CVE-2019-12260

Description

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 2 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer state confusion caused by a malformed TCP AO option.

References

Link	Tags
https://www.oracle.com/security-alerts/cpuoct2020.html	third party advisory
https://support2.windriver.com/index.php?page=security-notices	vendor advisory issue tracking
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009	third party advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf	third party advisory
https://security.netapp.com/advisory/ntap-20190802-0001/	third party advisory
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/	vendor advisory
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12260	vendor advisory
https://support.f5.com/csp/article/K41190253	third party advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf	third party advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-352504.pdf	third party advisory
https://www.oracle.com//security-alerts/cpujul2021.html	third party advisory

Frequently Asked Questions

What is the severity of CVE-2019-12260?: CVE-2019-12260 has been scored as a critical severity vulnerability.
How to fix CVE-2019-12260?: To fix CVE-2019-12260, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2019-12260 being actively exploited in the wild?: It is possible that CVE-2019-12260 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~26% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-120 – Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

References

Frequently Asked Questions