Wind River Patches TCP Predictability Hole

Friday, June 19, 2015 @ 09:06 AM gHale


Wind River created patches for several versions of VxWorks that mitigates a TCP predictability vulnerability that exists in its VxWorks embedded software, according to a report on ICS-CERT.

What makes this a problematic vulnerability is other suppliers embed the software in their ICS devices, so other vendors will come out with their own patches. Schneider Electric is one.

Schneider Electric’s SAGE RTU patch, which uses Wind River’s VxWorks Version 6.9.4.4, resolves the vulnerability, researchers said.

RELATED STORIES
Wonderware Patches Vulnerability
GarrettCom Plugs Magnum Holes
Hospira Plum A+, Symbiq Vulnerabilities
Healthcare Control System Fix Update

Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center discovered the remotely exploitable vulnerability.

The following versions of VxWorks suffer from the vulnerability:
• Wind River VxWorks, Version 7, released prior to February 13, 2015
• Wind River VxWorks, Version 6.9 releases prior to Version 6.9.4.4
• Wind River VxWorks, Version 6.8 releases prior to Version 6.8.3
• Wind River VxWorks, Version 6.7 releases prior to Version 6.7.1.1
• Wind River VxWorks, Version 6.6 and prior versions, but NOT to include Version 5.5.1 with PNE2.2 and Version 6.0 through Version 6.4

As mentioned Wind River’s VxWorks is a widely-used product in ICS-related devices. NCCIC/ICS-CERT notified ICS vendors in the U.S. and abroad of the VxWorks software vulnerability. The identified ICS vendors responded to ICS-CERT’s notification and coordinated with ICS-CERT to remediate the vulnerability in their products. The following products use vulnerable versions of Wind River’s VxWorks:

The following Schneider Electric SAGE RTUs, which use CPU card C3412 suffer from the issue:
• Schneider Electric SAGE 1210 RTU
• Schneider Electric SAGE 1230 RTU
• Schneider Electric SAGE 1250 RTU
• Schneider Electric SAGE 2200 RTU

The following Schneider Electric SAGE RTUs, which use CPU card C3413 also suffer from the issue:
• Schneider Electric SAGE 1310 RTU
• Schneider Electric SAGE 1330 RTU
• Schneider Electric SAGE 1350 RTU
• Schneider Electric SAGE 3030 RTU

The following Schneider Electric SAGE RTUs, which use CPU card C3414 LX-800 with firmware versions prior to C3414-500-S02J2 end up affected:
• Schneider Electric SAGE 1410 RTU
• Schneider Electric SAGE 1430 RTU
• Schneider Electric SAGE 1450 RTU
• Schneider Electric SAGE 2400 RTU
• Schneider Electric SAGE 3030 Magnum RTU

ICS-CERT will update the list of affected products as vendors identify their product patches and new product versions.

Successful exploitation of this vulnerability may allow an attacker to spoof or disrupt TCP connections of affected devices.

Alameda, CA-based Wind River sells products around the world. Wind River is a wholly owned subsidiary of Intel Corporation.

The affected product, VxWorks, is a real time operating system used in a wide variety of products. Wind River’s VxWorks sees action across several sectors including critical manufacturing, energy, and water and wastewater systems. Wind River estimates these products see use globally.

The VxWorks software generates predictable TCP initial sequence numbers that may allow an attacker to predict the TCP initial sequence numbers from previous values, which may allow an attacker to spoof or disrupt TCP connections.

CVE-2015-3963 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

No known public exploits specifically target this vulnerability. However, an attacker with a medium skill would be able to exploit this vulnerability.

Wind River released the following patches and new versions of VxWorks:
• Wind River VxWorks, Version 7 (patched by downloading RPM package ipnet_coreip 1.2.2.0)
• Wind River VxWorks, Version 6.9.4.4
• Wind River VxWorks, Version 6.8.3
• Wind River VxWorks, Version 6.7.1.1
• Wind River VxWorks, Version 5.5.1

Wind River said they will not provide patches or support for versions of VxWorks that are at end-of-life; however, they will work with customers to discuss options.

For more information about Wind River’s patches or new versions of VxWorks, contact Wind River’s customer support.

Additional information about weaknesses in TCP initial sequence number generation is available in CERT/CC’s Vulnerability Note, VU#498440 Multiple TCP/IP Implementations May Use Statistically Predictable Initial Sequence Numbers.

Schneider Electric released patch, C3414-500-S02YZ – Secure Firmware Version J2 that mitigates the vulnerability in CPU card, C3414 LX-800, used in multiple Schneider Electric RTUs. Customers may obtain this patch by contacting Schneider Electric’s customer service department at: 1-713-920-6832.

For all other SAGE RTU models, contact Schneider Electric’s customer service department at: 1-713-920-6832.

Schneider Electric released Security Notification, SEVD-2015-162-01.

Schneider Electric recommended the following interim mitigations until users can apply patches:
• Enable SAGE RTU security features, so network traffic ends up encrypted and authenticated
• Use strong passwords
• Implement extensive logging of network traffic