Date: Fri, 11 Dec 1998 10:45:46 -0500 (EST) From: X-Force To: alert@iss.net Cc: X-Force Subject: ISSalert: ISS Security Advisory: ICMP Redirects Against Embedded Controllers -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory December 10, 1998 ICMP Redirects Against Embedded Controllers ***** WARNING ***** This advisory pertains to an indeterminant class of networked embedded controllers and processors. Because embedded controllers are found in a wide variety of automation equipment, manufacturing equipment, HVAC (Heating, Ventilation, and Air Conditioning) equipment, and medical equipment, this vulnerability has the possibility of affecting human health and safety. Synopsis: One or more operating systems, popular for use in intelligent embedded controllers or PLCs (Programmed Logic Controllers), may have network protocol stacks which are vulnerable to certain classes of ICMP Redirect attacks. Vulnerable controllers are prone to hang or shutdown shortly after receiving the attacking packets. The failure can extend even to their non-network functionality and can cause the controlled equipment to fail. There exists a significant possibility of the controlled equipment being left in a non-safe or inoperable condition, possibly leading to physical damage. Determining If You Are Vulnerable: It can be difficult to reliably determine the type of embedded OS in use on particular embedded controllers, or to positively ascertain which controllers are vulnerable without directly executing the attack. Unfortunately, executing the attack also creates the potential of causing a failure in the controller. Some versions of the OS-9 operating system are known to be affected by this vulnerability. OS-9 is a popular operating system used in many embedded processors, intelligent automation controllers, and programmed logic controllers (PLCs). It has not been determined whether or not all versions of OS-9 are affected. Whether other embedded controller operating systems are affected also remains undetermined at this time. Microware, the developer and supplier of OS-9, has been informed of the problem. A list of specific brands of embedded controllers are not being released at this time specifically to avoid the implication that any brands NOT on the list are not vulnerable or that all models or versions of any particular brand either are or are not vulnerable. Units which have not been tested for this vulnerability, or have not be certified as safe by the manufacturer, should be treated as if vulnerable until proven or certified safe. Recommendations: Where at all possible, do not permit equipment utilizing embedded controllers to be connected to a general-purpose TCP/IP network. Where network connectivity is required, isolate all embedded controller nodes to specific subnets with routers configured to block all ICMP redirect traffic. When possible, controllers should be tested for ICMP redirect vulnerabilities. Testing of any units must assume that the unit may fail in a non-safe condition. Testing should only take place under conditions which would not result in unsafe operation of the controlled equipment or damage to the equipment or personnel. Vulnerable units should be isolated >from the network, upgraded by the manufacturer, or replaced with units which are not vulnerable. Vulnerable units should not be permitted to control equipment engaged in any activities related to human health and safety. Vulnerable units also should not control equipment which might be damaged should the controller fail without warning. All routers and gateways should be configured to prohibit propagation of ICMP redirect packets. The routine use of ICMP redirects outside of the local subnet is extremely limited in normal practice. The cost of completely prohibiting the propagation of ICMP redirects between networks or subnets is minimal when compared against the damage which can be caused by these failures. Additional Information: This vulnerability was primarily researched by Michael H. Warfield of the ISS X-Force. ________ Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNnE90zRfJiV99eG9AQE5iQQApbiLM3IxT/RB7ljsfcveZNXIVnvNaQUb mpaaWOYVGfhd77UxyfwyHDyoEyoV0eg2tFoIMrGwQlkHKbmqiOcj8wXvuAhtKjxd tQyMgFcEp/v6O2fBYawmkJIxfYQbxPyJnEpqz4fwZlVyn2ikxEYIC2vOBIj6V2dx VLADEV4/D7U= =vuy1 -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Date: Tue, 22 Dec 1998 13:16:47 +0000 From: Alan Cox Reply-To: Bugtraq List To: BUGTRAQ@netspace.org Subject: Re: your mail > It should be pointed out here that ICMP redirects are not the only > kinds of attacks which can be carried out against these devices. > > Our wonderful denial of service friends land, nestea, nestea2, et al, > can wreak havoc on these devices as well. > > Your best bet as a user of these devices is to impose very restrictive > filters, or insure that these systems are not vulnerable to all > of the attacks against IP stacks that have been discovered. A very large number of these embedded devices run the same two or three tcp stacks. Several of them hang when fed a zero length IP option (old KA9Q based). The other thing is nestea/nestea2 can be a pain. The tools may deliver them UDP but they can equally be delivered tcp at port 80, or the lpd port or other similar. This makes it quite hard to firewall Finally some impromptu testing with third parties indicates that the 'all embedded boxes have crashable tcp' theory extends to most of the beta/just being rolled out set top box internet devices from cable companies. Alan