There is a TCP prediction vulnerability in Wind River’s widely deployed VxWorks embedded software that can enable an attacker to disrupt or spoof the TCP connections to and from target devices.
VxWorks is an embedded operating system that’s used in a large number of ICS products that are deployed in sectors such as energy, water, wastewater, and critical manufacturing. Products from a variety of vendors are affected by this vulnerability, notably a series of products manufactured by Schneider Electric, a major ICS vendor.
The vulnerability, which was discovered by a team of researchers at Georgia Tech, lies in the way that VxWorks handles TCP connections.
“The VxWorks software generates predictable TCP initial sequence numbers that may allow an attacker to predict the TCP initial sequence numbers from previous values, which may allow an attacker to spoof or disrupt TCP connections,” the ICS-CERT advisory says.
The bug affects the following versions of VxWorks:
- Wind River VxWorks, Version 7, released prior to February 13, 2015,
- Wind River VxWorks, Version 6.9 releases prior to Version 220.127.116.11,
- Wind River VxWorks, Version 6.8 releases prior to Version 6.8.3,
- Wind River VxWorks, Version 6.7 releases prior to Version 18.104.22.168, and
- Wind River VxWorks, Version 6.6 and prior versions, but NOT to include Version 5.5.1 with PNE2.2 and Version 6.0 through Version 6.4.
Wind River has produced patches for supported versions of the software.
“Wind River has stated that they will not provide patches or support for versions of VxWorks that are at end-of-life; however, they will work with customers to discuss options,” the advisory says.
The vulnerability can be exploited remotely and the advisory says an attacker with medium skill would be able to exploit it.