[Japanese]

JVNDB-2023-001215

Zuken Elmic KASAGO uses insufficient random values for TCP Initial Sequence Numbers

Overview

Zuken Elmic KASAGO, TCP/IP protocol stack for embedded systems, uses its own random number generator function when generating TCP initial sequence numbers, which leads to use insufficient random values (CWE-330).

Zuken Elmic reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.9 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
Affected Products


ZUKEN ELMIC,INC
  • KASAGO IPv4 prior to Ver6.0.1.34
  • KASAGO IPv4 Light prior to Ver6.0.1.34
  • KASAGO IPv6/v4 Dual prior to Ver6.0.1.34
  • KASAGO mobile IPv6 prior to Ver6.0.1.34

Impact

TCP initial sequence numbers may be derived; and ongoing TCP sessions may be hijacked or future TCP sessions may be spoofed.
Solution

[Update The Software]
Update to the latest version according to the information provided by the developer.
The developer states that this issue is fixed on Ver6.0.1.34.

Vendor Information

Panasonic Corporation ZUKEN ELMIC,INC
CWE (What is CWE?)

  1. Use of Insufficiently Random Values(CWE-330) [Other]
CVE (What is CVE?)

  1. CVE-2022-43501
References

  1. JVN : JVNVU#99551468
Revision History

  • [2023/02/13]
      Web page was published

Date Public2023/02/10
Date First Published2023/02/13
Date Last Updated2023/05/18