CVE-2019-12264:

Wind River VxWorks contains an Incorrect Access Control vulnerability in the IPv4 address assignment mechanism of the ipdhcpc DHCP client component, affecting VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7.

Score
A numerical rating that indicates how dangerous this vulnerability is.

7.1High

Published Date:Aug 5, 2019
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.1
EPSS Percentile:22%

Exploitability

Score:2.8
Attack Vector:ADJACENT_NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:4.2
Confidentiality Impact:NONE
Integrity Impact:LOW
Availability Impact:HIGH

Description Preview

Overview

This vulnerability arises from an incorrect access control mechanism in the IPv4 address assignment process within the ipdhcpc DHCP client on Wind River VxWorks. Affected versions include 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7. The issue could allow an attacker to bypass or subvert the intended access restrictions during IPv4 DHCP configuration, which may impact network security and device configuration.

Remediation

Upgrade to a fixed version or apply the vendor-provided patch for Wind River VxWorks as specified in Wind River advisories for CVE-2019-12264.
If upgrading is not immediately feasible, disable or restrict the IPv4 DHCP client (ipdhcpc) usage where possible, or configure devices to use static IP addressing to mitigate risk.
Enforce network segregation and limit DHCP traffic to trusted segments to reduce exposure of affected devices.
Monitor vendor security advisories and CVE updates, and apply subsequent hotfixes or patches as they become available.
Validate the remediation by testing IPv4 DHCP behavior in a controlled environment after patching/upgrading.