CVE-2019-12257:

Overview

Remediation

• Apply the vendor fix: upgrade to a version or apply a patch that includes the IPNET DHCP stack vulnerability fix (as referenced in Wind River IPNET urgent11 and related advisories).
• If upgrading is not immediately possible:
• Disable DHCP client on devices where feasible and configure static IP addressing.
• Restrict DHCP traffic: segment networks and implement access controls to limit DHCP messages to trusted networks only.
• Place affected systems behind monitored borders with enhanced network security controls (firewalls, IDS/IPS) to detect abnormal DHCP traffic.
• Monitor for signs of exploitation attempts or abnormal DHCP Offer/ACK activity and review relevant logs.
• Validate patches in a test environment before rollout and verify that the DHCP parser code path has been updated.

References

• - Wind River support: security notices (MISC) https://support2.windriver.com/index.php?page=security-notices
• - SonicWall PSIRT advisory SNWLID-2019-0009 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009
• - Siemens SSA-632562 security bulletin https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf
• - NetApp advisory NTAP-20190802-0001 https://security.netapp.com/advisory/ntap-20190802-0001/
• - Wind River IPNET urgent11 security announcement https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
• - Wind River CVE view for CVE-2019-12257 https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12257
• - F5 article K41190253 https://support.f5.com/csp/article/K41190253
• - Siemens SSA-189842 security bulletin https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf