Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options.

An attacker with the source and destination TCP-port and IP-addresses of a session can inject invalid TCP-segments into the flow, causing the TCP-session to be reset. 

An application will see this as an ECONNRESET error message when using the socket after such an attack. 

The most likely outcome is a crash of the application reading from the affected socket.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Wind River is the provider of a real time operating system called VxWorks which is used in the embedded software of the PM 877 Controller. Wind River has announced security vulnerabilities in the VxWorks TCP/IP stack (IPnet) and management of memory block size (Bad Alloc).
The controller PM 877 is affected by vulnerabilities in the TCP/IP stack but it is not affected by the vulnerabilities related to memory management (Bad Alloc). All the associated vulnerabilities which impacted the PM 877 have been corrected. An attacker who successfully exploits these vulnerabilities could hijack existing TCP sessions to inject malformed packets or steal authenticated user session identifiers, resulting in corruptions of data, unauthorized disclosure of information, denial of service and data communications outage or even code execution. The vulnerabilities do not target any ABB products specifically, but potentially affect products that use the operating system.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability:
DoS of TCP connection via malformed TCP options.  

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

The version of VxWorks installed on the remote host is 6.9.x, prior to 6.9.4.12, or 7 (SR540), or 7 (SR540), and is affected by multiple vulnerabilities :

 - A specially crafted IPv4 packet, containing invalid encoded SSRR/LSRR options, may cause call-stack overflow. No specific services beyond IPv4 protocol support is required. (CVE-2019-12256)
 - A specially crafted packet containing illegal TCP-options can result in the victim not just dropping the TCP-segment but also drop the TCP-session. (CVE-2019-12258)
 - This vulnerability require that the TCP/IP-stack is assigned a multicast address the API intended for assigning unicast addresses or something with the same logical flaw is a prerequisite. (CVE-2019-12259)
 - A series of specially crafted TCP-segments where the last step is a TCP-segment with the URG-flag set may cause overflow of the buffer passed to recv(), recvfrom() or 'recvmsg()' socket routines. (CVE-2019-12260)
 - A specially crafted response to the connection attempt, where also the FIN- and URG-flags are set is sent as a response. This may put the victim into an inconsistent state, which make it possible to send yet another segment that trigger a buffer overflow. (CVE-2019-12261)
 - The RARP reception handler verifies that the packet is well formed, but fails to verify that the node has an ongoing RARP-transaction matching the received packet. (CVE-2019-12262)
 - A series of segments with and without the URG-flag set must arrive with a very specific timing while an application on the victim is receiving from the session. The victim must be using a SMP-kernel and two or more CPU-cores alternatively an uni-processor kernel where the receiving task and the network task executes at different priorities. (CVE-2019-12263)
 - The VxWorks DHCP client fails to properly validate that the offered IP-address in a DHCP renewal or offer response contains a valid unicast address. An attacker may assign multicast or broadcast addresses to the victim. (CVE-2019-12264)
 - An attacker can create specially crafted and fragmented IGMPv3 query report, which may result in the victim transmitting undefined buffer content. (CVE-2019-12265)

According to its self-reported version, the remote Xerox WorkCentre is  affected by multiple remote code execution and denial-of-service vulnerabilities in the IPnet TCP/IP stack. An unauthenticated, remote, attacker could leverage these vulnerabilities to gain full access to the affected device or to cause the device to become unresponsive.

According to its self-reported version, the remote device is potentially affected by multiple Wind River VxWorks remote code execution and denial-of-service vulnerabilities in the IPnet TCP/IP stack. An unauthenticated, remote, attacker could leverage these vulnerabilities to gain full access to the affected device or to cause the device to become unresponsive.

Note that Nessus has not checked for the presence of the patch so this finding may be a false positive.

According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected by multiple vulnerabilities:

  - Stack overflow in the parsing of IPv4 packets IP options. (CVE-2019-12256)

  - TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)

  - TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260)

  - TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261)

  - TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263)

  - Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)

  - TCP connection DoS via malformed TCP options (CVE-2019-12258)

  - Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)

  - Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)

  - DoS via NULL dereference in IGMP parsing (CVE-2019-12259)

  - IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
502267	Hirschmann HiOS Switches Argument Injection or Modification (CVE-2019-12258)	Tenable OT Security	Tenable.ot	high
501128	ABB Improper Neutralization of Argument Delimiters in a Command in Wind River VxWorks (CVE-2019-12258)	Tenable OT Security	Tenable.ot	high
500067	Siemens Improper Neutralization of Argument Delimiters in a Command in Wind River VxWorks (CVE-2019-12258)	Tenable OT Security	Tenable.ot	high
701083	VxWorks 6.9.x < 6.9.4.12 / 7 (SR540) / 7 (SR610) Multiple Vulnerabilities (URGENT/11)	Nessus Network Monitor	IoT	critical
127109	Xerox WorkCentre Multiple Vulnerabilities (XRX19-016) (URGENT/11)	Nessus	Misc.	critical
127108	Wind River VxWorks Multiple Vulnerabilities (URGENT/11)	Nessus	Misc.	critical
127107	SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11)	Nessus	Firewalls	critical

Detections

Analytics

CVE-2019-12258

high

Tenable Plugins

high

high

high

critical

critical

critical

critical