CVE-2015-3963 : Wind River VxWorks before 5.5.1, 6.5.x through 6.7.x before 6.7.1.1, 6.8.x befor

Wind River VxWorks before 5.5.1, 6.5.x through 6.7.x before 6.7.1.1, 6.8.x before 6.8.3, 6.9.x before 6.9.4.4, and 7.x before 7 ipnet_coreip 1.2.2.0, as used on Schneider Electric SAGE RTU devices before J2 and other devices, does not properly generate TCP initial sequence number (ISN) values, which makes it easier for remote attackers to spoof TCP sessions by predicting an ISN value.

Published 2015-08-04 01:59:07

Updated 2025-04-12 10:46:41

Source ICS-CERT

View at NVD, CVE.org

Products affected by CVE-2015-3963

Windriver » Vxworks
Versions from including (>=) 6.7 and before (<) 6.7.1.1
cpe:2.3:o:windriver:vxworks:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A
Windriver » Vxworks
Versions from including (>=) 6.5 and up to, including, (<=) 6.6
cpe:2.3:o:windriver:vxworks:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A
Windriver » Vxworks
Versions from including (>=) 6.9 and before (<) 6.9.4.4
cpe:2.3:o:windriver:vxworks:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A
Windriver » Vxworks
Versions from including (>=) 6.8 and before (<) 6.8.3
cpe:2.3:o:windriver:vxworks:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A
Windriver » Vxworks » Version: 6.6.3 Cert Edition
cpe:2.3:o:windriver:vxworks:6.6.3:*:*:*:cert:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A
Windriver » Vxworks » Version: 6.6.4 Cert Edition
cpe:2.3:o:windriver:vxworks:6.6.4:*:*:*:cert:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A
Windriver » Vxworks » Version: 6.6.4.1 Cert Edition
cpe:2.3:o:windriver:vxworks:6.6.4.1:*:*:*:cert:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A
Windriver » Vxworks » Version: 7.0
cpe:2.3:o:windriver:vxworks:7.0:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Sage 1210 » Version: N/A
When used together with: Schneider-electric » Sage 1230 » Version: N/A
When used together with: Schneider-electric » Sage 1250 » Version: N/A
When used together with: Schneider-electric » Sage 1310 » Version: N/A
When used together with: Schneider-electric » Sage 1330 » Version: N/A
When used together with: Schneider-electric » Sage 1350 » Version: N/A
When used together with: Schneider-electric » Sage 1410 » Version: N/A
When used together with: Schneider-electric » Sage 1430 » Version: N/A
When used together with: Schneider-electric » Sage 1450 » Version: N/A
When used together with: Schneider-electric » Sage 2200 » Version: N/A
When used together with: Schneider-electric » Sage 2400 » Version: N/A
When used together with: Schneider-electric » Sage 3030 » Version: N/A
When used together with: Schneider-electric » Sage 3030 Magnum » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2015-3963

EPSS FAQ

3.73%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-3963

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.8	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:P	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2015-3963

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-3963

http://www.securitytracker.com/id/1033181

VxWorks Predictable TCP Sequence Number Generation Lets Remote Users Deny Service or Spoof Connections - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securitytracker.com/id/1032730

Schneider Electric SAGE Remote Terminal Unit Predictable TCP Sequence Numbers Let Remote Users Spoof TCP Connections - SecurityTracker
Third Party Advisory;VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-15-169-01

Wind River VXWorks TCP Predictability Vulnerability in ICS Devices (Update B) | CISA
Third Party Advisory;US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSA-15-169-01A

Wind River VXWorks TCP Predictability Vulnerability in ICS Devices (Update B) | CISA
Third Party Advisory;US Government Resource
http://www.schneider-electric.com/ww/en/download/document/SEVD-2015-162-01

Schneider Electric
Patch;Third Party Advisory
http://www.securityfocus.com/bid/75302

Wind River VxWorks CVE-2015-3963 Predictable TCP Initial Sequence Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://security.netapp.com/advisory/ntap-20160324-0001/

CVE-2015-3963 VxWorks Vulnerability impacting NetApp E-Series/EF-Series SANtricity OS Controller Firmware | NetApp Product Security
Third Party Advisory

Jump to

Vulnerability Details : CVE-2015-3963

Products affected by CVE-2015-3963

Exploit prediction scoring system (EPSS) score for CVE-2015-3963

CVSS scores for CVE-2015-3963

CWE ids for CVE-2015-3963

References for CVE-2015-3963