ID

VAR-201008-0270

CVE

CVE-2010-2965

TITLE

Wind River Systems VxWorks debug service enabled by default

DESCRIPTION

The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804. Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called. The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system. It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications. Consult the VxWorks Kernel Programmer's guide for more information on WDB.Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog. An attacker can use the debug service to fully compromise the device. The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password. It is relatively easy to find a string that has the same hash value as a regular password.Authentication by attacker API (loginLib) May be used to access services using. The problem is CVE-2005-3804 May be related toBy a third party UDP An arbitrary memory area may be read or modified, a function call executed, or a task managed through a request to the port. VxWorks is an embedded real-time operating system. VxWorks has multiple security vulnerabilities that allow an attacker to bypass security restrictions and gain unauthorized access to the system. For example, when logging in with the default 'target/password', 'y{{{{{SS' will HASH out the same result as 'password'. So you can use 'password' and 'y{{{{{SS' as the password to log in. Permissions and access control vulnerabilities exist in the WDB Target Agent Debugging Service in Wind River VxWorks 6.x, 5.x and earlier. VxWorks is prone to a remote security-bypass vulnerability. Successful exploits will allow remote attackers to perform debugging tasks on the vulnerable device. The issue affects multiple products from multiple vendors that ship with the VxWorks operating system. NOTE: This issue was previously covered in BID 42114 (VxWorks Multiple Security Vulnerabilities) but has been separated into its own record to better document it. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: VxWorks loginLib Default Password Hashing Algorithm Security Issue SECUNIA ADVISORY ID: SA40803 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40803/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40803 RELEASE DATE: 2010-08-03 DISCUSS ADVISORY: http://secunia.com/advisories/40803/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40803/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40803 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue has been reported in VxWorks, which can be exploited by malicious people to conduct brute force attacks. collision attacks. Successful exploitation requires that a valid login name is known. SOLUTION: The vendor has issued patches removing the 80 characters limitation for encrypted password string length limitation for VxWorks versions 5.5.1 through 6.4. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: HD Moore ORIGINAL ADVISORY: HD Moore: http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html Wind River: http://www.kb.cert.org/vuls/id/MAPG-863QH9 https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033709 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

permissions and access control issues

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Thanks to HD Moore for reporting a wider scope with additional research related to this vulnerability. Earlier public reports came from Bennett Todd and Shawn Merdinger. This document was written by Jared Allar.

SOURCES

LAST UPDATE DATE

2025-02-22T20:45:10.328000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE