ICSMA-19-274-01
Published 2020-01-07
Interpeak IPnet TCP/IP Stack (Update D)
CVSS 9.8 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow remote code execution.
CVEs (11)
Remediations
- Enea has no IPNet customers on support contract in the United States.
- Green Hills Software has proactively informed affected users and offers consulting services to implement mitigations.
- Microsoft states they have no history of support or integration work to include IPnet and have not released a version of ThreadX bundled with IPnet. Microsoft does caution that some hardware makers could have used ThreadX and a custom set IPnet in the hardware.
- TRON Forum reports they only publish the specification for ITRON RTOS. Various implementations are used by many users world-wide and are created by various implementors (some commercial, some academic, and some government) according to the specification document. TRON Forum, the caretaker of the ITRON specification, has not endorsed the use of any particular TCP/IP stack, including one from Interpeak. The choice of TCP/IP stack is up to the RTOS vendor and application developers, and thus each application user needs to check whether the TCP/IP stack developed by Interpeak is used inside their application. TRON Forum will send out a preliminary warning to members by mailing list to notify implementors of the reported vulnerabilities.
- Wind River has produced controls and patches to mitigate the reported vulnerabilities. To obtain patches, email [email protected] and indicate the VxWorks major version for which you need source patches.
- For more detailed information on the vulnerabilities and the mitigating controls, please see the Wind River advisory.
- Additional vendors affected by the reported vulnerabilities have also released security advisories related to their affected products. Those advisories are as follows:
Affected Vendors
ENEA, Green Hills Software, ITRON, IP Infusion, and Wind River
Affected Products (9)
- Ipnet TCP/IP Stack: vers:all/*
- OSE: 4
- OSE: 5
- INTEGRITY RTOS: >= 2003 | <= 2006
- VxWorks under CURRENT support (6.9.4.11, Vx7 SR540, Vx7 SR610): vers:all/*
- Advanced Networking Technology (ANT): vers:all/*
- VxWorks: <= 6.5
- VxWorks bootrom network stack: vers:all/*
- VxWorks: 653 MCE 3.x
Affected Sectors
Critical Manufacturing, Information Technology, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems