var-201008-0270
Vulnerability from variot

The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804.

The hash function used in the VxWorks authentication API (loginLib) has a deficiency in collision resistance. It is relatively easy to find a string that has the same hash value as a regular password. An attacker may be able to access services that authenticate using the API (loginLib). The problem may be related to CVE-2005-3804. A third party may read or modify an arbitrary memory area, execute a function call, or manage a task through a request to the UDP port.

VxWorks is an embedded real-time operating system. VxWorks has multiple security vulnerabilities that allow an attacker to bypass security restrictions and gain unauthorized access to the system.

- The VxWorks WDB target agent runs as a task in VxWorks. It is an optional component in the VxWorks configuration that is enabled by default. It is recommended to reconfigure VxWorks to contain the components required for operation and to build the appropriate system image type. It is recommended to remove the WDB target agent and debug components (INCLUDE_WDB and INCLUDE_DEBUG) and other operating system components that are not needed to support the client application.

- The hash algorithm of the standard authentication API under VxWorks is vulnerable to collisions, and an attacker who knows a username can brute-force the password of services (telnet, rlogin or FTP) that use the standard authentication API (loginDefaultEncrypt(), part of loginLib) in a relatively short period of time. Because the hash algorithm is vulnerable to collisions, it is not necessary to find the actual password; any string that generates the same hash is sufficient. For example, for the default 'target/password' login, 'y{{{{{SS' hashes to the same result as 'password', so either 'password' or 'y{{{{{SS' can be used as the password to log in.

Permissions and access control vulnerabilities exist in the WDB Target Agent Debugging Service in Wind River VxWorks 6.x, 5.x and earlier. VxWorks is prone to a remote security-bypass vulnerability. Successful exploits will allow remote attackers to perform debugging tasks on the vulnerable device. The issue affects multiple products from multiple vendors that ship with the VxWorks operating system. NOTE: This issue was previously covered in BID 42114 (VxWorks Multiple Security Vulnerabilities) but has been separated into its own record to better document it.

R7-0035: VxWorks Authentication Library Weak Password Hashing
August 2, 2010

-- Vulnerability Details: This vulnerability allows remote attackers to bypass the authentication process for the Telnet and FTP services of the VxWorks operating system. This flaw occurs due to an insecure password hashing implementation in the authentication library (loginLib) of the VxWorks operating system. Regardless of what password is set for a particular account, there are only a small number (~210k) of possible hash outputs. Typical passwords consisting of alphanumeric characters and symbols fall within an even smaller range of hash outputs (~8k), making this trivial to brute force over the network. To exacerbate matters, loginLib has no support for account lockouts and the FTP daemon does not disconnect clients that consistently fail to authenticate. This reduces the brute force time for the FTP service to approximately 30 minutes.

To demonstrate the hash weakness, the password of "insecure" hashes to the value "Ry99dzRcy9". The hashing algorithm itself is based on an additive sum with a small XOR operation. The resulting sums are then transformed to a printable string, but the range of possible intermediate values is limited and mostly sequential. The entire collision table has been precomputed and will be released in early September as an input file for common brute force tools. More information about the hashing algorithm itself is available at the Metasploit blog post below:

http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

There are three requirements for this vulnerability to be exploited:

  • The device must be running at least one service that uses loginLib for authentication. Telnet and FTP do so by default.

  • A valid username must be known to the attacker. This is usually easy to determine through product manuals or a cursory review of the firmware binaries.

  • The target service must be using the default loginLib library and must not have changed the authentication function to point to a custom backend.

A typical VxWorks device will meet all three requirements by default, but customization by the device manufacturer may preclude this from being exploited. In general, if the device displays a VxWorks banner for Telnet or FTP, it is more than likely vulnerable.

-- Vendor Response: Wind River Systems has notified their customers of the issue and suggested that each downstream vendor replace the existing hash implementation with SHA512 or SHA256. The exact extent of the vulnerability and the complete list of affected devices is not known at this time. Example code from Wind River Systems has been supplied to CERT and is included in the advisory below:

http://www.kb.cert.org/vuls/id/840249

-- Disclosure Timeline:
2009-06-02 - Vulnerability reported to CERT for vendor notification
2009-08-02 - Coordinated public release of advisory

-- Credit: This vulnerability was discovered by HD Moore

-- About Rapid7 Security: Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

http://www.rapid7.com/disclosure.jsp



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201008-0270",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "river systems vxworks through",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "wind",
        "version": "6.56.9"
      },
      {
        "model": "1756-enbt\\/a",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "rockwellautomation",
        "version": "3.2.6"
      },
      {
        "model": "1756-enbt\\/a",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "rockwellautomation",
        "version": "3.6.1"
      },
      {
        "model": "vxworks",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "windriver",
        "version": "6.9.4.12"
      },
      {
        "model": "vxworks",
        "scope": null,
        "trust": 0.8,
        "vendor": "wind river",
        "version": null
      },
      {
        "model": "1756-enbt series a",
        "scope": null,
        "trust": 0.8,
        "vendor": "rockwell automation",
        "version": null
      },
      {
        "model": "1756-enbt series a",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "rockwell automation",
        "version": "3.2.6 and  3.6.1"
      },
      {
        "model": "vxworks",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "wind river",
        "version": "6.x"
      },
      {
        "model": "vxworks",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "wind river",
        "version": "5.x"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.6,
        "vendor": "no",
        "version": null
      },
      {
        "model": "1756-enbt series a",
        "scope": null,
        "trust": 0.6,
        "vendor": "rockwellautomation",
        "version": null
      },
      {
        "model": "phaser 3635mfp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "xerox",
        "version": "0"
      },
      {
        "model": "river systems vxworks",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "wind",
        "version": "0"
      },
      {
        "model": "oronoco ap600",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "proxim",
        "version": "2.5.5(1070)"
      },
      {
        "model": "oronoco ap600",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "proxim",
        "version": "2.5.3(914)"
      },
      {
        "model": "oronoco ap600",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "proxim",
        "version": "2.5.2(894)"
      },
      {
        "model": "oronoco ap600",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "proxim",
        "version": "2.4.5(758)"
      },
      {
        "model": "oronoco ap600",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "proxim",
        "version": "2.4.11(821)"
      },
      {
        "model": "oronoco ap600",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "proxim",
        "version": "2.2.0(460)"
      },
      {
        "model": "oronoco ap600",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "proxim",
        "version": "2.1.1(403)"
      },
      {
        "model": "oronoco ap600",
        "scope": null,
        "trust": 0.3,
        "vendor": "proxim",
        "version": null
      },
      {
        "model": "grandslam",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "paradyne",
        "version": "4200"
      },
      {
        "model": "networks wlan access point",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "nortel",
        "version": "2220"
      },
      {
        "model": "networks passport",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "nortel",
        "version": "1100/1150/1200/1250"
      },
      {
        "model": "networks optical trouble ticketing",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "nortel",
        "version": "0"
      },
      {
        "model": "cmts038-007 cmts2.6.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "kathrein",
        "version": null
      },
      {
        "model": "cmts038-007 cmts2.17.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "kathrein",
        "version": null
      },
      {
        "model": "cmts038-007 cmts2.14.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "kathrein",
        "version": null
      },
      {
        "model": "cmts038-007 cmts2.11.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "kathrein",
        "version": null
      },
      {
        "model": "gaoke co mg6000 voip gateway",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "",
        "version": "0"
      },
      {
        "model": "networks edgeiron 4802f",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "foundry",
        "version": "1.4.8"
      },
      {
        "model": "networks edgeiron 4802f",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "foundry",
        "version": "1.3.7"
      },
      {
        "model": "networks edgeiron 4802f",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "foundry",
        "version": "0"
      },
      {
        "model": "ons 15454sdh",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "0"
      },
      {
        "model": "ons",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "154540"
      },
      {
        "model": "ip phone",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "7920"
      },
      {
        "model": "cadant c3 cmts",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "arris",
        "version": "0"
      },
      {
        "model": "omniswitch 5.1.5.245.r04",
        "scope": null,
        "trust": 0.3,
        "vendor": "alcatel lucent",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "db": "BID",
        "id": "42158"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:windriver:vxworks:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.9.4.12",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:rockwellautomation:1756-enbt\\/a_firmware:3.2.6:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:rockwellautomation:1756-enbt\\/a_firmware:3.6.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:rockwellautomation:1756-enbt\\/a:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "HD Moore",
    "sources": [
      {
        "db": "BID",
        "id": "42158"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2010-2965",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": true,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2010-2965",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2010-3891",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "bab59964-1fb2-11e6-abef-000c29c66e3d",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "7d738f00-463f-11e9-ac13-000c29342cb1",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "017253fa-2356-11e6-abef-000c29c66e3d",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-45570",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2010-2965",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2010-3891",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201008-029",
