ID WDB_AGENT_DETECT.NASL Type nessus Reporter Tenable Modified 2018-08-06T00:00:00
Description
A VxWorks WDB Debug Agent is running on this host.
Using this service, it is possible to read or write any memory zone or
execute arbitrary code on the host. An attacker can use this flaw to
take complete control of the affected device.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(48264);
script_version("1.14");
script_cvs_date("Date: 2018/08/06 14:03:15");
script_cve_id("CVE-2010-2965");
script_bugtraq_id(42158);
script_xref(name:"CERT", value:"362332");
script_xref(name:"ICSA", value:"10-214-01");
script_name(english:"VxWorks WDB Debug Service Detection");
script_summary(english:"Sends a CONNECT request to VxWorks debug agent");
script_set_attribute(attribute:"synopsis", value:
"Arbitrary commands can be run on this port." );
script_set_attribute(attribute:"description", value:
"A VxWorks WDB Debug Agent is running on this host.
Using this service, it is possible to read or write any memory zone or
execute arbitrary code on the host. An attacker can use this flaw to
take complete control of the affected device." );
script_set_attribute(attribute:"solution", value:
"Disable the debug agent or contact the device's vendor for a patch." );
script_set_attribute(attribute:"vuln_publication_date", value: "2010/08/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/06");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
script_family(english:"RPC");
script_dependencies("rpcinfo.nasl");
exit (0);
}
include("global_settings.inc");
include("misc_func.inc");
include("sunrpc_func.inc");
include("network_func.inc");
set_byte_order(BYTE_ORDER_BIG_ENDIAN);
wdbport = 0x4321; # dec = 17185
wdbprog = 0x55555555; # dec = 1431655765
wdbvers = 1;
global_var seq_nb, host_id;
seq_nb = 0;
host_id = rand() % 65534 + 1;
function wdb_packet(proc, data)
{
local_var pkt, len, i, xid, sum, seqh;
len = strlen(data) + 11 * 4; # Do not count XID
sum = 0;
# The protocol is a slightly modified version of Sun RPC
xid = rand();
seq_nb ++;
seqh = (host_id << 16) | seq_nb;
pkt = strcat(
mkdword(xid) + # 0: XID
mkdword(0) + # 1: Call
mkdword(2) + # 2: RPC version = 2
mkdword(wdbprog) + # 3: program
mkdword(wdbvers) + # 4: program version
mkdword(proc) + # 5: Procedure
# Credentials
mkdword(0) + # 6
mkdword(0) + # 7
# Verifier
mkdword(0) + # 8
mkdword(0) + # 9
#
mkdword(0) + # 10: Checksum
mkdword(len) + # 11
mkdword(seqh) + # 12
data ); # 13
sum = ip_checksum(data: pkt);
# Replace checksum
return substr(pkt, 0, 39) + mkdword(sum) + substr(pkt, 44);
}
#if (!get_udp_port_state(wdbport)) exit(0, "UDP port "+wdbport+" is closed.");
if (known_service(port:wdbport, ipproto:"udp")) exit(0, "The service listening on UDP port "+wdbport+" is already known.");
soc = open_sock_udp(wdbport);
if (!soc) exit(1, "Cannot create UDP socket to "+wdbport+".");
# 0: Ping
# 1: Connect
blob = wdb_packet(proc: 1, data: "");
r = rpc_sendrecv (socket: soc, packet: blob, udp: 1);
close(soc);
if (isnull(r))
exit(1, "RPC error from port "+wdbport+" : rep=" + __rpc_reply_stat + " acc="+ __rpc_accept_stat);
e = '';
# Skip WDB wrapper and parse the remaining data with XDR
# Verifying this header is useless: I get a zero-ed zone from the agent!
register_stream(s: substr(r, 12));
av = xdr_getstring();
mtu = xdr_getdword();
mode = xdr_getdword();;
e = strcat(e, '\nAgent version : ', av, '\nMTU : ', mtu, '\nAgent mode : ', mode);
rtt = xdr_getdword();
rtv = xdr_getstring();
e = strcat(e, '\nRun time type : ', rtt);
if (rtt == 0) e += ' (standalone WDB agent)';
else if (rtt == 1) e+= ' (WDB agent in VxWorks)';
e = strcat(e, '\nRun time version : ', rtv);
set_kb_item(name: "Host/VxWorks/RunTimeVersion", value: rtv);
x = xdr_getdword();
e = strcat(e , '\nCPU type : ', x);
x = xdr_getdword();
if (x) e += '\nFP coprocessor is installed.'; else e += '\nNo FP coprocessor.';
x = xdr_getdword();
if (x) e += '\nTarget can write protect memory.'; else e += '\nTarget cannot write protect memory.';
x = xdr_getdword();
e = strcat(e , '\nPage size : ', x);
x = xdr_getdword();
e = strcat(e , '\nEndianness : ', x);
bn = xdr_getstring();
bp = xdr_getstring();
if (bn) e = strcat(e, '\nBoard support package name : ', bn);
if (bp) e = strcat(e, '\nBoot file path : ', bp);
x = xdr_getdword();
e = strcat(e , '\nMemory base address : ', x);
x = xdr_getdword();
e = strcat(e , '\nMemory size : ', x);
e += '\n';
register_service(port:wdbport, ipproto:"udp", proto:"vxworks_wdb");
if (report_verbosity == 0)
security_hole(port: wdbport, proto: "udp");
else
security_hole(port: wdbport, proto: "udp", extra: e);
if (COMMAND_LINE) display(e);
{"id": "WDB_AGENT_DETECT.NASL", "bulletinFamily": "scanner", "title": "VxWorks WDB Debug Service Detection", "description": "A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or\nexecute arbitrary code on the host. An attacker can use this flaw to\ntake complete control of the affected device.", "published": "2010-08-06T00:00:00", "modified": "2018-08-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=48264", "reporter": "Tenable", "references": [], "cvelist": ["CVE-2010-2965"], "type": "nessus", "lastseen": "2019-01-16T20:10:56", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2010-2965"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or execute arbitrary code on the host. An attacker can use this flaw to take complete control of the affected device.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "8ba9ef8ae76062967b7adac86d21d439d8d03f225c795c2837b1461e34afa22b", "hashmap": [{"hash": "0c46e85ce359bbdc05cc4581fa1fafc3", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6defe438c8cba7575d04f8a4e24467ad", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "06d31ea75ce174bd6e8a2331e24a21c2", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "b6a3b1d9422e4c02452f83a40ebf6c91", "key": "published"}, {"hash": "e11a3aa5a5d08443e5532d304e851f39", "key": "pluginID"}, {"hash": "317349da8fe39e91b35746d952f8efa0", "key": "title"}, {"hash": "228a13c56ac05ff215b6e5e56b4c02b5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f5b30e430a14c6a65ec6f3dc2a1607a", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "3d2facde3f3c67f96536f2c01fe58bbb", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=48264", "id": "WDB_AGENT_DETECT.NASL", "lastseen": "2018-08-10T17:15:11", "modified": "2018-08-06T00:00:00", "naslFamily": "RPC", "objectVersion": "1.3", "pluginID": "48264", "published": "2010-08-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48264);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/06 14:03:15\");\n\n script_cve_id(\"CVE-2010-2965\");\n script_bugtraq_id(42158);\n script_xref(name:\"CERT\", value:\"362332\");\n script_xref(name:\"ICSA\", value:\"10-214-01\");\n\n script_name(english:\"VxWorks WDB Debug Service Detection\");\n script_summary(english:\"Sends a CONNECT request to VxWorks debug agent\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary commands can be run on this port.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or\nexecute arbitrary code on the host. An attacker can use this flaw to\ntake complete control of the affected device.