Zuken Elmic KASAGO uses insufficient random values for TCP Initial Sequence Numbers


Zuken Elmic KASAGO, TCP/IP protocol stack for embedded systems, uses its own random number generator function when generating TCP initial sequence numbers, which leads to use insufficient random values (CWE-330).

Zuken Elmic reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.9 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
Affected Products

  • KASAGO IPv4 prior to Ver6.0.1.34
  • KASAGO IPv4 Light prior to Ver6.0.1.34
  • KASAGO IPv6/v4 Dual prior to Ver6.0.1.34
  • KASAGO mobile IPv6 prior to Ver6.0.1.34


TCP initial sequence numbers may be derived; and ongoing TCP sessions may be hijacked or future TCP sessions may be spoofed.

[Update The Software]
Update to the latest version according to the information provided by the developer.
The developer states that this issue is fixed on Ver6.0.1.34.

Vendor Information

Panasonic Corporation ZUKEN ELMIC,INC
CWE (What is CWE?)

  1. Use of Insufficiently Random Values(CWE-330) [Other]
CVE (What is CVE?)

  1. CVE-2022-43501

  1. JVN : JVNVU#99551468
Revision History

  • [2023/02/13]
      Web page was published