CVSS v2 base score: 5.8 (Medium)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS: 0.024 (Low), percentile 88.7%
This updated advisory is a follow-up to the updated advisory titled ICSA-15-169-01A Wind River VxWorks TCP Predictability Vulnerability in ICS Devices that was published November 5, 2015, on the NCCIC/ICS-CERT web site.
Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center, have identified a TCP predictability vulnerability in Wind River’s VxWorks embedded software. Wind River has produced patches for several versions of VxWorks that mitigate this vulnerability. The researchers have verified that Schneider Electric’s SAGE RTU patch, which uses Wind River’s VxWorks Version 6.9.4.4, resolves the vulnerability.
This vulnerability could be exploited remotely.
The following versions of VxWorks are affected:
The following versions of VxWorks Cert are affected:
The following versions of VxWorks 653 are affected:
Wind River’s VxWorks is widely used in ICS-related devices. NCCIC/ICS-CERT has notified many ICS vendors in the US and abroad of the predictable TCP sequence vulnerability in the VxWorks software. The identified ICS vendor responded to ICS-CERT’s notification and coordinated with ICS-CERT to remediate the identified product vulnerability.
The following Schneider Electric SAGE RTUs, which use CPU card C3412, are affected:
The following Schneider Electric SAGE RTUs, which use CPU card C3413, are affected:
The following Schneider Electric SAGE RTUs, which use CPU card C3414 LX-800 with firmware versions prior to C3414-500-S02J2, are affected:
ICS-CERT will update the list of affected products as vendors identify their product patches and new product versions.
Successful exploitation of this vulnerability may allow an attacker to spoof or disrupt TCP connections of affected devices.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Wind River is a US-based company that sells products around the world. Wind River is a wholly owned subsidiary of Intel Corporation.
The affected product, VxWorks, is a real time operating system that is used in a wide variety of products.
Wind River VxWorks 653 Platform is a real-time operating system for safety-critical applications and is primarily used in avionics applications.
Wind River VxWorks Cert Platform is a real-time operating system for safety-critical applications that require certification evidence in avionics, transportation, industrial automation, and medical device industries. Wind River’s VxWorks is deployed across several sectors including Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems, and others. Wind River estimates that these products are used worldwide.
PREDICTABLE VALUE RANGE FROM PREVIOUS VALUES
The VxWorks software generates predictable TCP initial sequence numbers: an attacker who has observed previous values can predict the initial sequence numbers of subsequent connections, which may allow the attacker to spoof or disrupt TCP connections.
CVE-2015-3963 has been assigned to this vulnerability. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P).
This vulnerability could be exploited remotely.
No known public exploits specifically target this vulnerability.
An attacker with a medium skill would be able to exploit this vulnerability.
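The following added example is not part of the advisory and is not Wind River's or CERT/CC's analysis method; it shows how an asset owner might check whether a device's SYN-ACK initial sequence numbers, taken from a packet capture of their own equipment, follow a pattern that is guessable from previous values. The tcpdump-style lines, the fixed 64000 increment used as a stand-in for a weak generator, and the verdict thresholds are all constructed for illustration.

```python
import random
import re
import statistics

MOD = 1 << 32  # TCP sequence numbers are 32 bits wide

# Constructed tcpdump-style SYN-ACK lines (absolute sequence numbers, as shown by
# tcpdump -S). The seq values follow a fixed-increment pattern as a stand-in for a
# predictable generator; they are not VxWorks' actual output.
CAPTURE = "\n".join(
    f"10:00:{i:02d}.000 IP 10.0.0.5.502 > 10.0.0.9.{40000 + i}: "
    f"Flags [S.], seq {(123456 + i * 64000) % MOD}, ack 1, win 8192"
    for i in range(32)
)
SEQ_RE = re.compile(r"Flags \[S\.\], seq (\d+),")

def isns_from_capture(text):
    """Pull the server-chosen ISNs out of the SYN-ACK lines of a capture."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(text)]

def isn_deltas(isns):
    """Signed difference between consecutive ISNs, correcting for 32-bit wraparound."""
    deltas = []
    for prev, cur in zip(isns, isns[1:]):
        d = (cur - prev) % MOD
        deltas.append(d - MOD if d >= MOD // 2 else d)
    return deltas

def predictability_score(isns):
    """Population stdev of the deltas. Near zero means each ISN is the previous one
    plus a constant, i.e. guessable from earlier values. A simplified heuristic in
    the spirit of nmap's ISN difficulty index, not CERT/CC's or Wind River's method."""
    if len(isns) < 3:
        raise ValueError("need at least three ISNs")
    return statistics.pstdev(isn_deltas(isns))

def rate(isns):
    """Coarse verdict; the thresholds are this example's own, not from the advisory."""
    score = predictability_score(isns)
    if score < 256:
        return "predictable"
    if score < 1 << 20:
        return "weak"
    return "adequate"

def random_sample(seed=7, n=32):
    """Constructed comparison set: ISNs drawn uniformly from the full 32-bit range."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]

if __name__ == "__main__":
    for label, isns in (("device capture", isns_from_capture(CAPTURE)), ("random", random_sample())):
        print(f"{label}: stdev={predictability_score(isns):.0f} verdict={rate(isns)}")
```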
Wind River has released patches and new versions to address the TCP predictability vulnerability for several versions of VxWorks.
The vulnerability is resolved in VxWorks, Version 6.8.3.1 and later versions. Wind River recommends that asset owners using versions of VxWorks, Version 6.8 prior to Version 6.8.3, update to Version 6.8.3.1 or contact Wind River.
The vulnerability is resolved in VxWorks, Version 6.7.1.1 and later versions. Wind River recommends that asset owners using versions of VxWorks, Version 6.7 prior to Version 6.7.1, update to Version 6.7.1.1 or contact Wind River.
The vulnerability is resolved in VxWorks, Version 5.5.2 and later versions. Wind River recommends that asset owners using versions of VxWorks, Version 5.5 prior to Version 5.5.1, update to 5.5.2 or contact Wind River.
https://knowledge.windriver.com/en-us/000_Products/000/040/000/050/000_Cert_6.6.4.1_IPNET_CP_1_patch.
Wind River has stated that they will not provide patches or support for versions of VxWorks that are at end-of-life; however, they will work with customers to discuss options. Wind River’s security advisory is available at the following URL with a valid account:
For more information about Wind River’s patches or new versions of VxWorks, contact Wind River’s customer support at: http://windriver.com/support/.
Additional information about weaknesses in TCP initial sequence number generation is available in CERT/CC’s Vulnerability Note, VU#498440 Multiple TCP/IP Implementations May Use Statistically Predictable Initial Sequence Numbers, which is available at:
https://www.kb.cert.org/vuls/id/498440.
Schneider Electric has released patch C3414-500-S02YZ (Secure Firmware Version J2), which mitigates the vulnerability in CPU card C3414 LX-800, used in multiple Schneider Electric RTUs. Customers may obtain this patch by contacting Schneider Electric’s customer service department at: 1-713-920-6832.
For all other SAGE RTU models, contact Schneider Electric’s customer service department at: 1-713-920-6832.
Schneider Electric has released Security Notification, SEVD-2015-162-01, which is available at the following URL:
http://www.schneider-electric.com/ww/en/download/document/SEVD-2015-162-01
Schneider Electric recommends the following interim mitigations until patches can be applied:
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
Contact Information
For any questions related to this report, please contact the CISA at:
Email: [email protected]
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report