\" );\n script_set_attribute(attribute:\"solution\", value: \n\"Disable the debug agent or contact the device's vendor for a patch.\" );\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2010/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/06\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"RPC\");\n script_dependencies(\"rpcinfo.nasl\");\n exit (0);\n\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"sunrpc_func.inc\");\ninclude(\"network_func.inc\");\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\nwdbport = 0x4321;\t# dec = 17185\nwdbprog = 0x55555555;\t# dec = 1431655765\nwdbvers = 1;\n\nglobal_var\tseq_nb, host_id;\nseq_nb = 0;\nhost_id = rand() % 65534 + 1;\n\nfunction wdb_packet(proc, data)\n{\n local_var\tpkt, len, i, xid, sum, seqh;\n\n len = strlen(data) + 11 * 4;\t# Do not count XID\n sum = 0;\n\n # The protocol is a slightly modified version of Sun RPC\n xid = rand();\n seq_nb ++;\n seqh = (host_id << 16) | seq_nb;\n\n pkt = strcat(\n mkdword(xid)\t+ # 0: XID\n mkdword(0)\t\t+ # 1: Call\n mkdword(2)\t\t+ # 2: RPC version = 2\n mkdword(wdbprog)\t+ # 3: program\n mkdword(wdbvers)\t+ # 4: program version\n mkdword(proc)\t+ # 5: Procedure\n # Credentials\n mkdword(0)\t\t+ # 6\n mkdword(0)\t\t+ # 7\n # Verifier \n mkdword(0)\t\t+ # 8\n mkdword(0)\t\t+ # 9\n #\n mkdword(0)\t\t+ # 10: Checksum\n mkdword(len)\t+ # 11\n mkdword(seqh)\t+ # 12\n data );\t\t # 13\n\n sum = ip_checksum(data: pkt);\n # Replace checksum\n return substr(pkt, 0, 39) + mkdword(sum) + substr(pkt, 44);\n}\n\n\n#if (!get_udp_port_state(wdbport)) exit(0, \"UDP port \"+wdbport+\" is closed.\");\nif (known_service(port:wdbport, ipproto:\"udp\")) exit(0, \"The service listening on UDP port \"+wdbport+\" is already known.\");\n\nsoc = open_sock_udp(wdbport);\nif (!soc) exit(1, \"Cannot create UDP socket to \"+wdbport+\".\");\n\n# 0: Ping\n# 1: Connect\n\nblob = wdb_packet(proc: 1, data: \"\");\n\nr = rpc_sendrecv (socket: soc, packet: blob, udp: 1);\nclose(soc);\n\nif (isnull(r))\n exit(1, \"RPC error from port \"+wdbport+\" : rep=\" + __rpc_reply_stat + \" acc=\"+ __rpc_accept_stat);\n\ne = '';\n\n# Skip WDB wrapper and parse the remaining data with XDR\n# Verifying this header is useless: I get a zero-ed zone from the agent!\n\nregister_stream(s: substr(r, 12));\n\nav = xdr_getstring();\nmtu = xdr_getdword();\nmode = xdr_getdword();;\ne = strcat(e, '\\nAgent version : ', av, '\\nMTU : ', mtu, '\\nAgent mode : ', mode);\n\nrtt = xdr_getdword();\nrtv = xdr_getstring();\ne = strcat(e, '\\nRun time type : ', rtt);\nif (rtt == 0) e += ' (standalone WDB agent)';\nelse if (rtt == 1) e+= ' (WDB agent in VxWorks)';\ne = strcat(e, '\\nRun time version : ', rtv);\n\nset_kb_item(name: \"Host/VxWorks/RunTimeVersion\", value: rtv);\n\nx = xdr_getdword();\ne = strcat(e , '\\nCPU type : ', x);\nx = xdr_getdword();\nif (x) e += '\\nFP coprocessor is installed.'; else e += '\\nNo FP coprocessor.';\nx = xdr_getdword();\nif (x) e += '\\nTarget can write protect memory.'; else e += '\\nTarget cannot write protect memory.';\nx = xdr_getdword();\ne = strcat(e , '\\nPage size : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nEndianness : ', x);\n\nbn = xdr_getstring();\nbp = xdr_getstring();\nif (bn) e = strcat(e, '\\nBoard support package name : ', bn);\nif (bp) e = strcat(e, '\\nBoot file path : ', bp);\n\nx = xdr_getdword();\ne = strcat(e , '\\nMemory base address : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nMemory size : ', x);\n\ne += '\\n';\n\nregister_service(port:wdbport, ipproto:\"udp\", proto:\"vxworks_wdb\");\n\nif (report_verbosity == 0)\n security_hole(port: wdbport, proto: \"udp\");\nelse\n security_hole(port: wdbport, proto: \"udp\", extra: e);\n\nif (COMMAND_LINE) display(e);\n", "title": "VxWorks WDB Debug Service Detection", "type": "nessus", "viewCount": 218}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-10T17:15:11"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2010-2965"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or execute arbitrary code on the host. An attacker can use this flaw to take complete control of the affected device.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "5379563b09e827fd3a1cabcc461176ccc7b602eff952444c37244633eb662bbf", "hashmap": [{"hash": "0c46e85ce359bbdc05cc4581fa1fafc3", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6defe438c8cba7575d04f8a4e24467ad", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "06d31ea75ce174bd6e8a2331e24a21c2", "key": "modified"}, {"hash": "b6a3b1d9422e4c02452f83a40ebf6c91", "key": "published"}, {"hash": "e11a3aa5a5d08443e5532d304e851f39", "key": "pluginID"}, {"hash": "317349da8fe39e91b35746d952f8efa0", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "228a13c56ac05ff215b6e5e56b4c02b5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f5b30e430a14c6a65ec6f3dc2a1607a", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "3d2facde3f3c67f96536f2c01fe58bbb", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=48264", "id": "WDB_AGENT_DETECT.NASL", "lastseen": "2018-08-30T19:45:07", "modified": "2018-08-06T00:00:00", "naslFamily": "RPC", "objectVersion": "1.3", "pluginID": "48264", "published": "2010-08-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48264);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/06 14:03:15\");\n\n script_cve_id(\"CVE-2010-2965\");\n script_bugtraq_id(42158);\n script_xref(name:\"CERT\", value:\"362332\");\n script_xref(name:\"ICSA\", value:\"10-214-01\");\n\n script_name(english:\"VxWorks WDB Debug Service Detection\");\n script_summary(english:\"Sends a CONNECT request to VxWorks debug agent\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary commands can be run on this port.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or\nexecute arbitrary code on the host. An attacker can use this flaw to\ntake complete control of the affected device.\" );\n script_set_attribute(attribute:\"solution\", value: \n\"Disable the debug agent or contact the device's vendor for a patch.\" );\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2010/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/06\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"RPC\");\n script_dependencies(\"rpcinfo.nasl\");\n exit (0);\n\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"sunrpc_func.inc\");\ninclude(\"network_func.inc\");\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\nwdbport = 0x4321;\t# dec = 17185\nwdbprog = 0x55555555;\t# dec = 1431655765\nwdbvers = 1;\n\nglobal_var\tseq_nb, host_id;\nseq_nb = 0;\nhost_id = rand() % 65534 + 1;\n\nfunction wdb_packet(proc, data)\n{\n local_var\tpkt, len, i, xid, sum, seqh;\n\n len = strlen(data) + 11 * 4;\t# Do not count XID\n sum = 0;\n\n # The protocol is a slightly modified version of Sun RPC\n xid = rand();\n seq_nb ++;\n seqh = (host_id << 16) | seq_nb;\n\n pkt = strcat(\n mkdword(xid)\t+ # 0: XID\n mkdword(0)\t\t+ # 1: Call\n mkdword(2)\t\t+ # 2: RPC version = 2\n mkdword(wdbprog)\t+ # 3: program\n mkdword(wdbvers)\t+ # 4: program version\n mkdword(proc)\t+ # 5: Procedure\n # Credentials\n mkdword(0)\t\t+ # 6\n mkdword(0)\t\t+ # 7\n # Verifier \n mkdword(0)\t\t+ # 8\n mkdword(0)\t\t+ # 9\n #\n mkdword(0)\t\t+ # 10: Checksum\n mkdword(len)\t+ # 11\n mkdword(seqh)\t+ # 12\n data );\t\t # 13\n\n sum = ip_checksum(data: pkt);\n # Replace checksum\n return substr(pkt, 0, 39) + mkdword(sum) + substr(pkt, 44);\n}\n\n\n#if (!get_udp_port_state(wdbport)) exit(0, \"UDP port \"+wdbport+\" is closed.\");\nif (known_service(port:wdbport, ipproto:\"udp\")) exit(0, \"The service listening on UDP port \"+wdbport+\" is already known.\");\n\nsoc = open_sock_udp(wdbport);\nif (!soc) exit(1, \"Cannot create UDP socket to \"+wdbport+\".\");\n\n# 0: Ping\n# 1: Connect\n\nblob = wdb_packet(proc: 1, data: \"\");\n\nr = rpc_sendrecv (socket: soc, packet: blob, udp: 1);\nclose(soc);\n\nif (isnull(r))\n exit(1, \"RPC error from port \"+wdbport+\" : rep=\" + __rpc_reply_stat + \" acc=\"+ __rpc_accept_stat);\n\ne = '';\n\n# Skip WDB wrapper and parse the remaining data with XDR\n# Verifying this header is useless: I get a zero-ed zone from the agent!\n\nregister_stream(s: substr(r, 12));\n\nav = xdr_getstring();\nmtu = xdr_getdword();\nmode = xdr_getdword();;\ne = strcat(e, '\\nAgent version : ', av, '\\nMTU : ', mtu, '\\nAgent mode : ', mode);\n\nrtt = xdr_getdword();\nrtv = xdr_getstring();\ne = strcat(e, '\\nRun time type : ', rtt);\nif (rtt == 0) e += ' (standalone WDB agent)';\nelse if (rtt == 1) e+= ' (WDB agent in VxWorks)';\ne = strcat(e, '\\nRun time version : ', rtv);\n\nset_kb_item(name: \"Host/VxWorks/RunTimeVersion\", value: rtv);\n\nx = xdr_getdword();\ne = strcat(e , '\\nCPU type : ', x);\nx = xdr_getdword();\nif (x) e += '\\nFP coprocessor is installed.'; else e += '\\nNo FP coprocessor.';\nx = xdr_getdword();\nif (x) e += '\\nTarget can write protect memory.'; else e += '\\nTarget cannot write protect memory.';\nx = xdr_getdword();\ne = strcat(e , '\\nPage size : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nEndianness : ', x);\n\nbn = xdr_getstring();\nbp = xdr_getstring();\nif (bn) e = strcat(e, '\\nBoard support package name : ', bn);\nif (bp) e = strcat(e, '\\nBoot file path : ', bp);\n\nx = xdr_getdword();\ne = strcat(e , '\\nMemory base address : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nMemory size : ', x);\n\ne += '\\n';\n\nregister_service(port:wdbport, ipproto:\"udp\", proto:\"vxworks_wdb\");\n\nif (report_verbosity == 0)\n security_hole(port: wdbport, proto: \"udp\");\nelse\n security_hole(port: wdbport, proto: \"udp\", extra: e);\n\nif (COMMAND_LINE) display(e);\n", "title": "VxWorks WDB Debug Service Detection", "type": "nessus", "viewCount": 218}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:45:07"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2010-2965"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or execute arbitrary code on the host. An attacker can use this flaw to take complete control of the affected device.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "aaa3e73beb91c686000d7cbdb78868c3d4160d538e1b6c23544843fc43b81654", "hashmap": [{"hash": "0c46e85ce359bbdc05cc4581fa1fafc3", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6defe438c8cba7575d04f8a4e24467ad", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "b6a3b1d9422e4c02452f83a40ebf6c91", "key": "published"}, {"hash": "e11a3aa5a5d08443e5532d304e851f39", "key": "pluginID"}, {"hash": "317349da8fe39e91b35746d952f8efa0", "key": "title"}, {"hash": "228a13c56ac05ff215b6e5e56b4c02b5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "81573fced906c6c685b5b8c396d52131", "key": "modified"}, {"hash": "f0b8e8e2536324c589ea9e1bb455ecdc", "key": "sourceData"}, {"hash": "3f5b30e430a14c6a65ec6f3dc2a1607a", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=48264", "id": "WDB_AGENT_DETECT.NASL", "lastseen": "2016-09-26T17:25:02", "modified": "2015-01-13T00:00:00", "naslFamily": "RPC", "objectVersion": "1.2", "pluginID": "48264", "published": "2010-08-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48264);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2015/01/13 15:34:51 $\");\n\n script_cve_id(\"CVE-2010-2965\");\n script_bugtraq_id(42158);\n script_osvdb_id(66842);\n script_xref(name:\"CERT\", value:\"362332\");\n script_xref(name:\"ICSA\", value:\"10-214-01\");\n\n script_name(english:\"VxWorks WDB Debug Service Detection\");\n script_summary(english:\"Sends a CONNECT request to VxWorks debug agent\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary commands can be run on this port.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or\nexecute arbitrary code on the host. An attacker can use this flaw to\ntake complete control of the affected device.\" );\n script_set_attribute(attribute:\"solution\", value: \n\"Disable the debug agent or contact the device's vendor for a patch.\" );\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2010/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/06\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2015 Tenable Network Security, Inc.\");\n script_family(english:\"RPC\");\n script_dependencies(\"rpcinfo.nasl\");\n exit (0);\n\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"sunrpc_func.inc\");\ninclude(\"network_func.inc\");\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\nwdbport = 0x4321;\t# dec = 17185\nwdbprog = 0x55555555;\t# dec = 1431655765\nwdbvers = 1;\n\nglobal_var\tseq_nb, host_id;\nseq_nb = 0;\nhost_id = rand() % 65534 + 1;\n\nfunction wdb_packet(proc, data)\n{\n local_var\tpkt, len, i, xid, sum, seqh;\n\n len = strlen(data) + 11 * 4;\t# Do not count XID\n sum = 0;\n\n # The protocol is a slightly modified version of Sun RPC\n xid = rand();\n seq_nb ++;\n seqh = (host_id << 16) | seq_nb;\n\n pkt = strcat(\n mkdword(xid)\t+ # 0: XID\n mkdword(0)\t\t+ # 1: Call\n mkdword(2)\t\t+ # 2: RPC version = 2\n mkdword(wdbprog)\t+ # 3: program\n mkdword(wdbvers)\t+ # 4: program version\n mkdword(proc)\t+ # 5: Procedure\n # Credentials\n mkdword(0)\t\t+ # 6\n mkdword(0)\t\t+ # 7\n # Verifier \n mkdword(0)\t\t+ # 8\n mkdword(0)\t\t+ # 9\n #\n mkdword(0)\t\t+ # 10: Checksum\n mkdword(len)\t+ # 11\n mkdword(seqh)\t+ # 12\n data );\t\t # 13\n\n sum = ip_checksum(data: pkt);\n # Replace checksum\n return substr(pkt, 0, 39) + mkdword(sum) + substr(pkt, 44);\n}\n\n\n#if (!get_udp_port_state(wdbport)) exit(0, \"UDP port \"+wdbport+\" is closed.\");\nif (known_service(port:wdbport, ipproto:\"udp\")) exit(0, \"The service listening on UDP port \"+wdbport+\" is already known.\");\n\nsoc = open_sock_udp(wdbport);\nif (!soc) exit(1, \"Cannot create UDP socket to \"+wdbport+\".\");\n\n# 0: Ping\n# 1: Connect\n\nblob = wdb_packet(proc: 1, data: \"\");\n\nr = rpc_sendrecv (socket: soc, packet: blob, udp: 1);\nclose(soc);\n\nif (isnull(r))\n exit(1, \"RPC error from port \"+wdbport+\" : rep=\" + __rpc_reply_stat + \" acc=\"+ __rpc_accept_stat);\n\ne = '';\n\n# Skip WDB wrapper and parse the remaining data with XDR\n# Verifying this header is useless: I get a zero-ed zone from the agent!