From xforce@iss.net Fri Dec 11 16:08:40 1998 From: X-Force To: alert@iss.net Cc: X-Force Date: Fri, 11 Dec 1998 10:45:46 -0500 (EST) Subject: ISSalert: ISS Security Advisory: ICMP Redirects Against Embedded Controllers -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory December 10, 1998 ICMP Redirects Against Embedded Controllers ***** WARNING ***** This advisory pertains to an indeterminant class of networked embedded controllers and processors. Because embedded controllers are found in a wide variety of automation equipment, manufacturing equipment, HVAC (Heating, Ventilation, and Air Conditioning) equipment, and medical equipment, this vulnerability has the possibility of affecting human health and safety. Synopsis: One or more operating systems, popular for use in intelligent embedded controllers or PLCs (Programmed Logic Controllers), may have network protocol stacks which are vulnerable to certain classes of ICMP Redirect attacks. Vulnerable controllers are prone to hang or shutdown shortly after receiving the attacking packets. The failure can extend even to their non-network functionality and can cause the controlled equipment to fail. There exists a significant possibility of the controlled equipment being left in a non-safe or inoperable condition, possibly leading to physical damage. Determining If You Are Vulnerable: It can be difficult to reliably determine the type of embedded OS in use on particular embedded controllers, or to positively ascertain which controllers are vulnerable without directly executing the attack. Unfortunately, executing the attack also creates the potential of causing a failure in the controller. Some versions of the OS-9 operating system are known to be affected by this vulnerability. OS-9 is a popular operating system used in many embedded processors, intelligent automation controllers, and programmed logic controllers (PLCs). It has not been determined whether or not all versions of OS-9 are affected. Whether other embedded controller operating systems are affected also remains undetermined at this time. Microware, the developer and supplier of OS-9, has been informed of the problem. A list of specific brands of embedded controllers are not being released at this time specifically to avoid the implication that any brands NOT on the list are not vulnerable or that all models or versions of any particular brand either are or are not vulnerable. Units which have not been tested for this vulnerability, or have not be certified as safe by the manufacturer, should be treated as if vulnerable until proven or certified safe. Recommendations: Where at all possible, do not permit equipment utilizing embedded controllers to be connected to a general-purpose TCP/IP network. Where network connectivity is required, isolate all embedded controller nodes to specific subnets with routers configured to block all ICMP redirect traffic. When possible, controllers should be tested for ICMP redirect vulnerabilities. Testing of any units must assume that the unit may fail in a non-safe condition. Testing should only take place under conditions which would not result in unsafe operation of the controlled equipment or damage to the equipment or personnel. Vulnerable units should be isolated from the network, upgraded by the manufacturer, or replaced with units which are not vulnerable. Vulnerable units should not be permitted to control equipment engaged in any activities related to human health and safety. Vulnerable units also should not control equipment which might be damaged should the controller fail without warning. All routers and gateways should be configured to prohibit propagation of ICMP redirect packets. The routine use of ICMP redirects outside of the local subnet is extremely limited in normal practice. The cost of completely prohibiting the propagation of ICMP redirects between networks or subnets is minimal when compared against the damage which can be caused by these failures. Additional Information: This vulnerability was primarily researched by Michael H. Warfield of the ISS X-Force. ________ Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNnE90zRfJiV99eG9AQE5iQQApbiLM3IxT/RB7ljsfcveZNXIVnvNaQUb mpaaWOYVGfhd77UxyfwyHDyoEyoV0eg2tFoIMrGwQlkHKbmqiOcj8wXvuAhtKjxd tQyMgFcEp/v6O2fBYawmkJIxfYQbxPyJnEpqz4fwZlVyn2ikxEYIC2vOBIj6V2dx VLADEV4/D7U= =vuy1 -----END PGP SIGNATURE-----