CVE-2019-12259:Wind River VxWorks IPNET IGMPv3 client contains an array index error that can cause a denial of service via NULL dereference during IGMP parsing in VxWorks 6.6–6.9 and vx7.

splash
Back

Description Preview

Wind River VxWorks releases 6.6, 6.7, 6.8, 6.9 and vx7 include an array index error in the IPNET IGMPv3 client component. This vulnerability can lead to a NULL pointer dereference while parsing IGMP messages, resulting in a Denial of Service condition on affected devices. The issue is tracked as CVE-2019-12259. Wind River and other vendors have published advisories referencing this CVE, outlining the affected IPNET/IGMP components and related mitigation steps.

Overview

This CVE describes an IPNET security vulnerability in the Wind River VxWorks IGMPv3 client where an array index error can cause a NULL dereference during IGMP parsing, potentially leading to a Denial of Service on affected systems. The vulnerable product family includes Wind River VxWorks versions 6.6 through 6.9 and the vx7 line. The vulnerability is identified as CVE-2019-12259, and multiple vendor advisories (including Wind River, Siemens, NetApp, SonicWall, and F5) reference this issue and its remediation context.

Remediation

  • Update to the fixed version or apply the patch provided by Wind River for IPNET/IGMPv3 on VxWorks (check Wind River advisories and the CVE page for the exact recommended builds).
  • If upgrading is not feasible, apply mitigations to limit exposure:
    • Restrict or disable IGMP processing on affected devices if IGMP is not required in your network design.
    • Implement network filtering to block or strictly control IGMP traffic from untrusted networks (e.g., at edge or perimeter devices).
    • Enforce strict ACLs/firewalls to drop malformed or unexpected IGMP packets.
    • Enable monitoring and alerting for abnormal IGMP activity to detect potential exploitation attempts.
  • Validate any changes in a testing environment before deployment and review vendor advisories for additional mitigations or prerequisites.
  • Coordinate with the affected device vendors (Wind River and any dependent vendors) to ensure alignment with official remediation guidance.

References

  • https://support2.windriver.com/index.php?page=security-notices
  • https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009
  • https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf
  • https://security.netapp.com/advisory/ntap-20190802-0001/
  • https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
  • https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12259
  • https://support.f5.com/csp/article/K41190253
  • https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf
  • https://cert-portal.siemens.com/productcert/pdf/ssa-352504.pdf

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  3. Public Administration: Low
    Public Administration
  4. Transportation & Warehousing: Low
    Transportation & Warehousing
  5. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  6. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  7. Educational Services: Low
    Educational Services
  8. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  9. Utilities: Low
    Utilities
  10. Accommodation & Food Services: Low
    Accommodation & Food Services
  11. Finance and Insurance: Low
    Finance and Insurance
  12. Information: Low
    Information
  13. Retail Trade: Low
    Retail Trade
  14. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  15. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  16. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  17. Construction: Low
    Construction
  18. Mining: Low
    Mining
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background