\n\nregister_stream(s: substr(r, 12));\n\nav = xdr_getstring();\nmtu = xdr_getdword();\nmode = xdr_getdword();;\ne = strcat(e, '\\nAgent version : ', av, '\\nMTU : ', mtu, '\\nAgent mode : ', mode);\n\nrtt = xdr_getdword();\nrtv = xdr_getstring();\ne = strcat(e, '\\nRun time type : ', rtt);\nif (rtt == 0) e += ' (standalone WDB agent)';\nelse if (rtt == 1) e+= ' (WDB agent in VxWorks)';\ne = strcat(e, '\\nRun time version : ', rtv);\n\nset_kb_item(name: \"Host/VxWorks/RunTimeVersion\", value: rtv);\n\nx = xdr_getdword();\ne = strcat(e , '\\nCPU type : ', x);\nx = xdr_getdword();\nif (x) e += '\\nFP coprocessor is installed.'; else e += '\\nNo FP coprocessor.';\nx = xdr_getdword();\nif (x) e += '\\nTarget can write protect memory.'; else e += '\\nTarget cannot write protect memory.';\nx = xdr_getdword();\ne = strcat(e , '\\nPage size : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nEndianness : ', x);\n\nbn = xdr_getstring();\nbp = xdr_getstring();\nif (bn) e = strcat(e, '\\nBoard support package name : ', bn);\nif (bp) e = strcat(e, '\\nBoot file path : ', bp);\n\nx = xdr_getdword();\ne = strcat(e , '\\nMemory base address : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nMemory size : ', x);\n\ne += '\\n';\n\nregister_service(port:wdbport, ipproto:\"udp\", proto:\"vxworks_wdb\");\n\nif (report_verbosity == 0)\n security_hole(port: wdbport, proto: \"udp\");\nelse\n security_hole(port: wdbport, proto: \"udp\", extra: e);\n\nif (COMMAND_LINE) display(e);\n", "title": "VxWorks WDB Debug Service Detection", "type": "nessus", "viewCount": 206}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:25:02"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2010-2965"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or execute arbitrary code on the host. An attacker can use this flaw to take complete control of the affected device.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "8ba9ef8ae76062967b7adac86d21d439d8d03f225c795c2837b1461e34afa22b", "hashmap": [{"hash": "0c46e85ce359bbdc05cc4581fa1fafc3", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6defe438c8cba7575d04f8a4e24467ad", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "06d31ea75ce174bd6e8a2331e24a21c2", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "b6a3b1d9422e4c02452f83a40ebf6c91", "key": "published"}, {"hash": "e11a3aa5a5d08443e5532d304e851f39", "key": "pluginID"}, {"hash": "317349da8fe39e91b35746d952f8efa0", "key": "title"}, {"hash": "228a13c56ac05ff215b6e5e56b4c02b5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f5b30e430a14c6a65ec6f3dc2a1607a", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "3d2facde3f3c67f96536f2c01fe58bbb", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=48264", "id": "WDB_AGENT_DETECT.NASL", "lastseen": "2018-09-01T23:51:08", "modified": "2018-08-06T00:00:00", "naslFamily": "RPC", "objectVersion": "1.3", "pluginID": "48264", "published": "2010-08-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48264);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/06 14:03:15\");\n\n script_cve_id(\"CVE-2010-2965\");\n script_bugtraq_id(42158);\n script_xref(name:\"CERT\", value:\"362332\");\n script_xref(name:\"ICSA\", value:\"10-214-01\");\n\n script_name(english:\"VxWorks WDB Debug Service Detection\");\n script_summary(english:\"Sends a CONNECT request to VxWorks debug agent\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary commands can be run on this port.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or\nexecute arbitrary code on the host. An attacker can use this flaw to\ntake complete control of the affected device.\" );\n script_set_attribute(attribute:\"solution\", value: \n\"Disable the debug agent or contact the device's vendor for a patch.\" );\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2010/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/06\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"RPC\");\n script_dependencies(\"rpcinfo.nasl\");\n exit (0);\n\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"sunrpc_func.inc\");\ninclude(\"network_func.inc\");\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\nwdbport = 0x4321;\t# dec = 17185\nwdbprog = 0x55555555;\t# dec = 1431655765\nwdbvers = 1;\n\nglobal_var\tseq_nb, host_id;\nseq_nb = 0;\nhost_id = rand() % 65534 + 1;\n\nfunction wdb_packet(proc, data)\n{\n local_var\tpkt, len, i, xid, sum, seqh;\n\n len = strlen(data) + 11 * 4;\t# Do not count XID\n sum = 0;\n\n # The protocol is a slightly modified version of Sun RPC\n xid = rand();\n seq_nb ++;\n seqh = (host_id << 16) | seq_nb;\n\n pkt = strcat(\n mkdword(xid)\t+ # 0: XID\n mkdword(0)\t\t+ # 1: Call\n mkdword(2)\t\t+ # 2: RPC version = 2\n mkdword(wdbprog)\t+ # 3: program\n mkdword(wdbvers)\t+ # 4: program version\n mkdword(proc)\t+ # 5: Procedure\n # Credentials\n mkdword(0)\t\t+ # 6\n mkdword(0)\t\t+ # 7\n # Verifier \n mkdword(0)\t\t+ # 8\n mkdword(0)\t\t+ # 9\n #\n mkdword(0)\t\t+ # 10: Checksum\n mkdword(len)\t+ # 11\n mkdword(seqh)\t+ # 12\n data );\t\t # 13\n\n sum = ip_checksum(data: pkt);\n # Replace checksum\n return substr(pkt, 0, 39) + mkdword(sum) + substr(pkt, 44);\n}\n\n\n#if (!get_udp_port_state(wdbport)) exit(0, \"UDP port \"+wdbport+\" is closed.\");\nif (known_service(port:wdbport, ipproto:\"udp\")) exit(0, \"The service listening on UDP port \"+wdbport+\" is already known.\");\n\nsoc = open_sock_udp(wdbport);\nif (!soc) exit(1, \"Cannot create UDP socket to \"+wdbport+\".\");\n\n# 0: Ping\n# 1: Connect\n\nblob = wdb_packet(proc: 1, data: \"\");\n\nr = rpc_sendrecv (socket: soc, packet: blob, udp: 1);\nclose(soc);\n\nif (isnull(r))\n exit(1, \"RPC error from port \"+wdbport+\" : rep=\" + __rpc_reply_stat + \" acc=\"+ __rpc_accept_stat);\n\ne = '';\n\n# Skip WDB wrapper and parse the remaining data with XDR\n# Verifying this header is useless: I get a zero-ed zone from the agent!\n\nregister_stream(s: substr(r, 12));\n\nav = xdr_getstring();\nmtu = xdr_getdword();\nmode = xdr_getdword();;\ne = strcat(e, '\\nAgent version : ', av, '\\nMTU : ', mtu, '\\nAgent mode : ', mode);\n\nrtt = xdr_getdword();\nrtv = xdr_getstring();\ne = strcat(e, '\\nRun time type : ', rtt);\nif (rtt == 0) e += ' (standalone WDB agent)';\nelse if (rtt == 1) e+= ' (WDB agent in VxWorks)';\ne = strcat(e, '\\nRun time version : ', rtv);\n\nset_kb_item(name: \"Host/VxWorks/RunTimeVersion\", value: rtv);\n\nx = xdr_getdword();\ne = strcat(e , '\\nCPU type : ', x);\nx = xdr_getdword();\nif (x) e += '\\nFP coprocessor is installed.'; else e += '\\nNo FP coprocessor.';\nx = xdr_getdword();\nif (x) e += '\\nTarget can write protect memory.'; else e += '\\nTarget cannot write protect memory.';\nx = xdr_getdword();\ne = strcat(e , '\\nPage size : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nEndianness : ', x);\n\nbn = xdr_getstring();\nbp = xdr_getstring();\nif (bn) e = strcat(e, '\\nBoard support package name : ', bn);\nif (bp) e = strcat(e, '\\nBoot file path : ', bp);\n\nx = xdr_getdword();\ne = strcat(e , '\\nMemory base address : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nMemory size : ', x);\n\ne += '\\n';\n\nregister_service(port:wdbport, ipproto:\"udp\", proto:\"vxworks_wdb\");\n\nif (report_verbosity == 0)\n security_hole(port: wdbport, proto: \"udp\");\nelse\n security_hole(port: wdbport, proto: \"udp\", extra: