Executive Summary

Summary
Title: Wind River Systems VxWorks debug service enabled by default
Information
Name: VU#362332
First vendor Publication: 2010-08-02
Vendor: VU-CERT
Last vendor Modification: 2010-08-25
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 10
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: Low
Cvss Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#362332

Wind River Systems VxWorks debug service enabled by default

Overview

Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called.

I. Description

The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. Access to the WDB debug agent is not secured, which creates a security hole in a deployed system.

It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications.

Consult the VxWorks Kernel Programmer's guide for more information on WDB.

Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog.

II. Impact

An attacker can use the debug service to fully compromise the device.

III. Solution

Disable debug agent

Vendors should remove the WDB target debug agent from their VxWorks-based products by removing the INCLUDE_WDB and INCLUDE_DEBUG components from their VxWorks image.
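
An added example (not part of the CERT note or of Wind River's tooling): a release-gate check that reads a VxWorks configuration header and reports whether INCLUDE_WDB or INCLUDE_DEBUG, the components named here and in the Description, are still enabled. It assumes components are selected with `#define`/`#undef` lines in a C header, treats every directive as active (no `#if` evaluation), and counts `INCLUDE_WDB_*` and `INCLUDE_DEBUG_*` names as part of the same families; the sample header is constructed.

```python
import re

# Components the advisory says to remove from production images.
FORBIDDEN = ("INCLUDE_WDB", "INCLUDE_DEBUG")

_DIRECTIVE = re.compile(r"^\s*#\s*(define|undef)\s+([A-Za-z_]\w*)")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Constructed sample header (assumption: #define/#undef selects components).
SAMPLE_HEADER = """\
#define INCLUDE_NETWORK
#define INCLUDE_WDB            /* host tools */
#define INCLUDE_WDB_COMM_END
/* #define INCLUDE_SHELL */
#define INCLUDE_DEBUG
#undef  INCLUDE_DEBUG          // removed for release
"""


def enabled_components(header_text):
    """Return the macros still defined after the last directive that names them."""
    # Strip /* ... */ first so commented-out defines are not counted.
    text = _BLOCK_COMMENT.sub("", header_text)
    state = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0]          # drop trailing line comments
        match = _DIRECTIVE.match(line)
        if match:
            # A later #undef overrides an earlier #define, and vice versa.
            state[match.group(2)] = match.group(1) == "define"
    return {name for name, is_on in state.items() if is_on}


def audit(header_text):
    """Return the enabled components that belong to a forbidden family, sorted."""
    return [
        name
        for name in sorted(enabled_components(header_text))
        if any(name == f or name.startswith(f + "_") for f in FORBIDDEN)
    ]


if __name__ == "__main__":
    leftovers = audit(SAMPLE_HEADER)
    print("FAIL: " + ", ".join(leftovers) if leftovers else "OK")
```

A non-empty result is a reason to fail the production build; because preprocessor conditionals are not evaluated, a clean result should still be confirmed against the built image's component list.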

Restrict access

Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it.
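
An added example (not from the CERT note): a check that the restriction is holding, run over flow records to list any traffic to 17185/udp whose source is outside the trusted ranges. The record layout (`timestamp proto src dst dport`), the addresses and the trusted range are constructed for illustration.

```python
import ipaddress

WDB_PORT = 17185  # debug service port named in the advisory (UDP)

# Constructed flow records: timestamp proto src dst dport
SAMPLE_FLOWS = [
    "2010-08-03T10:00:01Z udp 192.0.2.5 198.51.100.20 17185",
    "2010-08-03T10:00:07Z udp 203.0.113.44 198.51.100.20 17185",
    "2010-08-03T10:00:09Z tcp 203.0.113.44 198.51.100.20 17185",
    "2010-08-03T10:00:12Z udp 203.0.113.44 198.51.100.20 161",
    "2010-08-03T10:01:30Z udp 192.0.2.77 198.51.100.21 17185",
]
# Assumption: only this engineering subnet may reach the debug service.
TRUSTED = ["192.0.2.0/28"]


def untrusted_wdb_flows(records, trusted_cidrs):
    """Return (timestamp, src, dst) for 17185/udp flows from untrusted sources."""
    trusted = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    findings = []
    for line in records:
        fields = line.split()
        if len(fields) != 5:
            continue                      # not a record in the assumed layout
        ts, proto, src, dst, dport = fields
        if proto.lower() != "udp" or dport != str(WDB_PORT):
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue                      # unparsable source address
        if not any(addr in net for net in trusted):
            findings.append((ts, src, dst))
    return findings


if __name__ == "__main__":
    for ts, src, dst in untrusted_wdb_flows(SAMPLE_FLOWS, TRUSTED):
        print(f"{ts} untrusted source {src} reached {dst}:{WDB_PORT}/udp")
```

Any finding means either the firewall rule is missing on that path or the trusted list is wider than intended.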

Vendor Information

Vendor | Status | Date Notified | Date Updated
3com Inc | Affected | 2010-06-14 | 2010-07-27
Actelis Networks | Affected | 2010-06-29 | 2010-07-27
Alcatel-Lucent | Affected | 2010-06-14 | 2010-07-27
Allied Telesis | Affected | 2010-06-29 | 2010-07-27
Alvarion | Affected | 2010-06-29 | 2010-07-27
amx | Affected | 2010-06-29 | 2010-07-27
Aperto Networks | Affected | 2010-06-29 | 2010-07-27
Apple Inc. | Affected | 2010-06-14 | 2010-07-27
ARRIS | Affected | 2010-06-18 | 2010-07-27
Avaya, Inc. | Affected | 2010-06-14 | 2010-07-27
Broadcom | Affected | 2010-06-14 | 2010-07-27
Brocade | Unknown | 2010-08-03 | 2010-08-03
Canon | Not Affected | 2010-06-18 | 2010-08-17
Ceragon Networks Inc | Affected | 2010-06-29 | 2010-07-27
Cisco Systems, Inc. | Affected | 2010-06-14 | 2010-06-23
D-Link Systems, Inc. | Affected | 2010-06-14 | 2010-07-27
Dell Computer Corporation, Inc. | Affected | 2010-06-14 | 2010-07-27
Digicom | Affected | 2010-06-29 | 2010-07-27
DrayTek Corporation | Affected | 2010-06-29 | 2010-07-27
EMC Corporation | Affected | 2010-06-14 | 2010-07-27
Enablence | Affected | 2010-06-29 | 2010-07-27
Enterasys Networks | Affected | 2010-06-18 | 2010-07-27
Epson America, Inc. | Affected | 2010-06-18 | 2010-07-27
Ericsson | Affected | 2010-06-14 | 2010-07-27
Fluke Networks | Affected | 2010-06-14 | 2010-07-27
Foundry Networks, Inc. | Affected | 2010-06-14 | 2010-07-27
Gilat Network Systems | Affected | 2010-06-29 | 2010-07-27
Guangzhou Gaoke Communications | Affected | 2010-06-29 | 2010-07-27
Hewlett-Packard Company | Affected | 2010-06-14 | 2010-07-27
Huawei Technologies | Affected | 2010-06-18 | 2010-07-27
Intel Corporation | Unknown | 2010-07-02 | 2010-07-27
IWATSU Voice Networks | Affected | 2010-06-29 | 2010-07-27
Keda Communications | Affected | 2010-06-29 | 2010-07-27
Knovative Inc | Affected | 2010-06-29 | 2010-07-27
Lenovo | Affected | 2010-06-14 | 2010-07-27
Lutron Electronics | Affected | 2010-06-29 | 2010-07-27
Maipu Communication Technology | Affected | 2010-06-29 | 2010-07-27
Mitel Networks, Inc. | Affected | 2010-06-14 | 2010-07-27
Motorola, Inc. | Affected | 2010-06-14 | 2010-07-27
Netgear, Inc. | Affected | 2010-06-18 | 2010-07-27
Nokia | Affected | 2010-06-18 | 2010-07-27
Nortel Networks, Inc. | Affected | 2010-06-14 | 2010-07-27
Polycom | Affected | 2010-06-14 | 2010-07-27
Proxim, Inc. | Affected | 2010-06-14 | 2010-07-27
Rad Vision, Inc. | Affected | 2010-06-14 | 2010-07-27
Ricoh Company Ltd. | Affected | 2010-06-14 | 2010-08-06
Rockwell Automation | Affected | 2010-06-15 | 2010-07-30
Shoretel Communications, Inc. | Affected | 2010-06-14 | 2010-07-27
Siemens | Affected | 2010-06-14 | 2010-07-27
SMC Networks, Inc. | Affected | 2010-06-18 | 2010-07-27
TRENDnet | Affected | 2010-06-14 | 2010-07-27
Tut Systems, Inc. | Affected | 2010-06-18 | 2010-07-27
Wind River Systems, Inc. | Affected | 2010-06-14 | 2010-08-02
Xerox | Affected | 2010-06-14 | 2010-07-27

References

http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml
http://seclists.org/vuln-dev/2002/May/179
http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf
http://blogs.windriver.com/chauhan/2010/08/vxworks-secure.html
https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708
http://thesauceofutterpwnage.blogspot.com/2010/08/metasploit-vxworks-wdb-agent-attack.html

Credit

Thanks to HD Moore for reporting a wider scope with additional research related to this vulnerability. Earlier public reports came from Bennett Todd and Shawn Merdinger.

This document was written by Jared Allar.

Other Information

Date Public:2010-08-02
Date First Published:2010-08-02
Date Last Updated:2010-08-25
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:14.04
Document Revision:50

Original Source

Url : http://www.kb.cert.org/vuls/id/362332

CPE : Common Platform Enumeration

Type Description Count
Os 2
Os 22

OpenVAS Exploits

Date Description
2011-12-14 Name : VxWorks Debugging Service Security-Bypass Vulnerability
File : nvt/gb_xvworks_debugging_service_42158.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
66842 Wind River Systems' VxWorks WDB Debug Service Remote Arbitrary Memory Manipul...

VxWorks contains a flaw that may allow a remote attacker to read and write arbitrary memory on the device. The issue is triggered by leaving the WDB target agent debug service enabled by default.

Snort® IPS/IDS

Date Description
2014-01-10 VxWorks remote debugging agent login attempt
RuleID : 17110 - Revision : 5 - Type : APP-DETECT

Nessus® Vulnerability Scanner

Date Description
2010-08-06 Name : Arbitrary commands can be run on this port.
File : wdb_agent_detect.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2020-05-23 13:17:15
  • Multiple Updates
2014-02-17 12:07:46
  • Multiple Updates
2014-01-19 21:31:03
  • Multiple Updates