ICSA-19-211-01 · Published 2019-08-08 · View on CISA ICS-CERT ↗

Wind River VxWorks (Update A)

CVSS 9.8 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow remote code execution.

CVEs (11)

CVE-2019-12256 CVE-2019-12257 CVE-2019-12255 CVE-2019-12260 CVE-2019-12261 CVE-2019-12263 CVE-2019-12258 CVE-2019-12259 CVE-2019-12262 CVE-2019-12264 CVE-2019-12265

Remediations

Wind River has produced controls and patches to mitigate the reported vulnerabilities. To obtain patches, email [email protected] and indicate the VxWorks major version for which you need source patches.
For more detailed information on the vulnerabilities and the mitigating controls, please see the Wind River advisory
Additional vendors affected by the reported vulnerabilities have also released security advisories related to their affected products. Those advisories are as follows:
Rockwell Automation (login required)
Xerox
Dräger
Schneider Electric

Affected Vendors

Wind River

Affected Products (12)

Wind River · VxWorks 6.9.4.11

Wind River · VxWorks Vx7 SR540

Wind River · VxWorks Vx7 SR610

Wind River · VxWorks End-of-Life >=6.5

Wind River · Advanced Networking Technology (ANT) vers:all/*

Wind River · VxWorks bootrom network stack vers:all/*

Wind River · VxWorks 653 MCE_3.x

Wind River · VxWorks 7 SR620

Wind River · VxWorks >=5.3|<=6.4

Wind River · VxWorks Cert vers:all/*

Wind River · VxWorks 653 <=2.x

Wind River · VxWorks 653 >=MCE_3.x_Cert_Edition

Affected Sectors

Critical Manufacturing, Information Technology, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more