e);\n\nif (COMMAND_LINE) display(e);\n", "title": "VxWorks WDB Debug Service Detection", "type": "nessus", "viewCount": 307}, "differentElements": ["description"], "edition": 4, "lastseen": "2018-09-01T23:51:08"}], "edition": 5, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "0c46e85ce359bbdc05cc4581fa1fafc3"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "6cc438500ea78f06c3537913c2c44c4a"}, {"key": "href", "hash": "228a13c56ac05ff215b6e5e56b4c02b5"}, {"key": "modified", "hash": "06d31ea75ce174bd6e8a2331e24a21c2"}, {"key": "naslFamily", "hash": "6defe438c8cba7575d04f8a4e24467ad"}, {"key": "pluginID", "hash": "e11a3aa5a5d08443e5532d304e851f39"}, {"key": "published", "hash": "b6a3b1d9422e4c02452f83a40ebf6c91"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "3d2facde3f3c67f96536f2c01fe58bbb"}, {"key": "title", "hash": "317349da8fe39e91b35746d952f8efa0"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "9179b9ed0408c8d00ed6aababc6284a7b6e587785b0b23199fcaec9e2fc3d49e", "viewCount": 322, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-2965"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103367", "OPENVAS:1361412562310104007", "OPENVAS:103367"]}, {"type": "cert", "idList": ["VU:362332"]}], "modified": "2019-01-16T20:10:56"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48264);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/06 14:03:15\");\n\n script_cve_id(\"CVE-2010-2965\");\n script_bugtraq_id(42158);\n script_xref(name:\"CERT\", value:\"362332\");\n script_xref(name:\"ICSA\", value:\"10-214-01\");\n\n script_name(english:\"VxWorks WDB Debug Service Detection\");\n script_summary(english:\"Sends a CONNECT request to VxWorks debug agent\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary commands can be run on this port.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A VxWorks WDB Debug Agent is running on this host. \n\nUsing this service, it is possible to read or write any memory zone or\nexecute arbitrary code on the host. An attacker can use this flaw to\ntake complete control of the affected device.\" );\n script_set_attribute(attribute:\"solution\", value: \n\"Disable the debug agent or contact the device's vendor for a patch.\" );\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2010/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/06\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"RPC\");\n script_dependencies(\"rpcinfo.nasl\");\n exit (0);\n\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"sunrpc_func.inc\");\ninclude(\"network_func.inc\");\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\nwdbport = 0x4321;\t# dec = 17185\nwdbprog = 0x55555555;\t# dec = 1431655765\nwdbvers = 1;\n\nglobal_var\tseq_nb, host_id;\nseq_nb = 0;\nhost_id = rand() % 65534 + 1;\n\nfunction wdb_packet(proc, data)\n{\n local_var\tpkt, len, i, xid, sum, seqh;\n\n len = strlen(data) + 11 * 4;\t# Do not count XID\n sum = 0;\n\n # The protocol is a slightly modified version of Sun RPC\n xid = rand();\n seq_nb ++;\n seqh = (host_id << 16) | seq_nb;\n\n pkt = strcat(\n mkdword(xid)\t+ # 0: XID\n mkdword(0)\t\t+ # 1: Call\n mkdword(2)\t\t+ # 2: RPC version = 2\n mkdword(wdbprog)\t+ # 3: program\n mkdword(wdbvers)\t+ # 4: program version\n mkdword(proc)\t+ # 5: Procedure\n # Credentials\n mkdword(0)\t\t+ # 6\n mkdword(0)\t\t+ # 7\n # Verifier \n mkdword(0)\t\t+ # 8\n mkdword(0)\t\t+ # 9\n #\n mkdword(0)\t\t+ # 10: Checksum\n mkdword(len)\t+ # 11\n mkdword(seqh)\t+ # 12\n data );\t\t # 13\n\n sum = ip_checksum(data: pkt);\n # Replace checksum\n return substr(pkt, 0, 39) + mkdword(sum) + substr(pkt, 44);\n}\n\n\n#if (!get_udp_port_state(wdbport)) exit(0, \"UDP port \"+wdbport+\" is closed.\");\nif (known_service(port:wdbport, ipproto:\"udp\")) exit(0, \"The service listening on UDP port \"+wdbport+\" is already known.\");\n\nsoc = open_sock_udp(wdbport);\nif (!soc) exit(1, \"Cannot create UDP socket to \"+wdbport+\".\");\n\n# 0: Ping\n# 1: Connect\n\nblob = wdb_packet(proc: 1, data: \"\");\n\nr = rpc_sendrecv (socket: soc, packet: blob, udp: 1);\nclose(soc);\n\nif (isnull(r))\n exit(1, \"RPC error from port \"+wdbport+\" : rep=\" + __rpc_reply_stat + \" acc=\"+ __rpc_accept_stat);\n\ne = '';\n\n# Skip WDB wrapper and parse the remaining data with XDR\n# Verifying this header is useless: I get a zero-ed zone from the agent!\n\nregister_stream(s: substr(r, 12));\n\nav = xdr_getstring();\nmtu = xdr_getdword();\nmode = xdr_getdword();;\ne = strcat(e, '\\nAgent version : ', av, '\\nMTU : ', mtu, '\\nAgent mode : ', mode);\n\nrtt = xdr_getdword();\nrtv = xdr_getstring();\ne = strcat(e, '\\nRun time type : ', rtt);\nif (rtt == 0) e += ' (standalone WDB agent)';\nelse if (rtt == 1) e+= ' (WDB agent in VxWorks)';\ne = strcat(e, '\\nRun time version : ', rtv);\n\nset_kb_item(name: \"Host/VxWorks/RunTimeVersion\", value: rtv);\n\nx = xdr_getdword();\ne = strcat(e , '\\nCPU type : ', x);\nx = xdr_getdword();\nif (x) e += '\\nFP coprocessor is installed.'; else e += '\\nNo FP coprocessor.';\nx = xdr_getdword();\nif (x) e += '\\nTarget can write protect memory.'; else e += '\\nTarget cannot write protect memory.';\nx = xdr_getdword();\ne = strcat(e , '\\nPage size : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nEndianness : ', x);\n\nbn = xdr_getstring();\nbp = xdr_getstring();\nif (bn) e = strcat(e, '\\nBoard support package name : ', bn);\nif (bp) e = strcat(e, '\\nBoot file path : ', bp);\n\nx = xdr_getdword();\ne = strcat(e , '\\nMemory base address : ', x);\nx = xdr_getdword();\ne = strcat(e , '\\nMemory size : ', x);\n\ne += '\\n';\n\nregister_service(port:wdbport, ipproto:\"udp\", proto:\"vxworks_wdb\");\n\nif (report_verbosity == 0)\n security_hole(port: wdbport, proto: \"udp\");\nelse\n security_hole(port: wdbport, proto: \"udp\", extra: e);\n\nif (COMMAND_LINE) display(e);\n", "naslFamily": "RPC", "pluginID": "48264", "cpe": []}
{"cve": [{"lastseen": "2016-09-03T14:12:56", "bulletinFamily": "NVD", "description": "The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804.", "modified": "2010-08-05T00:00:00", "published": "2010-08-05T09:22:29", "id": "CVE-2010-2965", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2965", "type": "cve", "title": "CVE-2010-2965", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:44:25", "bulletinFamily": "scanner", "description": "VxWorks is prone to a remote security-bypass vulnerability.\n\nSuccessful exploits will allow remote attackers to perform debugging\ntasks on the vulnerable device.