<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=112631&fmt=gif" />

LINUX SECURITY VULNERABILITY RESPONSE INFORMATION

Stack Clash: CVE-2017-1000364, CVE-2017-1000365, CVE-2017-1000366

Wind River® is committed to delivering secure, reliable products that keep your devices protected. As part of this commitment, our Security Response Team is constantly monitoring and assessing thousands of notifications from CERT-accepted authorities and agencies, Linux security communities such as oss-security, and our customers. Wind River prioritizes these notifications, responds, and proactively contacts customers for timely alerts, enabling them to secure their devices.

Affected Products

The latest reported Stack Clash vulnerability, tracked under the CVE entries CVE-2017-1000364, CVE-2017-1000365, and CVE-2017-1000366, has been addressed by the Security Response Team.

We have determined that some Wind River products are affected, including the following:

  • Wind River Linux
  • Wind River Intelligent Device Platform
  • Wind River Pulsar Linux

Customers not on the latest version of software may be vulnerable and should contact Wind River Customer Support or their local Wind River representative for information regarding a fix for their version.

This issue has been rated as high. Further information can be found on https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash.

Note: Due to the significant difference in the privilege model, VxWorks is not impacted by this vulnerability. Specifically, in VxWorks all real-time processes (RTPs) execute in user mode (least privileged processor execution mode), and the concepts of SUID (set-user-ID) and SGID (set-group-ID) processes do not exist. VxWorks is highly configurable, and if you are concerned about the potential of a “stack clash” scenario, VxWorks provides configuration parameters to specify the size of various stack guard regions, including the overflow and underflow regions for an RTP task’s execution stack, the overflow region for an RTP task’s exception stack, and the overflow and underflow regions for a kernel task’s execution stack. Contact Customer Support or your Wind River representative for more information on these configuration options.

REMEDIATION

Wind River has released hot patches for all affected Wind River products.

The following is a list of Wind River products and their vulnerabilities to CVE-2017-1000364, CVE-2017-1000365, and CVE-2017-1000366.

Product

Vulnerable

Version

Details**

VxWorks
No
5.x, 6.x, 7.x
Wind River Linux
Yes
9.x, 8.x, 7.x, 6.x, 5.x
Wind River Intelligent Device Platform
Yes
All
Note: Ensure appropriate remedial action is taken on the Linux product/version that Wind River Intelligent Network Platform is running on.
Wind River Workbench
No
All
Wind River Simics
No
All
** You need an account to access the Knowledge Library. If you don't have a valid Knowledge Library account, please contact local customer support.

We continue to monitor the situation on our security mailing lists in case there are new developments, and will post periodic updates via RSS feeds and the Wind River Support Network.

http://www.windriver.com/feeds/wrlinux_900.xml
http://www.windriver.com/feeds/wrlinux_800.xml
http://www.windriver.com/feeds/wrlinux_700.xml
http://www.windriver.com/feeds/wrlinux_600.xml
http://www.windriver.com/feeds/wrlinux_500.xml
http://www.windriver.com/feeds/wind_river_pulsar_linux.xml

You Can’t Afford a Security Breach

This is just one of the more than 6,000 security vulnerabilities that our Security Response Team analyzes annually, and only one of the more than 1,000 annually for which we have produced a fix and rolled it out to all of our current customers.

Our support and maintenance practices and processes provide the most tangible proof of value when choosing Wind River products.
Learn more about Wind River Security practices at www.windriver.com/products/linux/security.

Customers are urged to keep their support and maintenance contracts current, and to install the latest available updates to their installed products. If you don’t know if your support and maintenance contract is current, make sure to contact your Wind River representative.