VDE-2020-002
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2020-02-25 09:07 - Updated: 2025-06-05 13:28
Summary
PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks
Notes
Summary: CVE-2019-12255
Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.
The vulnerability affects a little-known feature of the TCP/IP protocol, sending out-of-band data, also known as urgent data. Although the feature is rarely used in the real world, its implementation, consisting of an 'Urgent Flag' and an 'Urgent Pointer', is present in the header of every TCP packet. Exploiting these vulnerabilities therefore does not depend on any specific configuration. If a VxWorks device communicates using the TCP protocol, it is vulnerable. It also does not matter which side initiates a TCP connection. An attacker can exploit the vulnerabilities if the VxWorks device is operated as a server that accepts TCP connections, if the VxWorks device connects to a malicious host operated by the attacker, or as a man-in-the-middle, manipulating a TCP connection between the VxWorks device and a legitimate host.
CVE-2019-12258
This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.
Impact: CVE-2019-12255
An attacker can either hijack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port the victim system listens to.
The impact of the vulnerability is a buffer overflow of up to a full TCP receive-window.
CVE-2019-12258
This vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.
Remediation: Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall needs to be configured in a way that either TCP packets with urgent flag are dropped or that the corresponding TCP connection the packet belongs to is terminated.
Note that the urgent flag is a very rarely used feature. Thus, implementing the described firewall rule will most likely not harm usual network operation.
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices
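The mitigation above is a filter on a single TCP header field: any segment carrying the URG flag is dropped (or its connection torn down). The following added example, which is not part of the advisory and not Phoenix Contact or Wind River code, parses the fixed 20-byte TCP header with Python's `struct` module, applies that drop-on-URG policy, and separately reports the exact condition the advisory names for CVE-2019-12255 (URG set with Urgent Pointer = 0), so a defender can check captured segments against the rule before deploying it. The `build_segment` helper and the three `SAMPLE_SEGMENTS` are constructed test inputs (zero checksum, no options), not captured traffic.

```python
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793 layout).
TCP_FLAG_FIN = 0x01
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10
TCP_FLAG_URG = 0x20


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int      # data offset, converted to bytes
    flags: int
    window: int
    checksum: int
    urgent_pointer: int


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Parse the fixed 20-byte TCP header from a raw segment (no IP header)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # upper 4 bits: header length in 32-bit words
    flags = off_flags & 0x01FF                  # lower 9 bits: NS plus the 8 classic flags
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    return TcpHeader(src, dst, seq, ack, header_len, flags, win, csum, urg)


def urg_policy(header: TcpHeader) -> str:
    """Action implied by the advisory's firewall rule: drop every segment with URG set."""
    return "drop" if header.flags & TCP_FLAG_URG else "accept"


def matches_cve_2019_12255_condition(header: TcpHeader) -> bool:
    """The advisory names URG set together with Urgent Pointer = 0 as the trigger condition."""
    return bool(header.flags & TCP_FLAG_URG) and header.urgent_pointer == 0


def build_segment(src: int, dst: int, flags: int, urgent_pointer: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test helper: minimal TCP segment with a 20-byte header and zero checksum."""
    off_flags = (5 << 12) | (flags & 0x01FF)    # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", src, dst, 1, 1, off_flags, 8192, 0, urgent_pointer) + payload


# Constructed sample segments: one ordinary data segment and two URG-flagged ones.
SAMPLE_SEGMENTS = {
    "plain_push": build_segment(40000, 80, TCP_FLAG_PSH | TCP_FLAG_ACK, payload=b"GET / HTTP/1.0\r\n"),
    "urg_ptr_zero": build_segment(40000, 80, TCP_FLAG_URG | TCP_FLAG_PSH | TCP_FLAG_ACK, urgent_pointer=0, payload=b"x"),
    "urg_ptr_one": build_segment(40000, 80, TCP_FLAG_URG | TCP_FLAG_PSH | TCP_FLAG_ACK, urgent_pointer=1, payload=b"x"),
}


def classify_all(segments: dict) -> dict:
    """Map each sample name to (firewall action, matches the CVE-2019-12255 condition)."""
    result = {}
    for name, raw in segments.items():
        header = parse_tcp_header(raw)
        result[name] = (urg_policy(header), matches_cve_2019_12255_condition(header))
    return result


if __name__ == "__main__":
    for name, (action, cve_condition) in classify_all(SAMPLE_SEGMENTS).items():
        print(f"{name:14s} action={action:6s} urg_ptr_zero_condition={cve_condition}")
```

The same match expressed as an iptables rule on the firewall in front of the switch would use the `--tcp-flags URG URG` test of the tcp match module (mask URG, compare URG), with `-j DROP` as the action; the script's `urg_policy` applies that rule to raw segments so the expected behaviour can be verified offline, and `matches_cve_2019_12255_condition` narrows the view to the segments the advisory describes.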
Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.
9.8 (Critical)
Mitigation
Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall needs to be configured in a way that either TCP packets with urgent flag are dropped or that the corresponding TCP connection the packet belongs to is terminated.
Note that the urgent flag is a very rarely used feature. Thus, implementing the described firewall rule will most likely not harm usual network operation.
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices.
https://www.phoenixcontact.com/assets/downloads_e…
Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is an IPNET security vulnerability: DoS of TCP connection via malformed TCP options.
7.5 (High)
Mitigation
Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall needs to be configured in a way that either TCP packets with urgent flag are dropped or that the corresponding TCP connection the packet belongs to is terminated.
Note that the urgent flag is a very rarely used feature. Thus, implementing the described firewall rule will most likely not harm usual network operation.
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices.
https://www.phoenixcontact.com/assets/downloads_e…
References
Acknowledgments
CERTVDE
certvde.com
Wind River Systems, Inc.
www.windriver.com
{
"document": {
"acknowledgments": [
{
"organization": "CERTVDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"organization": "Wind River Systems, Inc.",
"summary": "reporting",
"urls": [
"https://www.windriver.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "CVS-2019-12255\n\nWind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.\n\nThe vulnerability affects a little-known feature of the TCP/IP protocol, sending out-of-band data, also known as urgent data. Although the feature is rarely used in the real world, its implementation, consisting of an \u0027Urgent Flag\u0027 and an \u0027Urgent Pointer\u0027, is present in the header of every TCP packet. Exploiting these vulnerabilities does therefore not depend on any specific configuration. If a VxWorks device communicates using the TCP protocol, it is vulnerable. It also does not matter which side initiates a TCP connection. An attacker can exploit the vulnerabilities if the VxWorks device is operated as a server that accepts TCP connections, if the VxWorks device connects to a malicious host operated by the attacker, or as a man-in-the-middle, manipulating a TCP connection between the VxWorks device and a legitimate host.\n\nCVE-2019-12258\n\nThis vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.",
"title": "Summary"
},
{
"category": "description",
"text": "CVS-2019-12255\n\nAn attacker can either highjack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port the victim system listens to.\n\nThe impact of the vulnerability is a buffer overflow of up to a full TCP receive-window.\n\nCVE-2019-12258\n\nThis vulnerability affects established TCP sessions. An attacker who can figure out the source and destination TCP port and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset.",
"title": "Impact"
},
{
"category": "description",
"text": "Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall needs to be configured in a way that either TCP packets with urgent flag are dropped or that the corresponding TCP connection the packet belongs to is terminated.\n\nIt needs to be noticed that the urgent flag is a very rarely used feature. Thus, implementing the described firewall rule will most likely not harm usual network operation.\n\nPhoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "Phoenix Contact PSIRT",
"url": "https://www.phoenixcontact.com/de-de/service-und-support/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Phoenix Contact",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
},
{
"category": "self",
"summary": "VDE-2020-002: PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks - HTML",
"url": "https://certvde.com/en/advisories/VDE-2020-002/"
},
{
"category": "self",
"summary": "VDE-2020-002: PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-002.json"
}
],
"title": "PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks",
"tracking": {
"aliases": [
"VDE-2020-002"
],
"current_release_date": "2025-06-05T13:28:12.000Z",
"generator": {
"date": "2020-02-25T09:07:00.000Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.12"
}
},
"id": "VDE-2020-002",
"initial_release_date": "2020-02-25T09:07:00.000Z",
"revision_history": [
{
"date": "2020-02-25T09:07:00.000Z",
"number": "1",
"summary": "initial revision"
},
{
"date": "2025-06-05T13:28:12.000Z",
"number": "2",
"summary": "Fix: added distribution, quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "FL Switch GHS 12G/8",
"product": {
"name": "FL Switch GHS 12G/8",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"2989200"
]
}
}
},
{
"category": "product_name",
"name": "FL Switch GHS 12G/8-L3",
"product": {
"name": "FL Switch GHS 12G/8-L3",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"2700787"
]
}
}
},
{
"category": "product_name",
"name": "FL Switch GHS 4G/12",
"product": {
"name": "FL Switch GHS 4G/12",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"2700271"
]
}
}
},
{
"category": "product_name",
"name": "FL Switch GHS 4G/12-L3",
"product": {
"name": "FL Switch GHS 4G/12-L3",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"2700786"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=3.3.0",
"product": {
"name": "Firmware \u003c=3.3.0",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
],
"summary": "Affected Products"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=3.3.0 installed on FL Switch GHS 12G/8",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=3.3.0 installed on FL Switch GHS 12G/8-L3",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=3.3.0 installed on FL Switch GHS 4G/12",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=3.3.0 installed on FL Switch GHS 4G/12-L3",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-12255",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is a IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall needs to be configured in a way that either TCP packets with urgent flag are dropped or that the corresponding TCP connection the packet belongs to is terminated.\n\nIt needs to be noticed that the urgent flag is a very rarely used feature. Thus, implementing the described firewall rule will most likely not harm usual network operation.\n\nPhoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices.",
"group_ids": [
"CSAFGID-0001"
],
"url": "https://www.phoenixcontact.com/assets/downloads_ed/local_pc/web_dwl_technical_info/ah_en_industrial_security_107913_en_01.pdf"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2019-12255"
},
{
"cve": "CVE-2019-12258",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Users are strongly recommended to install a firewall between the FL Switch GHS device and other parts of the network where an attacker may reside. The firewall needs to be configured in a way that either TCP packets with urgent flag are dropped or that the corresponding TCP connection the packet belongs to is terminated.\n\nIt needs to be noticed that the urgent flag is a very rarely used feature. Thus, implementing the described firewall rule will most likely not harm usual network operation.\n\nPhoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices.",
"group_ids": [
"CSAFGID-0001"
],
"url": "https://www.phoenixcontact.com/assets/downloads_ed/local_pc/web_dwl_technical_info/ah_en_industrial_security_107913_en_01.pdf"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2019-12258"
}
]
}