\n\nThe issue affects multiple products from multiple vendors that ship\nwith the VxWorks operating system.", "modified": "2018-10-20T00:00:00", "published": "2011-12-14T00:00:00", "id": "OPENVAS:1361412562310103367", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103367", "title": "VxWorks Debugging Service Security-Bypass Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_xvworks_debugging_service_42158.nasl 11997 2018-10-20 11:59:41Z mmartin $\n#\n# VxWorks Debugging Service Security-Bypass Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/42158\");\n script_xref(name:\"URL\", value:\"http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html\");\n script_xref(name:\"URL\", value:\"http://www.windriver.com/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/512825\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/362332\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.103367\");\n script_bugtraq_id(42158);\n script_cve_id(\"CVE-2010-2965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11997 $\");\n\n script_name(\"VxWorks Debugging Service Security-Bypass Vulnerability\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-14 16:57:31 +0100 (Wed, 14 Dec 2011)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"rpcinfo.nasl\");\n script_require_udp_ports(17185);\n script_tag(name:\"summary\", value:\"VxWorks is prone to a remote security-bypass vulnerability.\n\nSuccessful exploits will allow remote attackers to perform debugging\ntasks on the vulnerable device.\n\nThe issue affects multiple products from multiple vendors that ship\nwith the VxWorks operating system.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\nport = 17185;\nif( ! get_udp_port_state(port))exit(0);\n\nsoc = open_sock_udp(port);\nif( ! soc ) exit(0);\n\nfunction get_value(data, blob) {\n\n local_var value, tmp, i;\n\ntmp = substr(data,blob);\n\nfor (i=0; i < strlen(data); i++) {\n if (tmp[i] == '\\0') {\n return value;\n }\n else {\n value += tmp[i];\n }\n\n }\n\nreturn value;\n\n}\n\npacket = raw_string(0x50,0x26,0x30,0x91,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x55,0x55,0x55,0x55,\n 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2c,\n 0x8b,0x12,0x00,0x01);\n\nsend(socket:soc,data:packet);\nrecv = recv(socket:soc,length:4096);\n\nif(isnull(recv) || ord(recv[7]) != 1)exit(0);\n\nagent_vers = get_value(data:recv,blob:40);\nif(!isnull(agent_vers)) {\n report += string(\"Agent version: \", agent_vers, \"\\n\");\n}\n\nrtv = get_value(data:recv,blob:60);\nif(!isnull(rtv)) {\n report += string(\"Run time version: \", rtv, \"\\n\");\n}\n\nbname = get_value(data:recv,blob:88);\nif(!isnull(bname)) {\n report += string(\"Board name: \", bname, \"\\n\");\n}\n\nif(report) {\n report = string(\"It was possible to gather the following information from from the remote host:\\n\\n\") + report;\n security_message(port:port,data:report);\n} else {\n security_message(port:port);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-29T12:32:19", "bulletinFamily": "scanner", "description": "Detects vulnerabilities and gathers information (such as version numbers and hardware support) from\nVxWorks Wind DeBug agents.\n\nWind DeBug is a SunRPC-type service that is enabled by default on many devices that use the popular\nVxWorks real-time embedded operating system. H.D. Moore of Metasploit has identified several\nsecurity vulnerabilities and design flaws with the service, including weakly-hashed passwords and\nraw memory dumping.\n\nSYNTAX:\n\nnfs.version: number If set overrides the detected version of nfs\n\nmount.version: number If set overrides the detected version of mountd\n\nrpc.protocol: table If set overrides the preferred order in which\nprotocols are tested. (ie. ", "modified": "2018-10-26T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:1361412562310104007", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310104007", "title": "Nmap NSE net: wdb-version", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_wdb_version_net.nasl 12117 2018-10-26 10:50:36Z cfischer $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Daniel Miller\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.104007\");\n script_version(\"$Revision: 12117 $\");\n script_cve_id(\"CVE-2010-2965\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 12:50:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Nmap NSE net: wdb-version\");\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n script_dependencies(\"nmap_nse_net.nasl\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse_net\");\n\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/362332\");\n\n script_add_preference(name:\"nfs.version\", value:\"\", type:\"entry\");\n script_add_preference(name:\"mount.version\", value:\"\", type:\"entry\");\n script_add_preference(name:\"rpc.protocol\", value:\"\", type:\"entry\");\n\n script_tag(name:\"summary\", value:\"Detects vulnerabilities and gathers information (such as version numbers and hardware support) from\nVxWorks Wind DeBug agents.\n\nWind DeBug is a SunRPC-type service that is enabled by default on many devices that use the popular\nVxWorks real-time embedded operating system. H.D. Moore of Metasploit has identified several\nsecurity vulnerabilities and design flaws with the service, including weakly-hashed passwords and\nraw memory dumping.\n\nSYNTAX:\n\nnfs.version: number If set overrides the detected version of nfs\n\nmount.version: number If set overrides the detected version of mountd\n\nrpc.protocol: table If set overrides the preferred order in which\nprotocols are tested. (ie. 'tcp', 'udp')\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"nmap.inc\");\n\n# The corresponding NSE script doesn't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\nphase = 0;\nif (defined_func(\"scan_phase\")) {\n phase = scan_phase();\n}\n\nif (phase == 1) {\n argv = make_array();\n\n pref = script_get_preference(\"nfs.version\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"nfs.version\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"mount.version\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"mount.version\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"rpc.protocol\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"rpc.protocol\"] = string('\"', pref, '\"');\n }\n nmap_nse_register(script:\"wdb-version\", args:argv);\n} else if (phase == 2) {\n res = nmap_nse_get_results(script:\"wdb-version\");\n foreach portspec (keys(res)) {\n output_banner = 'Result found by Nmap Security Scanner (wdb-version.nse) http://nmap.org:\\n\\n';\n if (portspec == \"0\") {\n security_message(data:output_banner + res[portspec], port:0);\n } else {\n v = split(portspec, sep:\"/\", keep:0);\n proto = v[0];\n port = v[1];\n security_message(data:output_banner + res[portspec], port:port, protocol:proto);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-02T11:04:18", "bulletinFamily": "scanner", "description": "VxWorks is prone to a remote security-bypass vulnerability.\n\nSuccessful exploits will allow remote attackers to perform debugging\ntasks on the vulnerable device.\n\nThe issue affects multiple products from multiple vendors that ship\nwith the VxWorks operating system.", "modified": "2017-12-22T00:00:00", "published": "2011-12-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=103367", "id": "OPENVAS:103367", "title": "VxWorks Debugging Service Security-Bypass Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_xvworks_debugging_service_42158.nasl 8236 2017-12-22 10:28:23Z cfischer $\n#\n# VxWorks Debugging Service Security-Bypass Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"VxWorks is prone to a remote security-bypass vulnerability.\n\nSuccessful exploits will allow remote attackers to perform debugging\ntasks on the vulnerable device.