Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Device (Embedded Server/Appliance)  >   Schneider Electric SAGE Remote Terminal Unit Vendors:   Schneider Electric
Schneider Electric SAGE Remote Terminal Unit Predictable TCP Sequence Numbers Let Remote Users Spoof TCP Connections
SecurityTracker Alert ID:  1032730
SecurityTracker URL:
CVE Reference:   CVE-2015-3963   (Links to External Site)
Updated:  Aug 4 2015
Original Entry Date:  Jun 26 2015
Impact:   Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): C3412, C3413, C3414 CPUs
Description:   A vulnerability was reported in Schneider Electric SAGE C3412/C3413/C3414 Remote Terminal Units. A remote user can spoof TCP connections in certain cases.

The system generates predictable TCP initial sequence numbers. A remote user that can conduct a man-in-the-middle attack to monitor sequence numbers and then predict future sequence numbers to spoof TCP connections.

The vulnerability resides in the VxWorks TCP stack component.

RTUs using C3412 and C3413 CPU cards are affected.

RTUs using C3414 CPUs with firmware versions prior to C3414-500-S02J2 are affected.

Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech reported this vulnerability.

Impact:   A remote user can spoof TCP connections to gain access to and modify data on the target system.
Solution:   The vendor has issued a fix (C3414-500-S02YZ - Secure Firmware version J2).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Randomization error

Message History:   None.

 Source Message Contents

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC