Wind River VxWorks patches some TCP sequence spoofing bugs
1995 called, wants its vulnerability back
Intel-owned embedded software outfit Wind River has been caught with an embarrassing bug in its VxWorks OS.
According to the ICS-Cert advisory, the bug's only been identified in kit from Schneider Electric at this stage. It relates to how various VxWorks versions handle their TCP flows.
Discovered by a bunch of researchers from NEETRAC at Georgia Tech, the vulnerability affects VxWorks Version 7 older than February 13, 2015; version 6.9 releases lower than 18.104.22.168, version 6.8 releases lower than 6.8.3, version 6.7 releases lower than 22.214.171.124, and most releases prior to version 6.6.
What's embarrassing is that the vulnerability permits one of the oldest-known attacks on the Internet: a TCP spoofing attack.
As various RFCs note (here's one from 2007, for example), TCP has always been susceptible to being sent packets with faked source addresses, because endpoints tend to trust the packets they receive.
During the 1990s, most operating systems got TCP stacks that randomised initial TCP sequences to get around spoofing, and that's the mistake that Wind River has made.
“The VxWorks software generates predictable TCP initial sequence numbers,” the advisory says, “that may allow an attacker to predict the TCP initial sequence numbers from previous values”.
As well as Schneider Electric, other as-yet-unnamed vendors use vulnerable kit, and ICS-Cert says it will update the list of affected products once vendors publish their patches.
While Wind River has patched the vuln for supported versions of its software, end-of-life versions will not be patched. Options are being discussed with OEMs, the advisory says. ®