AI Score: 6.3 Medium (Confidence: Low)
CVSS2: 5.8 Medium, AV:N/AC:M/Au:N/C:N/I:P/A:P (Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: PARTIAL)
EPSS: 0.024 Low (Percentile: 89.7%)
This updated advisory is a follow-up to the updated advisory titled ICSA-15-169-01A Wind River VxWorks TCP Predictability Vulnerability in ICS Devices that was published November 5, 2015, on the NCCIC/ICS-CERT web site.
Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center, have identified a TCP predictability vulnerability that exists in Wind River’s VxWorks embedded software. Wind River has produced patches for several versions of VxWorks that mitigate this vulnerability. The researchers have verified that Schneider Electric’s SAGE RTU patch, which uses Wind River’s VxWorks Version 6.9.4.4, resolves the vulnerability.
This vulnerability could be exploited remotely.
The following versions of VxWorks are affected:
The following versions of VxWorks Cert are affected:
The following versions of VxWorks 653 are affected:
Wind River’s VxWorks is widely used in ICS-related devices. NCCIC/ICS-CERT has notified many ICS vendors in the US and abroad of the predictable TCP sequence vulnerability in the VxWorks software. The identified ICS vendor responded to ICS-CERT’s notification and coordinated with ICS-CERT to remediate the identified product vulnerability.
The following Schneider Electric SAGE RTUs, which use CPU card C3412, are affected:
The following Schneider Electric SAGE RTUs, which use CPU card C3413, are affected:
The following Schneider Electric SAGE RTUs, which use CPU card C3414 LX-800 with firmware versions prior to C3414-500-S02J2, are affected:
ICS-CERT will update the list of affected products as vendors identify their product patches and new product versions.
Successful exploitation of this vulnerability may allow an attacker to spoof or disrupt TCP connections of affected devices.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Wind River is a US-based company that sells products around the world. Wind River is a wholly owned subsidiary of Intel Corporation.
The affected product, VxWorks, is a real-time operating system that is used in a wide variety of products.
Wind River VxWorks 653 Platform is a real-time operating system for safety-critical applications and is primarily used in avionics applications.
Wind River VxWorks Cert Platform is a real-time operating system for safety-critical applications that require certification evidence in avionics, transportation, industrial automation, and medical device industries. Wind River’s VxWorks is deployed across several sectors including Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems, and others. Wind River estimates that these products are used worldwide.
PREDICTABLE VALUE RANGE FROM PREVIOUS VALUES (CWE-343: Predictable Value Range from Previous Values, http://cwe.mitre.org/data/definitions/343.html, web site last accessed June 18, 2015.)
The VxWorks software generates predictable TCP initial sequence numbers that may allow an attacker to predict the TCP initial sequence numbers from previous values, which may allow an attacker to spoof or disrupt TCP connections.
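As an added illustration (not part of the advisory and not Wind River or Schneider Electric code), the following Python example shows how an asset owner could score ISNs recorded from a device's SYN/ACK replies, for instance before and after patching, for the dependence on previous values described above. The sample values, the 2^16 threshold and all function names are assumptions made for the example.

```python
# Added example (not from the advisory): score how far a device's next TCP
# initial sequence number (ISN) can be narrowed down from previous ones.
from itertools import accumulate
from math import log2

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Step between successive ISNs, modulo 2**32 so wrap-around is handled."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def circular_spread(deltas):
    """Width of the smallest arc on the 2**32 circle that holds every delta."""
    s = sorted(set(deltas))
    gaps = [b - a for a, b in zip(s, s[1:])] + [s[0] + MOD - s[-1]]
    return MOD - max(gaps)


def assess(isns, suspect_below=2 ** 16, min_samples=8):
    """Return (verdict, bits): bits ~ log2 of the window the next ISN fell in."""
    if len(isns) < min_samples:
        raise ValueError("need at least %d ISN samples" % min_samples)
    spread = circular_spread(isn_deltas(isns))
    bits = log2(spread + 1)
    if spread == 0:
        return "predictable", bits          # constant step: CWE-343 pattern
    if spread < suspect_below:              # threshold is an assumption
        return "suspect", bits
    return "no obvious pattern", bits       # not proof of a sound generator


# Constructed samples (not captured from any real device).
CONSTANT_STEP = [(0xFFFF0000 + i * 64000) % MOD for i in range(10)]  # wraps
JITTER = [64010, 63990, 64123, 63877, 64050, 64001, 63950, 64200]
JITTERED_STEP = list(accumulate(JITTER, initial=0x0001F400))
RANDOM_LOOKING = [0x3A91C7E2, 0xB40F1D55, 0x07E6A913, 0xE2C45B08, 0x5D18F3A7,
                  0x91B7204C, 0x2F63DE91, 0xC80A57F6, 0x6495B32D]

if __name__ == "__main__":
    for name, sample in [("constant", CONSTANT_STEP), ("jittered", JITTERED_STEP),
                         ("random-looking", RANDOM_LOOKING)]:
        verdict, bits = assess(sample)
        print(f"{name:15s} {verdict:18s} ~{bits:.1f} bits")
```

A "no obvious pattern" verdict only means this one test found no narrow step window; it does not certify the generator.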
CVE-2015-3963 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3963, web site last accessed November 5, 2015). A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P) (CVSS Calculator, https://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:P, web site last accessed June 18, 2015).
This vulnerability could be exploited remotely.
No known public exploits specifically target this vulnerability.
An attacker with medium skill would be able to exploit this vulnerability.
Wind River has released patches and new versions to address the TCP predictability vulnerability for several versions of VxWorks.
The vulnerability is resolved in VxWorks, Version 6.8.3.1 and later versions. Wind River recommends that asset owners using versions of VxWorks, Version 6.8 prior to Version 6.8.3, update to Version 6.8.3.1 or contact Wind River.
The vulnerability is resolved in VxWorks, Version 6.7.1.1 and later versions. Wind River recommends that asset owners using versions of VxWorks, Version 6.7 prior to Version 6.7.1, update to Version 6.7.1.1 or contact Wind River.
A patch for VxWorks, Version 5.5 has been released, which is available at the following URL, with a valid account:
The vulnerability is resolved in VxWorks, Version 5.5.2 and later versions. Wind River recommends that asset owners using versions of VxWorks, Version 5.5 prior to Version 5.5.1, update to 5.5.2 or contact Wind River.
https://knowledge.windriver.com/en-us/000_Products/000/040/000/050/000_Cert_6.6.4.1_IPNET_CP_1_patch.
Wind River has stated that they will not provide patches or support for versions of VxWorks that are at end-of-life; however, they will work with customers to discuss options. Wind River’s security advisory is available at the following URL with a valid account:
For more information about Wind River’s patches or new versions of VxWorks, contact Wind River’s customer support at: http://windriver.com/support/.
Additional information about weaknesses in TCP initial sequence number generation is available in CERT/CC’s Vulnerability Note, VU#498440 Multiple TCP/IP Implementations May Use Statistically Predictable Initial Sequence Numbers, which is available at:
https://www.kb.cert.org/vuls/id/498440.
Schneider Electric has released a patch, C3414-500-S02YZ - Secure Firmware Version J2, that mitigates the vulnerability in CPU card C3414 LX-800, which is used in multiple Schneider Electric RTUs. Customers may obtain this patch by contacting Schneider Electric’s customer service department at: 1-713-920-6832.
For all other SAGE RTU models, contact Schneider Electric’s customer service department at:
1-713-920-6832.
Schneider Electric has released Security Notification, SEVD-2015-162-01, which is available at the following URL:
http://www.schneider-electric.com/ww/en/download/document/SEVD-2015-162-01
Schneider Electric recommends the following interim mitigations until patches can be applied:
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.