Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346)
Today we publish an advisory for a specific function in Wind River's VxWorks operating system.
VxWorks is a real-time operating system used in many embedded devices in high-availability environments with high safety and security requirements. This includes important industrial, medical, aerospace, networking and automotive devices. For example, NASA's Curiosity rover, currently deployed on Mars, runs Wind River's VxWorks operating system.
The vulnerability is triggered when VxWorks' tarExtract function is used on untrusted tar archive files. The official VxWorks advisory can be found on the Wind River website.
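One way a caller can vet an untrusted archive held in memory before handing it to an extractor such as tarExtract is shown below. This is an added example, not Wind River's code or fix and not taken from the advisory. The function name `tar_is_safe_to_extract` and its fail-closed policy (regular files and directories only, no absolute paths, no `..` components) are assumptions of this example.

```c
/* Added example (assumption: POSIX ustar header layout, archive in memory). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define BLK 512
/* 1 if p (at most max bytes) is relative and has no ".." component. */
static int path_is_safe(const char *p, size_t max)
{
    size_t n = 0, i = 0;
    while (n < max && p[n] != '\0')
        n++;
    if (n > 0 && p[0] == '/')
        return 0;
    while (i < n) {
        size_t start = i;
        while (i < n && p[i] != '/')
            i++;
        if (i - start == 2 && p[start] == '.' && p[start + 1] == '.')
            return 0;
        i++; /* step over the '/' */
    }
    return 1;
}

/* Returns 1 only if the archive ends with a zero block and every member is
 * a regular file or directory with a safe name and ustar prefix. Fails
 * closed on links, long-name records and malformed or truncated entries. */
int tar_is_safe_to_extract(const unsigned char *buf, size_t len)
{
    static const unsigned char zero[BLK];
    size_t off = 0;
    while (off + BLK <= len) {
        const char *h = (const char *)buf + off;
        char size_field[13] = {0}, type = h[156];
        if (memcmp(h, zero, BLK) == 0)
            return 1; /* end-of-archive marker */
        if ((type != '0' && type != '\0' && type != '5') ||
            !path_is_safe(h, 100) || !path_is_safe(h + 345, 155) ||
            ((unsigned char)h[124] & 0x80)) /* base-256 size: unsupported */
            return 0;
        memcpy(size_field, h + 124, 12); /* octal size field */
        size_t sz = strtoul(size_field, NULL, 8);
        if (sz > len - off - BLK)
            return 0; /* member data runs past the buffer */
        off += BLK + (sz + BLK - 1) / BLK * BLK;
    }
    return 0; /* no end-of-archive marker seen */
}
```

The check does not verify header checksums and rejects archives containing symbolic or hard links, so it suits update or configuration bundles that only carry plain files and directories.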