            "trust": 0.6,
            "value": "LOW"
          },
          {
            "author": "IVD",
            "id": "bab59964-1fb2-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "7d738f00-463f-11e9-ac13-000c29342cb1",
            "trust": 0.2,
            "value": "CRITICAL"
          },
          {
            "author": "IVD",
            "id": "017253fa-2356-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-45570",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "bab59964-1fb2-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804. VxWorks Authentication API (loginLib) The hash function used in has a deficiency in collision resistance. It is relatively easy to find a string that has the same hash value as a regular password.Authentication by attacker API (loginLib) May be used to access services using. The problem is CVE-2005-3804 May be related toBy a third party UDP An arbitrary memory area may be read or modified, a function call executed, or a task managed through a request to the port. VxWorks is an embedded real-time operating system. VxWorks has multiple security vulnerabilities that allow an attacker to bypass security restrictions and gain unauthorized access to the system. -VxWorks The WDB target agent runs as a task in VxWorks, which is an optional component in the VxWorks configuration that is enabled by default. It is recommended to reconfigure VxWorks that contain the components required for operations and build the appropriate system image type. It is recommended to remove the WEB target proxy and debug components (INCLUDE_WDB and INCLUDE_DEBUG) and other operating system components that do not need to support the client application. - The HASK algorithm for the standard authentication API under VxWorks is vulnerable to collisions, and attackers with known usernames can access (telnet, rlogin or FTP) services using a standard authentication API (loginDefaultEncrypt(), part of loginLib) in a relative The brute force password is cracked in a short period of time. 
Since the HASH algorithm is vulnerable to collision, it is not necessary to find the actual password, as long as a string is used to generate the same HASH. For example, when logging in with the default \u0027target/password\u0027, \u0027y{{{{{SS\u0027 will HASH out the same result as \u0027password\u0027. So you can use \u0027password\u0027 and \u0027y{{{{{SS\u0027 as the password to log in. Permissions and access control vulnerabilities exist in the WDB Target Agent Debugging Service in Wind River VxWorks 6.x, 5.x and earlier. VxWorks is prone to a remote security-bypass vulnerability. \nSuccessful exploits will allow remote attackers to perform debugging tasks on the vulnerable device. \nThe issue affects multiple products from multiple vendors that ship with the VxWorks operating system. \nNOTE: This issue was previously covered in BID 42114 (VxWorks Multiple Security Vulnerabilities) but has been separated into its own record to better document it. R7-0035: VxWorks Authentication Library Weak Password Hashing\nAugust 2, 2010\n\n-- Vulnerability Details:\nThis vulnerability allows remote attackers to bypass the authentication\nprocess for the Telnet and FTP services of the VxWorks operating system. \nThis flaw occurs due to an insecure password hashing implementation in\nthe authentication library (loginLib) of the VxWorks operating system. \nRegardless of what password is set for a particular account, there are a\nonly small number (~210k) of possible hash outputs. Typical passwords\nconsisting of alphanumeric characters and symbols fall within an even\nsmaller range of hash outputs (~8k), making this trivial to brute force\nover the network. To excaberate matters, loginLib has no support for\naccount lockouts and the FTP daemon does not disconnect clients that\nconsistently fail to authenticate. This reduces the brute force time for\nthe FTP service to approximately 30 minutes. 
\n\nTo demonstrate the hash weakness, the password of \"insecure\" hashes to\nthe value \"Ry99dzRcy9\". The hashing algorithm itself is based on an additive sum\nwith a small XOR operation. The resulting sums are then transformed to a\nprintable string, but the range of possible intermediate values is\nlimited and mostly sequential. The entire collision table has been\nprecomputed and will be released in early September as an input file for\ncommon brute force tools. More information about the hashing algorithm\nitself is available at the Metasploit blog post below:\n\n http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html\n\nThere are three requirements for this vulnerability to be exploited:\n\n * The device must be running at least one service that uses loginLib\nfor authentication. Telnet and FTP do so by default. \n\n * A valid username must be known to the attacker. This is usually easy\nto determine through product manuals or a cursory review of the firmware\nbinaries. \n\n * The target service must be using with default loginLib library and\nmust not have changed the authentication function to point to a custom\nbackend. \n\nA typical VxWorks device will meet all three requirements by default,\nbut customization by the device manufacturer may preclude this from\nbeing exploited. In general, if the device displays a VxWorks banner for\nTelnet or FTP, it is more than likely vulnerable. \n\n-- Vendor Response:\nWind River Systems has notified their customers of the issue and\nsuggested that each downstream vendor replace the existing hash\nimplementation with SHA512 or SHA256. The exact extent of the\nvulnerability and the complete list of affected devices is not known at\nthis time. 
Example code from Wind River Systems has been supplied to\nCERT and is included in the advisory below:\n\n http://www.kb.cert.org/vuls/id/840249\n\n-- Disclosure Timeline:\n2009-06-02 - Vulnerability reported to CERT for vendor notification\n2009-08-02 - Coordinated public release of advisory\n\n-- Credit:\nThis vulnerability was discovered by HD Moore\n\n-- About Rapid7 Security\nRapid7 provides vulnerability management, compliance and penetration\ntesting solutions for Web application, network and database security. In\naddition to developing the NeXpose Vulnerability Management system,\nRapid7 manages the Metasploit Project and is the primary sponsor of the\nW3AF web assessment tool. \n\nOur vulnerability disclosure policy is available online at:\n\n http://www.rapid7.com/disclosure.jsp\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "db": "BID",
        "id": "42158"
      },
      {
        "db": "IVD",
        "id": "bab59964-1fb2-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "db": "PACKETSTORM",
