CVE-2023-38346 in VxWorks
Summary
by MITRE • 09/22/2023
An issue was discovered in Wind River VxWorks 6.9 and 7. The function ``tarExtract`` implements TAR file extraction and thereby also processes files within an archive that have relative or absolute file paths. A developer using the "tarExtract" function may expect that the function will strip leading slashes from absolute paths or stop processing when encountering relative paths that are outside of the extraction path, unless otherwise forced. This could lead to unexpected and undocumented behavior, which in general could result in a directory traversal, and associated unexpected behavior.
Analysis
by VulDB Data Team • 01/19/2026
The vulnerability tracked as CVE-2023-38346 in Wind River VxWorks versions 6.9 and 7 resides in the tarExtract function, which handles TAR file extraction. This function processes archive entries with both relative and absolute file paths, and its path handling creates a security risk. The core issue is that the function does not properly sanitize or validate file paths during extraction, particularly absolute paths that begin with leading slashes and relative paths that navigate outside the intended extraction directory.
The technical flaw is that tarExtract does not apply the path validation controls that would normally prevent directory traversal. The weakness falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): attackers can manipulate file paths within TAR archives to potentially write files outside the intended target directory. The function's behavior is unpredictable when it encounters absolute paths, because it does not strip the leading slashes that indicate paths outside the current directory context, and it similarly does not enforce boundary checks on relative paths that traverse parent directories.
From an operational perspective, this vulnerability creates significant security implications for embedded systems running VxWorks 6.9 or 7, particularly those handling untrusted TAR archives from external sources. The potential for directory traversal attacks means that malicious actors could exploit this flaw to overwrite critical system files, create unauthorized access points, or execute arbitrary code by placing files in unintended locations within the filesystem. The impact extends beyond simple file manipulation as it could compromise system integrity and availability, especially in mission-critical embedded environments where such systems operate without traditional user authentication mechanisms.
The vulnerability aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter and T1566 for Phishing, as attackers could leverage this weakness to deliver malicious payloads through compromised archive files.
Organizations using Wind River VxWorks should implement immediate mitigations including updating to patched versions, implementing strict input validation for all archive extraction operations, and configuring extraction paths with proper boundary controls. Additional protective measures should include network segmentation to limit exposure to untrusted archive sources, implementing file integrity monitoring systems, and conducting thorough security assessments of all archive handling processes within embedded environments. The vulnerability demonstrates the critical importance of proper path validation in embedded system security, particularly in environments where traditional security controls may be limited or absent.
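One way to apply the input validation recommended above is to check every member name before an archive is handed to an extraction routine. This is an added example, not Wind River's code or its fix; `tar_member_path_is_safe` is a hypothetical helper and the sample names in `main` are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a VxWorks API): decide whether a TAR member name
 * may be extracted under the chosen extraction directory.
 * Returns 1 if the name is relative and never climbs above that directory,
 * 0 otherwise. Symlink and hard-link entries need a separate check. */
int tar_member_path_is_safe(const char *name)
{
    long depth = 0;                 /* levels below the extraction root */
    const char *p = name;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/')             /* absolute path: reject, do not guess */
        return 0;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of current component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)        /* ".." would leave the extraction root */
                return 0;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                /* ordinary component descends a level */
        }                           /* "" (from "//") and "." keep depth */

        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample member names, not taken from a real archive. */
    const char *names[] = { "cfg/app.ini", "/etc/passwd", "../boot.cfg",
                            "a/../b", "a/../../b", "./logs//x.txt" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s %s\n", names[i],
               tar_member_path_is_safe(names[i]) ? "extract" : "reject");
    return 0;
}
```

Rejecting the whole archive on the first unsafe name, rather than skipping that one member, keeps a partially extracted archive from being trusted.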