Vigil@nce - Wind River VxWorks: guessable TCP sequence numbers
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can guess the TCP sequence number of the Wind River
VxWorks IP stack, in order to kill connections or hijack them.
Impacted products: VxWorks.
Severity: 2/4.
Creation date: 19/06/2015.
DESCRIPTION OF THE VULNERABILITY
The Wind River VxWorks product includes an IP stack.
The two endpoints of a TCP connection track the state of the
exchange using the sequence numbers carried in the TCP packets.
However, the sequence numbers selected by the IP stack of VxWorks
are guessable. An attacker who can guess them can, without
needing to intercept the normal traffic, close the connection or
insert their own packets into the connection, for instance after
the authentication phase.
An attacker can therefore guess the TCP sequence number of the
Wind River VxWorks IP stack, in order to kill connections or
hijack them.
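
The following Python sketch is an added example, not code from the bulletin or from Wind River. It contrasts a constructed fixed-step counter (an assumption for illustration; the bulletin does not describe how VxWorks chooses its numbers) with the RFC 6528 scheme, ISN = M + F(4-tuple, secret), and measures how often a simple extrapolation lands near the next initial sequence number. All class and function names, addresses and ports are hypothetical.

```python
import hashlib, hmac, os, socket, struct

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap

class CounterISN:
    """Constructed weak generator: one global counter, fixed step per connection."""
    def __init__(self, start=0x1000, step=64000):
        self.value, self.step = start, step
    def next(self, four_tuple, now_us):
        self.value = (self.value + self.step) & MASK
        return self.value

class Rfc6528ISN:
    """RFC 6528: ISN = M + F(4-tuple, secret), M being a 4-microsecond timer."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # per-boot secret, never exposed
    def next(self, four_tuple, now_us):
        lip, lport, rip, rport = four_tuple
        msg = (socket.inet_aton(lip) + socket.inet_aton(rip)
               + struct.pack("!HH", lport, rport))
        # F is a keyed PRF; HMAC-SHA256 truncated to 32 bits is used here.
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        f = struct.unpack("!I", digest[:4])[0]
        return ((now_us // 4) + f) & MASK

def guessable_fraction(isns, window=65535):
    """Share of ISNs that 'previous + previous delta' predicts within +/- window."""
    hits = 0
    for i in range(2, len(isns)):
        guess = (2 * isns[i - 1] - isns[i - 2]) & MASK
        err = (isns[i] - guess) & MASK
        if min(err, MASK + 1 - err) <= window:  # distance modulo 2**32
            hits += 1
    return hits / max(1, len(isns) - 2)

def sample(gen, n=200):
    """Constructed traffic: n connections from distinct client ports, 10 ms apart."""
    return [gen.next(("192.0.2.10", 23, "198.51.100.7", 40000 + i),
                     1_000_000 + i * 10_000) for i in range(n)]

if __name__ == "__main__":
    print("fixed-step counter:", guessable_fraction(sample(CounterISN())))
    print("RFC 6528 scheme   :", guessable_fraction(sample(Rfc6528ISN())))
```

The same measurement can be applied to initial sequence numbers recorded from a device under test; a fraction close to 1 means an off-path party could place forged segments inside the receive window.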
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Wind-River-VxWorks-guessable-TCP-sequence-numbers-17181