Wind River Systems VxWorks debug service enabled by default

2010-08-02T00:00:00
ID VU:362332
Type cert
Reporter CERT
Modified 2014-06-02T00:00:00

Description

Overview

Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called.

Description

The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. Access to the WDB debug agent is not secured, so the agent is a security hole in a deployed system.

It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications.

Consult the VxWorks Kernel Programmer's guide for more information on WDB.

Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog.


Impact

An attacker can use the debug service to fully compromise the device.


Solution

Disable debug agent

Vendors should remove the WDB target debug agent from their VxWorks-based products by removing the INCLUDE_WDB and INCLUDE_DEBUG components from their VxWorks image.
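
A build-time check for the component removal described above, as an added example that is not CERT's or Wind River's code. It assumes the image's component selection is available as a C header of `#define`/`#undef` lines; that layout and every sample macro name other than INCLUDE_WDB and INCLUDE_DEBUG are assumptions, and `#if`/`#ifdef` blocks are not evaluated.

```python
import re
import sys

# Components the advisory says to remove from production images.
FORBIDDEN = ("INCLUDE_WDB", "INCLUDE_DEBUG")

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"//[^\n]*")
_DIRECTIVE = re.compile(r"^[ \t]*#[ \t]*(define|undef)[ \t]+(\w+)", re.MULTILINE)

# Constructed sample inputs (not taken from any real BSP).
DEV_CONFIG = """\
#define INCLUDE_APP_HYPOTHETICAL
#define INCLUDE_WDB
#  define INCLUDE_DEBUG   /* debugging aids */
"""
PROD_CONFIG = """\
#define INCLUDE_APP_HYPOTHETICAL
#define INCLUDE_WDB
/* #define INCLUDE_DEBUG */
#undef INCLUDE_WDB        // removed for deployment
#define INCLUDE_WDB_HYPOTHETICAL_OPTION   /* different macro, not a match */
"""


def enabled_components(header_text):
    """Apply #define/#undef in file order; return the macros left defined."""
    # Blank out comments first so commented-out directives are ignored.
    text = _BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), header_text)
    text = _LINE_COMMENT.sub("", text)
    defined = set()
    for action, name in _DIRECTIVE.findall(text):
        if action == "define":
            defined.add(name)
        else:
            defined.discard(name)
    return defined


def audit(header_text, forbidden=FORBIDDEN):
    """Return the forbidden components still enabled (exact-name match), sorted."""
    return sorted(set(forbidden) & enabled_components(header_text))


if __name__ == "__main__":
    # Usage: python audit_wdb.py <component header>; exits 1 if a debug component remains.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEV_CONFIG
    found = audit(source)
    print("debug components still enabled:", ", ".join(found) or "none")
    sys.exit(1 if found else 0)
```

Run as a release gate, the non-zero exit status stops a production build that still carries either debug component.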


Restrict access

Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it.


Vendor Information

Vendor| Status| Date Notified| Date Updated
---|---|---|---
3com Inc| | 14 Jun 2010| 27 Jul 2010
Actelis Networks| | 29 Jun 2010| 27 Jul 2010
Alcatel-Lucent| | 14 Jun 2010| 27 Jul 2010
Allied Telesis| | 29 Jun 2010| 27 Jul 2010
Alvarion| | 29 Jun 2010| 27 Jul 2010
amx| | 29 Jun 2010| 27 Jul 2010
Aperto Networks| | 29 Jun 2010| 27 Jul 2010
Apple Inc.| | 14 Jun 2010| 27 Jul 2010
ARRIS| | 18 Jun 2010| 20 Jan 2011
Avaya, Inc.| | 14 Jun 2010| 27 Jul 2010
Broadcom| | 14 Jun 2010| 27 Jul 2010
Ceragon Networks Inc| | 29 Jun 2010| 27 Jul 2010
Cisco Systems, Inc.| | 14 Jun 2010| 23 Jun 2010
D-Link Systems, Inc.| | 14 Jun 2010| 27 Jul 2010
Dell Computer Corporation, Inc.| | 14 Jun 2010| 27 Jul 2010

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 9.5 | E:H/RL:W/RC:C
Environmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • <http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml>
  • <http://seclists.org/vuln-dev/2002/May/179>
  • <https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities>
  • <http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf>
  • <http://blogs.windriver.com/chauhan/2010/08/vxworks-secure.html>
  • <https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708>
  • <http://thesauceofutterpwnage.blogspot.com/2010/08/metasploit-vxworks-wdb-agent-attack.html>
  • <http://cwe.mitre.org/data/definitions/215.html>
  • <http://cwe.mitre.org/data/definitions/505.html>

Credit

Thanks to HD Moore for reporting a wider scope with additional research related to this vulnerability. Earlier public reports came from Bennett Todd and Shawn Merdinger.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2010-2965
  • Date Public: 02 Aug 2010
  • Date First Published: 02 Aug 2010
  • Date Last Updated: 02 Jun 2014
  • Severity Metric: 14.04
  • Document Revision: 84