Vulnerabilities > CVE-2010-2966 - Credentials Management vulnerability in Windriver Vxworks

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

NONE

Availability impact

NONE

network

low complexity

windriver

CWE-255

NVD

Published: 2010-08-05

Updated: 2010-08-05

Summary

The INCLUDE_SECURITY functionality in Wind River VxWorks 6.x, 5.x, and earlier uses the LOGIN_USER_NAME and LOGIN_USER_PASSWORD (aka LOGIN_PASSWORD) parameters to create hardcoded credentials, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session.

Vulnerable Configurations

Part	Description	Count
OS	Windriver Windriver Vxworks 5 Windriver Vxworks 5.5 Windriver Vxworks 6 Windriver Vxworks 6.4 Windriver Vxworks 6.5 Windriver Vxworks 6.6 Windriver Vxworks 6.7 Windriver Vxworks 6.8	8

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

References

http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
http://www.kb.cert.org/vuls/id/840249