Fixing vxWorks FTP Vulernability?

fogled@mizzou
fogled@mizzou h4x354x0r
in AMX Technical Discussion
I am being hassled by our security department to fix a vulnerability in the vxWorks software on several NI-700 controllers. Here's what the security team is telling me:

Observation: VxWorks Debug Service
Description: A system running VxWorks has the debug service exposed, allowing remote attackers to read and write arbitrary data to memory. This could lead to a complete system compromise via a number of attack vectors.
Recommendation for Improvement: Disable/remove the INCLUDE_WDB and INCLUDE_DEBUG components from the VxWorks image.

Unfortunately, I have not figured out how to disable the FTP service, without essentially bricking my own access to manage and update the controller. Does anyone else have any tips or ideas on this?

Thanks for any assistance,
· Share on FacebookShare on Twitter

Comments

  • rfletcher
    rfletcher Junior Member
    Based on a quick google search my first question is, is your firmware up to date? If not, start with that because this vulnerability in vxWorks appears to date back to 2010 and at least one website had a list of vendors that included AMX and claims they were notified.

    If this is indeed an issue in the current firmware version you'd need to contact AMX about a direct fix since this is an issue in the underlying OS image. It looks like the advised mitigation for vulnerable products is to block 17185/udp with a firewall.

    Please keep us posted on what you find out, this is moderately worrisome...
    · Share on FacebookShare on Twitter
  • ericmedley
    ericmedley Senior Member - 3709 Posts
    I might certainly be wrong on this but I do think tht vulnerability was addressed back in 2011. Fortunately we won't be dealing with vxWorks with the new controllers.
    · Share on FacebookShare on Twitter
  • B_Clements
    B_Clements Senior Member
    I beleive this was fixed years ago.

    From the product information history... http://www.amx.com/assets/AMX-PI2/amx-pi2.htm

    *********************************************************************
    NetLinx Firmware
    08/11/10 v3.50.439
    Prerequisites
    None
    Changes in this release
    - Added support for device TCP/IP address hot-swap to support MVP-9000i
    - Added support for expedited OFFLINE/ONLINE cycle to support MVP-9000i
    - Closed VxWorks WDB security hole by removing the WDB agent from the VxWorks kernel. Under the previous firmware versions, the security hole was only exposed when the master had a static IP address.

    (US-CERT VU#362332)
    · Share on FacebookShare on Twitter
  • ericmedley
    ericmedley Senior Member - 3709 Posts
    B_Clements wrote: »
    From the product information history... http://www.amx.com/assets/AMX-PI2/amx-pi2.htm

    *********************************************************************
    NetLinx Firmware
    08/11/10 v3.50.439
    Prerequisites
    None
    Changes in this release
    - Added support for device TCP/IP address hot-swap to support MVP-9000i
    - Added support for expedited OFFLINE/ONLINE cycle to support MVP-9000i
    - Closed VxWorks WDB security hole by removing the WDB agent from the VxWorks kernel. Under the previous firmware versions, the security hole was only exposed when the master had a static IP address.

    (US-CERT VU#362332)

    Yes, thanks for verifying this.
    · Share on FacebookShare on Twitter

Categories