search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Wind River Systems VxWorks debug service enabled by default

Vulnerability Note VU#362332

Original Release Date: 2010-08-02 | Last Revised: 2020-09-02

Overview

Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called.

Description

The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system.

It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications.

Consult the VxWorks Kernel Programmer's guide for more information on WDB.

Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog.

Impact

An attacker can use the debug service to fully compromise the device.

Solution

Disable debug agent

Vendors should remove the WDB target debug agent in their VxWorks based products by removing the INCLUDE_WDB & INCLUDE_DEBUG components from their VxWorks Image.

Restrict access

Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it.

Acknowledgements

Thanks to HD Moore for reporting a wider scope with additional research related to this vulnerability. Earlier public reports came from Bennett Todd and Shawn Merdinger.

This document was written by Jared Allar.

Vendor Information

362332
 

3com Inc. (Inactive) Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

ARRIS Affected

Notified:  2010-06-18 Updated: 2020-08-31

Statement Date:   January 20, 2011

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The following products have been reported to be affected: ARRIS C3™ Cable Modem Termination System Firmware Release <=4.4.4.13

Actelis Networks Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Alcatel-Lucent Enterprise Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Allied Telesis Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Alvarion (Inactive) Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Aperto Networks Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Apple Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Avaya Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Broadcom Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Ceragon Networks Inc Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Cisco Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

References

D-Link Systems Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Dell Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Dell EMC Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Digicom Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

DrayTek Corporation Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Enablence Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Enterasys Networks Affected

Notified:  2010-06-18 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Ericsson Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Fluke Networks Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Foundry Brocade Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Gilat Network Systems Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Guangzhou Gaoke Communications Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Huawei Affected

Updated: 2020-08-31

Statement Date:   June 18, 2010

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

IWATSU Voice Networks Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Keda Communications Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Knovative Inc Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Lenovo Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Lutron Electronics Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Maipu Communication Technology Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Mitel Networks Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Motorola Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Netgear Inc. Affected

Notified:  2010-06-18 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Nokia Affected

Notified:  2010-06-18 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Nortel Networks Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Polycom Affected

Notified:  2010-06-14 Updated: 2020-08-31

Statement Date:   December 07, 2010

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The release notes for SoundPoint IP/SoundStation IP SIP software states that version 3.1.2 has closed the debug port. "47450: Port 17185 is open, presenting a security risk" http://downloads.polycom.com/voice/voip/relnotes/spip_ssip_v3_1_6_Legacy_release_notes.pdf

Proxim Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Rad Vision Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Ricoh Company Ltd. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Rockwell Automation Affected

Notified:  2010-06-15 Updated: 2020-08-31

Statement Date:   June 29, 2010

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

References

CERT Addendum

Rockwell Automation 1756-ENBT series A running firmware versions 3.2.6 and 3.6.1 are vulnerable. Please see Rockwell Automation Technote 69735 for more information.

SEIKO EPSON Corp. / Epson America Inc. Affected

Notified:  2010-06-18 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

SFR Affected

Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

newsoft reports that the SFR (formerly Neuf Cegetel and Neuf Telecom) Trio3C has the debug service enabled.

SMC Networks Inc. Affected

Notified:  2010-06-18 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Schneider Electric Affected

Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The Modicon M340 with firmware version 2.5 was reported to run VxWorks 6.4 and have the debug port enabled.

ShoreTel Inc. Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Siemens Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

Security Advisory Report - OBSO-1010-01 Enabled VxWorks debug service Creation Date: 2010-10-15 Last Update: 2010-10-15 Summary A security researcher has identified a large number of products based on the VxWorks platform provided by Wind River Systems with a debug service enabled by default at port 17185/udp. Vulnerability Details The debug service provides full access to the memory of an affected device and allows for memory to be written as well as functions to be called. Of the various products based on VxWorks, the following are not affected by this vulnerability: HiPath Wireless Convergence, RG 8700, optiPoint 410/420 SIP and HFA (V5). Affected Products HiPath 3000 (HG 1500 Gateway) HiPath 4000 (HG 35xx Gateway) optiPoint 410/420 HFA, versions before V5 optiPoint 600 office Recommended Actions In general, it is recommended not to attach the mentioned systems directly at the internet. Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp). The problem is solved in the following versions; an update to these or higher versions is highly recommended: HiPath 3000 V8: V8 R5.2.0 HiPath 4000 V4: V4 R4.1.12 HiPath 4000 V5: V5 R1.2.4 Please note: HiPath 3000 V7: You need to upgrade the HG 1500 gateway only. Please use V8 R5.2.0 for this. You may keep the system itself in V7. HiPath 3000 V6 and earlier have reached end of SW support; please consider an upgrade to V7 or V8 HiPath 4000 V3 and earlier have reached end of SW support; please consider an upgrade to V4 or higher. Some older, unsupported versions of optiPoint 410/420 HFA IP phones are also vulnerable. Please ensure, that V5 is installed on all phones. optiPoint 600 office has reached end of life since a few years already; an update is unfortunately not available References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2965 http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html http://www.kb.cert.org/vuls/id/362332 Revision History 2010-10-15 Initial release Contact and Disclaimer OpenScale Baseline Security Office obso@siemens-enterprise.com © Siemens Enterprise Communications GmbH & Co KG 2010 Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG The information provided in this document is subject to change without notice. Siemens Enterpise Communications GmbH & Co KG (SEN) assumes no responsibility for any errors that may appear in this document, and it does not affect your current support agreements with SEN. Any trademarks referenced in this document are the property of their respective owners. ---End Vendor Statement-------------------------------------------------------------------

CERT Addendum

The vendor provided the above advisory information for their affected products.

TRENDnet Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Tut Systems Affected

Notified:  2010-06-18 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Wind River Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

Wind River has analyzed VU#362332, and determined that all versions of VxWorks could be vulnerable if the WDB agent is left enabled in production systems and the system is network attached. VxWorks has a very strong track record of offering secure products and Wind River is committed to active threat monitoring, rapid assessment, threat prioritization, expedited remediation, response and proactive customer contact. Customers are encouraged to follow the remediation actions outlined in the SOLUTION section of the vulnerability post. Registered users can access Wind River's online support for more information by following this link: https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708 Or contact Wind River technical support for more information: http://windriver.com/support/

CERT Addendum

Within the VxWorks Kernel programmers guide it states: “For production systems, you will want to reconfigure VxWorks with only those components needed for deployed operation, and to build it as the appropriate type of system image. You will likely want to remove components required for host development support, such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG), as well as to remove any other operating system components not required to support your application. Other considerations may include reducing the memory requirements of the system, speeding up boot time, and security issues.”

Xerox Affected

Notified:  2010-06-14 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

amx Affected

Notified:  2010-06-29 Updated: 2020-08-31

CVE-2010-2965 Affected

Vendor Statement

We have not received a statement from the vendor.

Canon Not Affected

Notified:  2010-06-18 Updated: 2020-08-31

CVE-2010-2965 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Brocade Communication Systems Unknown

Notified:  2010-08-03 Updated: 2020-08-31

CVE-2010-2965 Unknown

Vendor Statement

We have not received a statement from the vendor.

Intel Unknown

Notified:  2010-07-02 Updated: 2020-08-31

CVE-2010-2965 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 56 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9.5 E:H/RL:W/RC:C
Environmental 9.5 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

Other Information

CVE IDs: CVE-2010-2965
Date Public: 2010-08-02
Date First Published: 2010-08-02
Date Last Updated: 2020-09-02 15:51 UTC
Document Revision: 87

Sponsored by CISA.