 reception handler does not expect packets to be spread across
multiple IP-fragments.

CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).


4.3 BACKGROUND

 * CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Information
   Technology, Healthcare and Public Health, Transportation Systems, Water and
   Wastewater Systems
 * COUNTRIES/AREAS DEPLOYED: Worldwide


4.4 RESEARCHER

Armis researchers Gregory Vishnepolsky, Dor Zusman, and Ben Seri reported these
vulnerabilities to CISA.


5. MITIGATIONS

ENEA has no IPnet customers on a support contract in the United States.

Green Hills Software has proactively informed affected users and offers
consulting services to implement mitigations.

Microsoft states they have no history of support or integration work involving
IPnet and have not released a version of ThreadX bundled with IPnet. Microsoft
does caution that some hardware makers could have combined ThreadX with their
own IPnet integration in their hardware.

TRON Forum reports that it only publishes the specification for the ITRON RTOS.
Various implementations are used by many users worldwide and are created by
various implementors (some commercial, some academic, and some government)
according to the specification document. TRON Forum, the caretaker of the ITRON
specification, has not endorsed the use of any particular TCP/IP stack,
including the one from Interpeak. The choice of TCP/IP stack is up to the RTOS
vendor and application developers, and thus each application user needs to
check whether the TCP/IP stack developed by Interpeak is used inside their
application. TRON Forum will send a preliminary warning to members by mailing
list to notify implementors of the reported vulnerabilities.

ZebOS by IP Infusion has not yet responded to CISA inquiries.

Wind River has produced controls and patches to mitigate the reported
vulnerabilities. To obtain patches, email PSIRT@windriver.com and indicate the
VxWorks major version for which you need source patches.

For more detailed information on the vulnerabilities and the mitigating
controls, please see the Wind River advisory.
Additional vendors affected by the reported vulnerabilities have also released
security advisories related to their affected products. Those advisories are as
follows:

 * ABB
 * Avaya
 * Belden Industrial Devices
 * ExtremeNetworks
 * Mitsubishi Electric
 * NetApp
 * Rockwell Automation
 * Schneider Electric

--------- Begin Update D Part 1 of 1 ---------

 * Siemens (Power Meters)

--------- End Update D Part 1 of 1 ---------

 * Siemens (RUGGEDCOM)
 * Siemens (SIPROTEC 5)
 * Sonicwall Firewalls
 * TrendMicro IPS
 * Woodward
 * Xerox Printers
 * Xylem

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

 * Minimize network exposure for all control system devices and/or systems, and
   ensure that they are not accessible from the Internet.
 * Locate control system networks and remote devices behind firewalls, and
   isolate them from the business network.
 * When remote access is required, use secure methods, such as Virtual Private
   Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
   updated to the most current version available. Also recognize that VPN is
   only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment
prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper
ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.


VENDOR

ENEA, Green Hills Software, ITRON, IP Infusion, Wind River

