Wind River IPnet Security Vulnerability Announcement – VxWorks Bootloaders

28 August 2019

On July 29th 2019, Wind River publicly announced that a number of vulnerabilities had been identified in its TCP/IP stack, IPnet. Those vulnerabilities, identified by Armis Labs, are named URGENT/11.

Wind River has made patches available for VxWorks 6.9.4.11 and VxWorks 7 SR0540; these vulnerabilities are also fixed in the recently released VxWorks 7 SR0620.

To obtain the patches from Wind River, customers should email PSIRT@windriver.com and indicate the VxWorks major version. They will then receive an email with instructions on how to download the patches.

Abaco’s SBCs – Bootloaders

For customers using SBCs under VxWorks 7, our boards ship with U-Boot (PowerPC) or UEFI (Intel) as bootloaders and are therefore not subject to these vulnerabilities, from a bootloader point of view.

For customers using VxWorks 6.x, Abaco products delivered with VxWorks bootloader versions between 6.5 and 6.9 inclusive may be affected by the vulnerabilities. The VxWorks version can be found on the debug port output during power on as follows:

Customers should refer to the information provided by Wind River to assess whether the product is affected based on the particular bootloader kernel version and use case scenario. Please refer to information provided by Wind River for mitigation options in the first instance.

If the mitigation options are not feasible/possible in the use case, then please contact your sales representative to discuss further options.

Abaco’s Networking Products

OpenWare products are not affected in any of their releases.

NETernity products that run the Fastpath management software may be affected, depending on firmware version. Fastpath-based products include: GBX24, GBX16, GBX16A, GBX410, VXS24, CPX24. Please contact your sales representative for further information.

 

References:

https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/ipnet-faq/

https://armis.com/urgent11/

https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf

https://www.us-cert.gov/ics/advisories/icsa-19-211-01

Francesco Fiaschi

Francesco is Abaco’s Software Product Manager. Having graduated from the University of Padova in Italy with a master's degree in electrical and electronics engineering, he has held a number of positions with a range of companies including Wind River, Intel, Infineon Technologies, Spirent Communications and Access Europe. He joined Abaco in July 2018.