CVE-2021-29998

9.8 CRITICAL

📋 TL;DR

CVE-2021-29998 is a heap overflow vulnerability in the DHCP client of the Wind River VxWorks operating system. It allows remote attackers to execute arbitrary code or cause a denial of service by sending specially crafted DHCP packets. Systems running VxWorks versions before 6.5 with the DHCP client enabled are affected.

💻 Affected Systems

Products:
  • Wind River VxWorks
Versions: All versions before 6.5
Operating Systems: VxWorks RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with DHCP client functionality enabled. Many industrial control systems and embedded devices use VxWorks.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, allowing attackers to take control of affected devices.

🟠 Likely Case: Denial of service causing system crashes or instability, potentially disrupting critical operations.

🟢 If Mitigated: Limited impact if network segmentation prevents external DHCP traffic from reaching vulnerable systems.

🌐 Internet-Facing: HIGH - DHCP clients typically listen on network interfaces and can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised systems on the same network segment can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious DHCP packets to vulnerable systems. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: VxWorks 6.5 and later

Vendor Advisory: https://support2.windriver.com/index.php?page=security-notices

Restart Required: Yes

Instructions:

1. Contact Wind River for patches for specific VxWorks versions.
2. Apply the provided patches.
3. Reboot affected systems.
4. Verify patch installation.

🔧 Temporary Workarounds

Disable DHCP Client

all

Configure systems to use static IP addresses instead of DHCP

# Configure static IP in VxWorks network settings
# Set IP address, netmask, gateway manually

Network Segmentation

all

Isolate VxWorks systems from untrusted networks

# Configure firewall rules to block DHCP traffic (ports 67/68) from untrusted sources

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate VxWorks systems
  • Deploy network intrusion detection systems to monitor for DHCP exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check VxWorks version and verify if DHCP client is enabled. Versions before 6.5 are vulnerable.

Check Version:

versionShow() or uname -a in VxWorks shell

Verify Fix Applied:

Verify system is running VxWorks 6.5 or later, or confirm patch installation from vendor.

📡 Detection & Monitoring

Log Indicators:

  • DHCP client crashes
  • Memory corruption errors
  • System reboots without clear cause

Network Indicators:

  • Unusual DHCP traffic patterns
  • DHCP packets with malformed options
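
The "DHCP packets with malformed options" indicator can be checked structurally on a monitoring host. The Python below is an added example, not part of the original advisory or any vendor tooling; it validates the option TLVs of a captured DHCP UDP payload against the RFC 2131/2132 layout. Function names and sample packets are constructed, and the checks are generic: this page does not describe which field triggers CVE-2021-29998.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options field
OPTIONS_OFFSET = 236                 # fixed BOOTP header length before the cookie
# Lengths RFC 2132 fixes for some common options: code -> (name, exact length)
FIXED_LEN = {1: ("subnet mask", 4), 51: ("lease time", 4),
             53: ("message type", 1), 54: ("server identifier", 4)}
# Options whose payload is a list of IPv4 addresses (non-zero multiple of 4)
ADDR_LIST = {3: "router", 6: "DNS server"}

def check_dhcp_options(payload: bytes) -> list[str]:
    """Return a list of structural problems found in a DHCP (UDP) payload."""
    if len(payload) < OPTIONS_OFFSET + 4:
        return ["payload shorter than BOOTP header plus magic cookie"]
    if payload[OPTIONS_OFFSET:OPTIONS_OFFSET + 4] != MAGIC_COOKIE:
        return ["magic cookie missing or wrong"]
    findings, i, saw_end = [], OPTIONS_OFFSET + 4, False
    while i < len(payload):
        code = payload[i]
        if code == 0:            # Pad: single byte, no length field
            i += 1
            continue
        if code == 255:          # End: single byte, stops parsing
            saw_end = True
            break
        if i + 1 >= len(payload):
            findings.append(f"option {code}: length byte missing")
            break
        length = payload[i + 1]
        if i + 2 + length > len(payload):
            findings.append(f"option {code}: declared length {length} runs past end of packet")
            break
        if code in FIXED_LEN and length != FIXED_LEN[code][1]:
            name, want = FIXED_LEN[code]
            findings.append(f"option {code} ({name}): length {length}, expected {want}")
        if code in ADDR_LIST and (length == 0 or length % 4):
            findings.append(f"option {code} ({ADDR_LIST[code]}): length {length} is not a multiple of 4")
        i += 2 + length
    if not saw_end:
        findings.append("no End option (255) before end of packet")
    return findings

def _sample(options: bytes) -> bytes:
    """Constructed test packet: minimal BOOTP reply header + cookie + options."""
    return bytes([2, 1, 6, 0]) + bytes(OPTIONS_OFFSET - 4) + MAGIC_COOKIE + options

# Constructed samples: a well-formed offer, and one whose option 1 claims 9 bytes with 4 left
GOOD = _sample(bytes([53, 1, 2, 1, 4, 255, 255, 255, 0, 51, 4, 0, 0, 14, 16, 255]))
BAD = _sample(bytes([53, 1, 2, 1, 9, 255, 255, 255, 0]))
```

The checker does not follow option overload (option 52) into the `sname` and `file` header fields, so options carried there are not inspected.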

SIEM Query:

search DHCP traffic with suspicious option fields or from untrusted sources
