OTPulse

Wind River VXWorks TCP Predictability Vulnerability in ICS Devices (Update B)

Low Risk · ICS-CERT ICSA-15-169-01B · Mar 21, 2015
Summary

The vulnerability is a weak TCP sequence number generation flaw in Wind River VxWorks that allows remote attackers to predict TCP sequence numbers and inject spoofed packets into network communications. The flaw affects multiple versions of VxWorks (6.7.x through 7.x and earlier variants) and all versions of Schneider Electric SAGE RTU models that run VxWorks. This enables TCP/IP traffic spoofing and session hijacking attacks. Affected SAGE RTU models include 1210, 1230, 1250, 1310, 1330, 1350, 1410, 1430, 1450, 2200, 2300, 2400, 3030, 3030 Magnum, and LANDAC2 upgrade kit. Schneider Electric released a patch for the C3414 LX-800 CPU card (Firmware J2), but most SAGE RTU models lack available patches and require direct contact with the vendor for mitigations.

What this means
What could happen
An attacker could predict TCP sequence numbers and spoof network traffic to SAGE RTUs, potentially sending fraudulent commands to remote terminal units that control electrical generation, transmission, or distribution infrastructure without detection. This could alter operating parameters or disrupt service.
Who's at risk
Energy sector operators using Schneider Electric SAGE RTUs (models 1210, 1230, 1250, 1310, 1330, 1350, 1410, 1430, 1450, 2200, 2300, 2400, 3030, 3030 Magnum, and LANDAC2 upgrade kit) for distribution automation and monitoring. Also affects any equipment running Wind River VxWorks operating system versions 6.7.x through 7.x without current patches.
How it could be exploited
An attacker on the network (or with a routable path to the RTU) could capture TCP traffic to predict sequence numbers, then inject forged packets into the communication stream. By spoofing the source IP address and predicting the next TCP sequence number, the attacker could inject commands that the RTU accepts as legitimate; where the RTU's authentication features are not enabled, nothing else stands in the way.
Prerequisites
  • Network access to the SAGE RTU (local network or routable path)
  • Ability to capture and analyze TCP traffic from the RTU
  • RTU with weak or no TCP sequence number randomization enabled
  • Optional: security features disabled or default credentials in use
Risk flags
  • No patch available for many affected products (end-of-life)
  • Affects safety-critical systems (VxWorks 653 variants)
  • TCP sequence number predictability is a fundamental OS flaw
  • Remotely exploitable if network access exists
  • Low exploit complexity once network access is gained
  • No authentication required if security features are disabled
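An added audit check, not part of the OTPulse advisory or of any vendor or ICS-CERT tooling, that looks at the flaw from the defender's side: it scores a series of TCP initial sequence numbers observed from successive test connections to a device you operate and flags generators that step by a fixed or nearly fixed amount, which is the property the advisory describes. The scoring heuristic, the 16-bit threshold and the three sample sequences are this example's own assumptions.

```python
import math
import random
import statistics
from functools import reduce
from typing import Dict, List

MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, modulo 2^32 (handles wraparound)."""
    return [(later - earlier) % MOD32 for earlier, later in zip(isns, isns[1:])]


def audit_isns(isns: List[int]) -> Dict[str, object]:
    """Heuristic: how predictable is the next ISN given the ones already seen?

    Returns the common step of the increments (gcd), an approximate
    bit-strength derived from the spread of the increments, and a verdict.
    This is a simplified predictability index, not any scanner's exact formula.
    """
    if len(isns) < 3:
        raise ValueError("need at least 3 ISNs to judge a generator")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        # Every connection moves the ISN by exactly the same amount: the next
        # value is fully determined by the last one observed.
        return {"gcd": deltas[0], "bits": 0.0, "verdict": "constant increment"}
    step = reduce(math.gcd, deltas)  # granularity shared by all increments
    spread = statistics.pstdev([d // step for d in deltas])
    bits = math.log2(spread) if spread > 1 else 0.0
    verdict = "weak" if bits < 16 else "acceptable"  # assumed threshold
    return {"gcd": step, "bits": round(bits, 1), "verdict": verdict}


# Constructed sample sequences (not captured from any real device).
CONSTANT_STEP = [0x0001_0000 + i * 64_000 for i in range(12)]  # fixed +64000
_JITTER = [3, 17, 250, 42, 101, 9, 200, 77, 5, 130, 60]       # +64000 plus a few bits
JITTERED_STEP = [0x2000_0000]
for _j in _JITTER:
    JITTERED_STEP.append((JITTERED_STEP[-1] + 64_000 + _j) % MOD32)
_rng = random.Random(2015)                                    # fixed seed, reproducible
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(12)]

if __name__ == "__main__":
    for name, seq in (("constant", CONSTANT_STEP), ("jittered", JITTERED_STEP),
                      ("random", RANDOM_ISNS)):
        print(f"{name:9s} {audit_isns(seq)}")
```

In practice the input list comes from the SYN-ACK sequence numbers of a few consecutive connections to a lab or maintenance-window device, captured with a packet capture tool you already run for the logging and monitoring step.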
Exploitability
Moderate exploit probability (EPSS 3.0%)
Affected products (29)
14 with fix · 15 EOL
Product                                                                | Affected Versions | Fix Status
Wind River VxWorks                                                     | >=6.9, <6.9.4.4   | 6.7.1.1, 6.8.3, 6.9.4.4, and February 13 2015 or later for version 7
Wind River VxWorks 653 Platform/Platform for Safety Critical ARINC 653 | 2.4               | 6.7.1.1, 6.8.3, 6.9.4.4, and February 13 2015 or later for version 7
Schneider Electric SAGE 1210 RTU                                       | All versions      | No fix (EOL)
Schneider Electric SAGE 1230 RTU                                       | All versions      | No fix (EOL)
Wind River VxWorks 653 Platform/Platform for Safety Critical ARINC 653 | 2.3               | 6.7.1.1, 6.8.3, 6.9.4.4, and February 13 2015 or later for version 7
Remediation & Mitigation
Do now
  • HARDENING: Enable SAGE RTU built-in security features to encrypt and authenticate network traffic
  • HARDENING: Enforce strong passwords on all RTU administrative accounts
  • HARDENING: Implement extensive logging and monitoring of network traffic to and from RTUs
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Apply Schneider Electric patch C3414-500-S02YZ (Secure Firmware Version J2) to CPU card C3414 LX-800 in affected SAGE RTUs
  • HOTFIX: Contact Schneider Electric at 1-713-920-6832 for patches and mitigation for SAGE RTU models without released patches
Mitigations - no patch available
The following products have reached End of Life with no planned fix (all versions affected):
  • Schneider Electric SAGE 1210 RTU
  • Schneider Electric SAGE 1230 RTU
  • Schneider Electric SAGE 1250 RTU
  • Schneider Electric SAGE 1310 RTU
  • Schneider Electric SAGE 1330 RTU
  • Schneider Electric SAGE 1350 RTU
  • Schneider Electric SAGE 2200 RTU
  • Schneider Electric SAGE 2300 RTU
  • Schneider Electric SAGE 3030 RTU
  • Schneider Electric SAGE 1410 RTU
  • Schneider Electric SAGE 1430 RTU
  • Schneider Electric SAGE 1450 RTU
  • Schneider Electric SAGE 2400 RTU
  • Schneider Electric SAGE 3030 Magnum RTU
  • Schneider Electric SAGE LANDAC2 Upgrade Kit
Apply the following compensating controls:
  • HARDENING: Segment RTU networks behind firewalls and implement DMZs to restrict direct access from the business network and the Internet
  • HARDENING: Deploy bump-in-the-wire (inline) solutions to provide secure encrypted communication between field devices and the control center
  • HARDENING: Use a VPN for any required remote access to RTUs, and keep it at a current version