R7-0034: VxWorks WDB Agent Debug Service Exposure
August 2, 2010

-- Rapid7 Customer Protection:
Rapid7 NeXpose customers have access to a vulnerability check for this
flaw as of the latest update. More information about this check can be
found online at:

 http://www.rapid7.com/vulndb/lookup/vxworks-wdbrpc-exposed

-- Vulnerability Details:
This vulnerability allows remote attackers to read memory, write memory,
execute code, and ultimately take complete control of the affected
device. This issue affects over 100 different vendors and a multitude of
products, both shipping and end-of-life. A spreadsheet of identified
products affected by this flaw can be found at the URL below. This index
is not comprehensive and not all devices found are still supported.

 http://www.metasploit.com/data/confs/bsideslv2010/VxWorksDevices.xls

This flaw occurs due to an insecure setting in the configuration file of
the manufacturer's source code. This setting results in a system- debug
service being exposed on UDP port 17185. This service does not require
authentication to access. More information about this issue can be found
at the Metasploit blog:

 http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

-- Vendor Response:
Wind River Systems has notified their customers of the issue and
indicated that the WDB agent should be disabled for production builds.
CERT has notified every vendor with an identified, shipping product
containing this vulnerability. Responses for each specific vendor can be
found in the CERT advisory:

 http://www.kb.cert.org/vuls/id/362332

-- Disclosure Timeline:
2010-06-02 - Vulnerability reported to CERT for vendor notification
2010-08-02 - Coordinated public release of advisory

-- Credit:
This vulnerability had been discovered in specific devices in multiple
instances, first by Bennett Todd in 2002 and then Shawn Merdinger in
2005. A comprehensive analysis of all affected devices was conducted by
HD Moore in 2010.

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

 http://www.rapid7.com/disclosure.jsp