CVE-2015-3963 - Use of Insufficiently Random Values vulnerability in Wind River VxWorks

CVSS 5.8 - MEDIUM (CVSS v2 base; vector AV:N/AC:M/Au:N/C:N/I:P/A:P)
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: PARTIAL
Note that the Tenable plugins listed below carry the same 5.8 score with the vector AV:N/AC:M/Au:N/C:P/I:N/A:P, placing the partial impact on confidentiality rather than integrity.
Tags: network, windriver, CWE-330, nessus

Summary

Wind River VxWorks before 5.5.1, 6.5.x through 6.7.x before 6.7.1.1, 6.8.x before 6.8.3, 6.9.x before 6.9.4.4, and 7.x before 7 ipnet_coreip 1.2.2.0, as used on Schneider Electric SAGE RTU devices before J2 and other devices, does not properly generate TCP initial sequence number (ISN) values, which makes it easier for remote attackers to spoof TCP sessions by predicting an ISN value.
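The Nessus checks further down flag a device from its version string alone and say so themselves, so a practitioner who wants to know whether a given host actually has this weakness usually measures it: open a series of connections, record the ISN the host chose for each SYN-ACK, and see whether the next one can be guessed from the previous ones. The Python below is an added example that does the measurement side of that; it is not code from the advisory, from Wind River or from Tenable. Both ISN series in it are constructed in the file (one counter-style generator, one uniformly random one) so it runs offline, the `predictability_index` scale only approximates nmap's ISN difficulty index, and the `predictable` threshold in `analyze` is this example's own choice.

```python
"""Offline TCP ISN predictability check.

Added example, not part of the advisory or of Tenable's plugins.  Takes a
series of observed TCP initial sequence numbers (ISNs), looks at the deltas
between consecutive values, and reports how often a naive "last value plus
last delta" predictor would guess the next ISN.  The two ISN series below are
constructed here so the script runs offline; real samples would come from the
SYN-ACKs of repeated connections to the device under test.
"""
import math
import random
import statistics

MASK32 = 0xFFFFFFFF


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def predictability_index(isns):
    """Spread of the deltas on roughly the scale nmap uses for its ISN
    difficulty index (about 8 * log2 of the standard deviation): 0 means every
    delta is identical; a 32-bit random generator scores in the low hundreds."""
    signed = [d - (1 << 32) if d > (1 << 31) else d for d in isn_deltas(isns)]
    if len(set(signed)) <= 1:
        return 0
    sd = statistics.pstdev(signed)
    return int(round(8 * math.log2(sd))) if sd >= 1 else 0


def guess_next_isn(isns):
    """What a counter-assuming attacker predicts: last ISN plus last delta."""
    return (isns[-1] + isn_deltas(isns)[-1]) & MASK32


def hit_rate(isns, window=4, tolerance=0):
    """Share of ISNs the naive predictor gets within `tolerance` of the real
    value, using only the preceding `window` samples.  Completing a blind
    three-way handshake needs the exact value (tolerance 0); injecting into an
    established connection only needs the guess to land inside the receive
    window, which a larger tolerance models."""
    hits = trials = 0
    for i in range(window, len(isns)):
        guess = guess_next_isn(isns[i - window:i])
        err = min((isns[i] - guess) & MASK32, (guess - isns[i]) & MASK32)
        hits += err <= tolerance
        trials += 1
    return hits / trials if trials else 0.0


def analyze(isns, window=4):
    """Summarise a sample.  The 'predictable' threshold is this example's own
    choice, not a vendor or nmap figure."""
    idx = predictability_index(isns)
    rate = hit_rate(isns, window=window)
    return {"index": idx, "hit_rate": rate, "predictable": rate >= 0.5 or idx < 16}


def weak_isn_series(n, start=0x12345678, step=64000):
    """Constructed: counter-style generator with a fixed per-connection step,
    so each ISN follows from the previous ones as the advisory describes."""
    return [(start + i * step) & MASK32 for i in range(n)]


def strong_isn_series(n, seed=7):
    """Constructed: uniformly random 32-bit ISNs (seeded only so the run is
    reproducible)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for label, series in (("counter-style", weak_isn_series(32)),
                          ("random", strong_isn_series(32))):
        print(label, analyze(series))
```

To run it against a real device, replace the constructed series with the sequence numbers read from the SYN-ACK of, say, 32 consecutive connections to a listening port (a packet capture is enough; the ISN is the SYN-ACK's sequence field). A counter-style generator gives a hit rate near 1.0 and an index of 0; anything close to that is the behaviour the advisory describes, regardless of what the version string says.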

Common Weakness Enumeration (CWE)

  • CWE-330: Use of Insufficiently Random Values
Common Attack Pattern Enumeration and Classification (CAPEC)

  • Brute Force
    In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: Misc.
    NASL id: XEROX_XRX15AV.NASL
    description: According to its model number and software version, the remote Xerox WorkCentre 4260 / 4265 device is affected by multiple vulnerabilities : - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204) - A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000) - A TCP connection spoofing vulnerability exists due to weak TCP initial sequence number (ISN) generation. A man-in-the-middle attacker can exploit this to spoof TCP connections or cause a denial of service. (CVE-2015-3963) Note that the FREAK (CVE-2015-0204) vulnerability on WorkCentre 4260 was fixed in a prior release.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87326
    published: 2015-12-11
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87326
    title: Xerox WorkCentre 4260 / 4265 Multiple Vulnerabilities (XRX15AV) (FREAK) (Logjam)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87326);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/20");
    
      script_cve_id("CVE-2015-0204", "CVE-2015-3963", "CVE-2015-4000");
      script_bugtraq_id(71936, 74733, 75302);
      script_xref(name:"CERT", value:"243585");
    
      script_name(english:"Xerox WorkCentre 4260 / 4265 Multiple Vulnerabilities (XRX15AV) (FREAK) (Logjam)");
      script_summary(english:"Checks system software version of Xerox WorkCentre devices.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote multi-function device is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its model number and software version, the remote Xerox
    WorkCentre 4260 / 4265 device is affected by multiple
    vulnerabilities :
    
      - A security feature bypass vulnerability, known as FREAK
        (Factoring attack on RSA-EXPORT Keys), exists due to the
        support of weak EXPORT_RSA cipher suites with keys less
        than or equal to 512 bits. A man-in-the-middle attacker
        may be able to downgrade the SSL/TLS connection to use
        EXPORT_RSA cipher suites which can be factored in a
        short amount of time, allowing the attacker to intercept
        and decrypt the traffic. (CVE-2015-0204)
    
      - A man-in-the-middle vulnerability, known as Logjam,
        exists due to a flaw in the SSL/TLS protocol. A remote
        attacker can exploit this flaw to downgrade connections
        using ephemeral Diffie-Hellman key exchange to 512-bit
        export-grade cryptography. (CVE-2015-4000)
    
      - A TCP connection spoofing vulnerability exists due to
        weak TCP initial sequence number (ISN) generation. A
        man-in-the-middle attacker can exploit this to spoof TCP
        connections or cause a denial of service.
        (CVE-2015-3963)
    
    Note that the FREAK (CVE-2015-0204) vulnerability on WorkCentre 4260
    was fixed in a prior release.");
      # https://www.xerox.com/download/security/security-bulletin/1e9b7-5246c7996a40b/cert_Security_Mini-_Bulletin_XRX15AV_for_WC4260_WC4265_v1-02.pdf
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0b2b309a");
      script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak");
      script_set_attribute(attribute:"see_also", value:"https://weakdh.org/");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate cumulative update as described in the Xerox
    security bulletin in the referenced URL.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-3963");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/10/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/11");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:xerox:workcentre");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("xerox_workcentre_detect.nasl");
      script_require_keys("www/xerox_workcentre", "www/xerox_workcentre/model", "www/xerox_workcentre/ssw");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Get model and system software version
    model = get_kb_item_or_exit("www/xerox_workcentre/model");
    ver = get_kb_item_or_exit("www/xerox_workcentre/ssw");
    
    if (model =~ "^4260$")
      fix = "30.105.41.000";
    else if (model =~ "^4265$")
      fix = "50.003.11.000";
    else
      audit(AUDIT_HOST_NOT, "an affected Xerox WorkCentre model");
    
    if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_INST_VER_NOT_VULN, "Xerox WorkCentre " + model + " System SW", ver);
    
    if (report_verbosity > 0)
    {
      report =
        '\n  Model                             : Xerox WorkCentre ' + model +
        '\n  Installed system software version : ' + ver +
        '\n  Fixed system software version     : ' + fix + '\n';
      security_warning(port:0, extra:report);
    }
    else security_warning(0);
    
  • NASL family: Misc.
    NASL id: VXWORKS_CVE-2015-3963.NASL
    description: According to its self-reported version, the Wind River VxWorks remote device is potentially affected by a TCP predictability vulnerability that allows a man-in-the-middle attacker to predict the TCP initial sequence numbers based on previous values. This can be exploited to spoof or disrupt TCP connections, or to gain access to sensitive information. Note that Nessus has not checked for the presence of the patch so this finding may be a false positive.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84399
    published: 2015-06-25
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84399
    title: Wind River VxWorks TCP Predictability Vulnerability
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84399);
      script_version("1.7");
      script_cvs_date("Date: 2019/08/05  9:28:46");
    
      script_cve_id("CVE-2015-3963");
      script_bugtraq_id(75302);
      script_xref(name:"ICSA", value:"15-169-01");
      script_xref(name:"CERT", value:"498440");
    
      script_name(english:"Wind River VxWorks TCP Predictability Vulnerability");
      script_summary(english:"Checks the OS fingerprint.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VxWorks device is potentially affected by a TCP
    predictability vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Wind River VxWorks remote
    device is potentially affected by a TCP predictability vulnerability
    that allows a man-in-the-middle attacker to predict the TCP initial
    sequence numbers based on previous values. This can be exploited to
    spoof or disrupt TCP connections, or to gain access to sensitive
    information.
    
    Note that Nessus has not checked for the presence of the patch so this
    finding may be a false positive.");
      script_set_attribute(attribute:"solution", value:"Contact the device vendor for the appropriate patch.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/25");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:windriver:vxworks");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("os_fingerprint.nasl");
      script_require_keys("Settings/ParanoidReport", "Host/OS");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    os = get_kb_item_or_exit("Host/OS");
    if ("VxWorks" >!< os) audit(AUDIT_OS_NOT, "VxWorks");
    
    match = pregmatch(pattern:"VxWorks ([0-9][0-9.]*)", string:os);
    if (isnull(match)) exit(1, "Failed to identify the version of VxWorks.");
    version = match[1];
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    fix = NULL;
    patch = NULL;
    
    # Version 7, released prior to February 13, 2015
    if (version =~ "^7($|\.)")
    {
      fix = "7.0";
      patch = "ipnet_coreip 1.2.2.0";
    }
    # Version 6.9 releases prior to Version 6.9.4.4
    else if (version =~ "^6\.9($|\.)")
    {
      fix = "6.9.4.4";
    }
    # Version 6.8 releases prior to Version 6.8.3
    else if (version =~ "^6\.8($|\.)")
    {
      fix = "6.8.3";
    }
    # Version 6.7 releases prior to Version 6.7.1.1
    else if (version =~ "^6\.7($|\.)")
    {
      fix = "6.7.1.1";
    }
    # Version 6.6 and prior versions, but NOT to include Version 5.5.1
    # with PNE2.2 and Version 6.0 through Version 6.4.
    else if (version =~ "^6\.[56]($|\.)")
    {
      fix = "6.7.1.1";
    }
    else if (version =~ "^5\.5\.1$")
    {
      fix = "5.5.1";
      patch = "PNE2.2";
    }
    else if (ver_compare(ver:version, fix:"6.0", strict:FALSE) < 0)
    {
      fix = "6.7.1.1";
    }
    
    if (!isnull(fix) &&
        ((ver_compare(ver:version, fix:fix, strict:FALSE) < 0) ||
        (!isnull(patch) && ver_compare(ver:version, fix:fix, strict:FALSE) <= 0)))
    {
      if (report_verbosity > 0)
      {
        report =
          '\n    Version       : ' + version +
          '\n    Fixed Version : ' + fix +
          '\n';
        if (!isnull(patch))
          report += '    Patch         : ' + patch +
            '\n' +
            '\nNote that Nessus has not checked for the presence' +
            '\nof the patch so this finding may be a false positive.' +
            '\n';
        security_warning(port:0, extra:report);
      }
      else security_warning(0);
    }
    else audit(AUDIT_OS_RELEASE_NOT, "VxWorks", version);