\n\nThe issue affects multiple products from multiple vendors that ship\nwith the VxWorks operating system.\";\n\nif (description)\n{\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/42158\");\n script_xref(name : \"URL\" , value : \"http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html\");\n script_xref(name : \"URL\" , value : \"http://www.windriver.com/\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/512825\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/362332\");\n script_id(103367);\n script_bugtraq_id(42158);\n script_cve_id(\"CVE-2010-2965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version (\"$Revision: 8236 $\");\n\n script_name(\"VxWorks Debugging Service Security-Bypass Vulnerability\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-22 11:28:23 +0100 (Fri, 22 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-14 16:57:31 +0100 (Wed, 14 Dec 2011)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"rpcinfo.nasl\");\n script_require_udp_ports(17185);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\nport = 17185;\nif( ! get_udp_port_state(port))exit(0);\n\nsoc = open_sock_udp(port);\nif( ! soc ) exit(0);\n\nfunction get_value(data, blob) {\n\n local_var value, tmp, i;\n\ntmp = substr(data,blob);\n\nfor (i=0; i < strlen(data); i++) {\n if (tmp[i] == '\\0') {\n return value;\n }\n else {\n value += tmp[i];\n }\n\n }\n\nreturn value;\n\n}\n\npaket = raw_string(0x50,0x26,0x30,0x91,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x55,0x55,0x55,0x55,\n 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2c,\n 0x8b,0x12,0x00,0x01);\n\nsend(socket:soc,data:paket);\nrecv = recv(socket:soc,length:4096);\n\nif(isnull(recv) || ord(recv[7]) != 1)exit(0);\n\nagent_vers = get_value(data:recv,blob:40);\nif(!isnull(agent_vers)) {\n report += string(\"Agent version: \", agent_vers, \"\\n\");\n}\n\nrtv = get_value(data:recv,blob:60);\nif(!isnull(rtv)) {\n report += string(\"Run time version: \", rtv, \"\\n\");\n}\n\nbname = get_value(data:recv,blob:88);\nif(!isnull(bname)) {\n report += string(\"Board name: \", bname, \"\\n\");\n}\n\nif(report) {\n report = string(\"It was possible to gather the following information from from the remote host:\\n\\n\") + report;\n security_message(port:port,data:report);\n} else {\n security_message(port:port);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-12-25T20:18:09", "bulletinFamily": "info", "description": "### Overview \n\nSome products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called.\n\n### Description \n\nThe VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system.\n\nIt is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications. \n \nConsult the VxWorks Kernel Programmer's guide for more information on WDB. \n \nAdditional information can be found in ICS-CERT advisory [ICSA-10-214-01](<http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf>) and on the [Metasploit Blog](<https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities>). \n \n--- \n \n### Impact \n\nAn attacker can use the debug service to fully compromise the device. \n \n--- \n \n### Solution \n\n**Disable debug agent** \nVendors should remove the WDB target debug agent in their VxWorks based products by removing the INCLUDE_WDB & INCLUDE_DEBUG components from their VxWorks Image. \n \n--- \n \n**Restrict access**\n\nAppropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it. \n \n--- \n \n### Vendor Information\n\n362332\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ 3com Inc \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ ARRIS \n\nNotified: June 18, 2010 Updated: January 20, 2011 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe following products have been reported to be affected:\n\n * ARRIS C3\u2122 Cable Modem Termination System Firmware Release <=4.4.4.13\n\n### __ Actelis Networks \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Alcatel-Lucent \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Allied Telesis \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Alvarion \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Aperto Networks \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Apple Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Avaya, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Broadcom \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Ceragon Networks Inc \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Cisco Systems, Inc. \n\nNotified: June 14, 2010 Updated: June 23, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml>\n\n### __ D-Link Systems, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Dell Computer Corporation, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Digicom \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ DrayTek Corporation \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ EMC Corporation \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Enablence \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Enterasys Networks \n\nNotified: June 18, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Epson America, Inc. \n\nNotified: June 18, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Ericsson \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Fluke Networks \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Foundry Networks, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Gilat Network Systems \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Guangzhou Gaoke Communications \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Hewlett-Packard Company \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Huawei Technoligies \n\nNotified: June 18, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ IWATSU Voice Networks \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Keda Communications \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Knovative Inc \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Lenovo \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Lutron Electronics \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Maipu Communication Technology \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Mitel Networks, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Motorola, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Netgear, Inc. \n\nNotified: June 18, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Nokia \n\nNotified: June 18, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Nortel Networks, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ Polycom \n\nNotified: June 14, 2010 Updated: December 07, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe release notes for SoundPoint IP/SoundStation IP SIP software states that version 3.1.2 has closed the debug port.