Fixing vxWorks FTP Vulnerability?
fogled@mizzou
Posts: 549
I am being hassled by our security department to fix a vulnerability in the vxWorks software on several NI-700 controllers. Here's what the security team is telling me:
Observation: VxWorks Debug Service
Description: A system running VxWorks has the debug service exposed, allowing remote attackers to read and write arbitrary data to memory. This could lead to a complete system compromise via a number of attack vectors.
Recommendation for Improvement: Disable/remove the INCLUDE_WDB and INCLUDE_DEBUG components from the VxWorks image.
Unfortunately, I have not figured out how to disable the FTP service without essentially bricking my own access to manage and update the controller. Does anyone else have any tips or ideas on this?
Thanks for any assistance,
Comments
If this is indeed an issue in the current firmware version you'd need to contact AMX about a direct fix since this is an issue in the underlying OS image. It looks like the advised mitigation for vulnerable products is to block 17185/udp with a firewall.
Please keep us posted on what you find out, this is moderately worrisome...
From the product information history... http://www.amx.com/assets/AMX-PI2/amx-pi2.htm
*********************************************************************
NetLinx Firmware
08/11/10 v3.50.439
Prerequisites
None
Changes in this release
- Added support for device TCP/IP address hot-swap to support MVP-9000i
- Added support for expedited OFFLINE/ONLINE cycle to support MVP-9000i
- Closed VxWorks WDB security hole by removing the WDB agent from the VxWorks kernel. Under the previous firmware versions, the security hole was only exposed when the master had a static IP address.
(US-CERT VU#362332)
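The two mitigations in this thread are a firewall block on 17185/udp (the WDB agent port) and a firmware update to v3.50.439 or later, which removes the WDB agent. Below is an added example, not code from AMX or from anyone in this thread, of how a defender might track both: it triages an inventory of masters by firmware version and scans gateway firewall log lines for UDP datagrams aimed at 17185 so that probing of still-unpatched controllers is noticed. The hostnames, the pre-fix and post-fix version strings, and the iptables-style log format are all constructed for the example.

```python
"""
Defender-side helpers for the VxWorks WDB (debug agent) exposure discussed
in this thread:
  1. Flag any NetLinx master whose firmware predates v3.50.439, the release
     note above being the source for that version.
  2. Pull every UDP datagram to 17185 (the WDB agent port) out of firewall
     log lines, e.g. from an iptables LOG rule that sits next to the DROP.
All inventory entries and log lines are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

WDB_PORT = 17185
FIXED_VERSION = (3, 50, 439)   # NetLinx firmware v3.50.439 removed the WDB agent


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v3.50.439' or '3.50.439' into a comparable tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def needs_update(version: str) -> bool:
    """True when the master still runs firmware that ships the WDB agent."""
    return parse_version(version) < FIXED_VERSION


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hostnames whose firmware predates the WDB fix."""
    return sorted(host for host, ver in inventory.items() if needs_update(ver))


# Assumed iptables LOG format: SRC=... DST=... PROTO=... DPT=... on one line.
# Adjust the pattern to whatever your gateway actually emits.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def wdb_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) for every logged UDP datagram aimed at the WDB port."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("proto") == "UDP" and int(m.group("dpt")) == WDB_PORT:
            hits.append((m.group("src"), m.group("dst")))
    return hits


# --- constructed sample data (hostnames and versions are hypothetical) -------
SAMPLE_INVENTORY = {
    "ni700-lobby":   "v3.41.422",   # hypothetical pre-fix version: still exposed
    "ni700-boardrm": "v3.50.439",   # the release that removed the WDB agent
    "ni700-lab":     "3.60.453",    # hypothetical later version
}

SAMPLE_LOG = [
    "Jan 10 09:12:01 gw kernel: WDB-DROP IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.8.40 PROTO=UDP SPT=51234 DPT=17185 LEN=52",
    "Jan 10 09:12:03 gw kernel: WDB-DROP IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.8.41 PROTO=UDP SPT=51235 DPT=17185 LEN=52",
    "Jan 10 09:13:10 gw kernel: FW IN=eth0 OUT= SRC=10.0.5.9 DST=10.0.8.40 PROTO=TCP SPT=40000 DPT=21 LEN=60",
    "Jan 10 09:14:00 gw kernel: FW IN=eth0 OUT= SRC=10.0.5.9 DST=10.0.8.40 PROTO=UDP SPT=40001 DPT=53 LEN=70",
]

if __name__ == "__main__":
    print("masters needing firmware update:", triage_inventory(SAMPLE_INVENTORY))
    print("UDP/17185 traffic seen (src, dst):", wdb_hits(SAMPLE_LOG))
```

Run against the sample data this reports only `ni700-lobby` as needing the update and lists the two datagrams from 10.0.5.23 to the WDB port; the FTP (21/tcp) and DNS (53/udp) lines are ignored. The version comparison is done on integer tuples rather than strings so that, for instance, a hypothetical 3.50.1000 would not sort below 3.50.439.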
Yes, thanks for verifying this.