Wind River IPnet Security Vulnerability Announcement – VxWorks Bootloaders
On July 29th 2019, Wind River publicly announced that a number of vulnerabilities had been identified in its TCP/IP stack IPnet. Those vulnerabilities – identified by Armis Labs - are named URGENT/11.
Wind River has made patches available for VxWorks 18.104.22.168 and VxWorks 7 SR0540; these vulnerabilities are also fixed in the recently released VxWorks 7 SR0620.
To obtain the patches from Wind River, customers should email PSIRT@windriver.com and indicate the VxWorks major version. They will then receive an email with instructions on how to download the patches.
Abaco’s SBCs – Bootloaders
For customers using SBCs under VxWorks 7, our boards ship with U-Boot (PowerPC) or UEFI (Intel) as bootloaders and are therefore not subject to these vulnerabilities, from a bootloader point of view.
For customers using VxWorks 6.x, Abaco products delivered with VxWorks bootloader versions between 6.5 and 6.9 inclusive may be affected by the vulnerabilities. The VxWorks version can be found on the debug port output during power on as follows:
Customers should refer to the information provided by Wind River to assess whether the product is affected based on the particular bootloader kernel version and use case scenario. Please refer to information provided by Wind River for mitigation options in the first instance.
If the mitigation options are not feasible/possible in the use case, then please contact your sales representative to discuss further options.
Abaco’s Networking Products
OpenWare products are not affected in any of their releases.
NETernity product that run the Fastpath management software may be affected depending on firmware version. Fastpath based products including: GBX24, GBX16, GBX16A, GBX410, VXS24, CPX24. Please contact your sales representatives for further information.