Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.
CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.
CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could utilize this vulnerability overwrite the heap, which may result in a crash later on when a task requests memory from the heap.
CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.
Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.
CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.
Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.
CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.
Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.
Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.
CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.
Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.
Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.
CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.
Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.
CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.