        "id": "92449"
      }
    ],
    "trust": 4.59
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#362332",
        "trust": 4.0
      },
      {
        "db": "NVD",
        "id": "CVE-2010-2965",
        "trust": 3.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029",
        "trust": 1.1
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489",
        "trust": 1.0
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891",
        "trust": 1.0
      },
      {
        "db": "CERT/CC",
        "id": "VU#840249",
        "trust": 0.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612",
        "trust": 0.8
      },
      {
        "db": "BID",
        "id": "42114",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "42158",
        "trust": 0.4
      },
      {
        "db": "IVD",
        "id": "BAB59964-1FB2-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "7D72F2C0-463F-11E9-98F5-000C29342CB1",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "7D738F00-463F-11E9-AC13-000C29342CB1",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "017253FA-2356-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-45570",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "92449",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "bab59964-1fb2-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "db": "BID",
        "id": "42158"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "db": "PACKETSTORM",
        "id": "92449"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "id": "VAR-201008-0270",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "bab59964-1fb2-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45570"
      }
    ],
    "trust": 2.5176819200000002
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 2.0
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "bab59964-1fb2-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      }
    ]
  },
  "last_update_date": "2024-07-23T22:14:01.941000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://windriver.com/"
      },
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.rockwellautomation.com/"
      },
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://windriver.com/index.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-863",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-264",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.4,
        "url": "http://www.kb.cert.org/vuls/id/362332"
      },
      {
        "trust": 2.1,
        "url": "http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html"
      },
      {
        "trust": 1.7,
        "url": "http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=69735"
      },
      {
        "trust": 1.7,
        "url": "http://www.kb.cert.org/vuls/id/mapg-86epfa"
      },
      {
        "trust": 1.7,
        "url": "http://www.kb.cert.org/vuls/id/mapg-86fpql"
      },
      {
        "trust": 1.7,
        "url": "https://support.windriver.com/olsportal/faces/maintenance/downloaddetails.jspx?contentid=033708"
      },
      {
        "trust": 0.9,
        "url": "http://www.kb.cert.org/vuls/id/840249"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnvu840249"
      },
      {
        "trust": 0.8,
        "url": "http://www.kb.cert.org/vuls/id/mapg-863qh9"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2965"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2965"
      },
      {
        "trust": 0.6,
        "url": "http://www.kb.cert.org/vuls/id/362332http"
      },
      {
        "trust": 0.3,
        "url": "http://download.schneider-electric.com/files?p_doc_ref=sevd%202013-345-01"
      },
      {
        "trust": 0.3,
        "url": "http://www.windriver.com/"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/512825"
      },
      {
        "trust": 0.1,
        "url": "http://www.rapid7.com/disclosure.jsp"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "db": "BID",
        "id": "42158"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "db": "PACKETSTORM",
        "id": "92449"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "bab59964-1fb2-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "db": "BID",
        "id": "42158"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "db": "PACKETSTORM",
        "id": "92449"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      },
      {
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-08-03T00:00:00",
        "db": "IVD",
        "id": "bab59964-1fb2-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2010-08-03T00:00:00",
        "db": "IVD",
        "id": "7d72f2c0-463f-11e9-98f5-000c29342cb1"
      },
      {
        "date": "2010-08-05T00:00:00",
        "db": "IVD",
        "id": "7d738f00-463f-11e9-ac13-000c29342cb1"
      },
      {
        "date": "2010-08-05T00:00:00",
        "db": "IVD",
        "id": "017253fa-2356-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2010-08-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "date": "2010-08-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "date": "2010-08-05T00:00:00",
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "date": "2010-08-02T00:00:00",
        "db": "BID",
        "id": "42158"
      },
      {
        "date": "2010-08-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "date": "2012-12-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "date": "2010-08-03T18:01:12",
        "db": "PACKETSTORM",
        "id": "92449"
      },
      {
        "date": "2010-08-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      },
      {
        "date": "2010-08-05T13:22:29.793000",
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2010-08-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2010-1489"
      },
      {
        "date": "2010-08-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2010-3891"
      },
      {
        "date": "2010-08-05T00:00:00",
        "db": "VULHUB",
        "id": "VHN-45570"
      },
      {
        "date": "2015-03-19T08:47:00",
        "db": "BID",
        "id": "42158"
      },
      {
        "date": "2010-08-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      },
      {
        "date": "2012-12-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2010-005612"
      },
      {
        "date": "2022-08-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      },
      {
        "date": "2022-08-05T18:38:58.783000",
        "db": "NVD",
        "id": "CVE-2010-2965"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Wind River Systems VxWorks Authentication  API (loginLib) Problems",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2010-001882"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "permissions and access control issues",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201008-029"
      }
    ],
    "trust": 0.6
  }
}