\n\n_\"47450: Port 17185 is open, presenting a security risk\"_ \n \n<http://downloads.polycom.com/voice/voip/relnotes/spip_ssip_v3_1_6_Legacy_release_notes.pdf>\n\n### __ Proxim, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Rad Vision, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Ricoh Company Ltd. \n\nNotified: June 14, 2010 Updated: August 06, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ Rockwell Automation \n\nNotified: June 15, 2010 Updated: July 30, 2010 \n\n**Statement Date: June 29, 2010**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nRockwell Automation 1756-ENBT series A running firmware versions 3.2.6 and 3.6.1 are vulnerable. Please see Rockwell Automation Technote [69735](<http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=69735>) for more information.\n\n### Vendor References\n\n<http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=69735>\n\n### __ SFR \n\nUpdated: September 01, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nnewsoft [reports](<http://newsoft-tech.blogspot.com/2010/09/follow-up-on-vxworks-issue.html>) that the SFR (formerly Neuf Cegetel and Neuf Telecom) Trio3C has the debug service enabled.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23362332 Feedback>).\n\n### __ SMC Networks, Inc. \n\nNotified: June 18, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Schneider Electric \n\nUpdated: January 18, 2013 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nThe Modicon M340 with firmware version 2.5 was reported to run VxWorks 6.4 and have the debug port enabled.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23362332 Feedback>).\n\n### __ Shoretel Communications, Inc. \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ Siemens \n\nNotified: June 14, 2010 Updated: April 29, 2011 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n**Security Advisory Report - OBSO-1010-01**\n\n**Enabled VxWorks debug service** \nCreation Date: 2010-10-15 \nLast Update: 2010-10-15 \n \n**Summary** \nA security researcher has identified a large number of products based on the VxWorks platform provided by Wind River Systems with a debug service enabled by default at port 17185/udp. \n \n**Vulnerability Details** \nThe debug service provides full access to the memory of an affected device and allows for memory to be written as well as functions to be called. Of the various products based on VxWorks, the following are not affected by this vulnerability: HiPath Wireless Convergence, RG 8700, optiPoint 410/420 SIP and HFA (V5). \n \n**Affected Products**\n\n * HiPath 3000 (HG 1500 Gateway)\n * HiPath 4000 (HG 35xx Gateway)\n * optiPoint 410/420 HFA, versions before V5\n * optiPoint 600 office\n \n**Recommended Actions** \nIn general, it is recommended not to attach the mentioned systems directly at the internet. Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp). \n \nThe problem is solved in the following versions; an update to these or higher versions is highly recommended:\n\n * HiPath 3000 V8: V8 R5.2.0\n * HiPath 4000 V4: V4 R4.1.12\n * HiPath 4000 V5: V5 R1.2.4\n \nPlease note: \n\n\n * HiPath 3000 V7: You need to upgrade the HG 1500 gateway only. Please use V8 R5.2.0 for this. You may keep the system itself in V7.\n * HiPath 3000 V6 and earlier have reached end of SW support; please consider an upgrade to V7 or V8\n * HiPath 4000 V3 and earlier have reached end of SW support; please consider an upgrade to V4 or higher.\n * Some older, unsupported versions of optiPoint 410/420 HFA IP phones are also vulnerable. Please ensure, that V5 is installed on all phones.\n * optiPoint 600 office has reached end of life since a few years already; an update is unfortunately not available\n \n**References** \n\n\n### Vendor Information\n\nThe vendor provided the above advisory information for their affected products.\n\n### __ TRENDnet \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Tut Systems, Inc. \n\nNotified: June 18, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ Wind River Systems, Inc. \n\nNotified: June 14, 2010 Updated: August 02, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nWind River has analyzed VU#362332, and determined that all versions of VxWorks could be vulnerable if the WDB agent is left enabled in production systems and the system is network attached. VxWorks has a very strong track record of offering secure products and Wind River is committed to active threat monitoring, rapid assessment, threat prioritization, expedited remediation, response and proactive customer contact. Customers are encouraged to follow the remediation actions outlined in the SOLUTION section of the vulnerability post.\n\nRegistered users can access Wind River's online support for more information by following this link: \n<https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708> \n \nOr contact Wind River technical support for more information: \n<http://windriver.com/support/>\n\n### Vendor Information\n\nWithin the VxWorks Kernel programmers guide it states: \n_\ud840\uddcfor production systems, you will want to reconfigure VxWorks with only those components needed for deployed operation, and to build it as the appropriate type of system image. You will likely want to remove components required for host development support, such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG), as well as to remove any other operating system components not required to support your application. Other considerations may include reducing the memory requirements of the system, speeding up boot time, and security issues.\u201d_\n\n### __ Xerox \n\nNotified: June 14, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ amx \n\nNotified: June 29, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Canon \n\nNotified: June 18, 2010 Updated: August 17, 2010 \n\n### Status\n\n__ Not Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Brocade \n\nNotified: August 03, 2010 Updated: August 03, 2010 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Intel Corporation \n\nNotified: July 02, 2010 Updated: July 27, 2010 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml>\n * <http://seclists.org/vuln-dev/2002/May/179>\n * <https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities>\n * <http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf>\n * <http://blogs.windriver.com/chauhan/2010/08/vxworks-secure.html>\n * <https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708>\n * <http://thesauceofutterpwnage.blogspot.com/2010/08/metasploit-vxworks-wdb-agent-attack.html>\n * <http://cwe.mitre.org/data/definitions/215.html>\n * <http://cwe.mitre.org/data/definitions/505.html>\n\n### Credit\n\nThanks to HD Moore for reporting a wider scope with additional research related to this vulnerability. Earlier public reports came from Bennett Todd and Shawn Merdinger. \n\nThis document was written by Jared Allar. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2010-2965](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2965>) \n---|--- \n**Severity Metric:****** | 14.04 \n**Date Public:** | 2010-08-02 \n**Date First Published:** | 2010-08-02 \n**Date Last Updated: ** | 2014-06-02 23:18 UTC \n**Document Revision: ** | 84 \n", "modified": "2014-06-02T23:18:00", "published": "2010-08-02T00:00:00", "id": "VU:362332", "href": "https://www.kb.cert.org/vuls/id/362332", "type": "cert", "title": "Wind River Systems VxWorks debug service enabled by default", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
