CVE-2015-3963Use of Insufficiently Random Values in Vxworks

CWE-330Use of Insufficiently Random Values3 documents3 sources
Severity
5.8MEDIUMNVD
EPSS
3.0%
top 13.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Windriver Vxworks
Timeline
PublishedAug 4
Latest updateMay 13

Description

Wind River VxWorks before 5.5.1, 6.5.x through 6.7.x before 6.7.1.1, 6.8.x before 6.8.3, 6.9.x before 6.9.4.4, and 7.x before 7 ipnet_coreip 1.2.2.0, as used on Schneider Electric SAGE RTU devices before J2 and other devices, does not properly generate TCP initial sequence number (ISN) values, which makes it easier for remote attackers to spoof TCP sessions by predicting an ISN value.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

NVDwindriver/vxworks6.76.7.1.1+7

Patches

Patch: www.schneider-electric.comPatch: www.schneider-electric.com

🔴Vulnerability Details

2
GHSA
GHSA-76ph-2hxx-gxwj: Wind River VxWorks before 52022-05-13
CVEList
CVE-2015-3963: Wind River VxWorks before 52015-08-04
CVE-2015-3963 — Use of Insufficiently Random Values | cvebase