CVE-2019-12258

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name	Vendor	Start Version	End Version
Vxworks	Windriver	6.5 (including)	6.9.4.12 (excluding)
Vxworks	Windriver	7.0 (including)	7.0 (including)

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

https://cwe.mitre.org/data/definitions/196.html
https://cwe.mitre.org/data/definitions/21.html
https://cwe.mitre.org/data/definitions/31.html
https://cwe.mitre.org/data/definitions/39.html
https://cwe.mitre.org/data/definitions/59.html
https://cwe.mitre.org/data/definitions/60.html
https://cwe.mitre.org/data/definitions/61.html

References

https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-352504.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009
https://security.netapp.com/advisory/ntap-20190802-0001/
https://support.f5.com/csp/article/K41190253
https://support2.windriver.com/index.php?page=cve\u0026on=view\u0026id=CVE-2019-12258
https://support2.windriver.com/index.php?page=security-notices
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-12258
CWE	https://cwe.mitre.org/data/definitions/384.html

Session Fixation

Weakness

Affected Software

Extended Description

Potential Mitigations

Related Attack Patterns

References