Embedded devices, especially those designed for long-lived industrial automation, are known to run a combination of in-house code and third-party code written at a time when software vulnerabilities were not as well understood as they are today. Significant flaws in shared components that hardware vendors have used extensively for many years therefore have widespread implications, and patching is not always an option.
This is highlighted by the findings of Forescout Research Labs and JFrog Security Research over the past year, which investigated TCP/IP stacks used in various IoT and other embedded systems. That work identified major flaws affecting millions of devices in reports such as Ripple20, NAME:WRECK, NUMBER:JACK and AMNESIA:33.
Their latest report, released today under the name INFRA:HALT, covers 14 critical- and high-severity vulnerabilities found in NicheStack, a proprietary TCP/IP stack that is widely used in operational technology (OT) devices from up to 200 vendors. These devices include programmable logic controllers (PLCs) such as the Siemens S7, which are components of industrial automation and are used in critical infrastructure sectors.
The TCP/IP stack has a huge attack surface
A TCP/IP stack, or Internet protocol suite, consists of implementations of common Internet protocols such as DNS, HTTP, FTP, ARP and ICMP. These allow the operating system and its applications to send and receive data over IP networks. Given the large number of protocols supported by these stacks and the variety of data and packet formats they parse, they expose a critical attack surface, much of which can be reached without authentication.
Industrial control devices traditionally communicated via serial interfaces, but with each passing year more of them are also equipped with Ethernet interfaces, and therefore with a TCP/IP stack, so they can communicate with regular computers and IT devices. Since many IoT devices these days run Linux, they use the Linux TCP/IP stack, which has been thoroughly scrutinized by security researchers and Linux kernel developers for over 30 years. Industrial control devices, however, tend to run their own real-time operating system (RTOS) with its own TCP/IP stack, and those stacks have gone through inconsistent version control, custom modifications and ownership changes. All of this complicates identifying vulnerable products and ultimately patching them.
NicheStack is a TCP/IP stack developed by a company called InterNiche Technologies, dating back to before 1996, and extended to support IPv6 in 2003. In 2016, InterNiche Technologies was acquired by another company called HCC Embedded, which now owns the stack.
“In the last two decades, the stack has been used by OEMs such as STMicroelectronics, Freescale (NXP), Altera (Intel) and Microchip on several (real-time) operating systems, or distributed in its own simple RTOS ‘flavor’ called NicheTask,” the Forescout researchers said in the report. “It also served as the basis for other TCP/IP stacks such as SEGGER’s emNet (formerly embOS/IP).”
Most of the 14 vulnerabilities discovered by the Forescout and JFrog researchers are out-of-bounds memory reads and writes caused by buffer overflows and unsafe parsing of packets for various protocols. They can be exploited via DNSv4, HTTP, TCP, ICMP or TFTP and lead to remote code execution (2 vulnerabilities) and denial of service (8 vulnerabilities).
Other flaws stem from predictable TCP initial sequence numbers (ISNs), insufficiently random DNS transaction IDs and predictable source port numbers for DNS queries, which enable attacks such as TCP spoofing and DNS cache poisoning. All vulnerabilities affect all versions of NicheStack prior to version 4.3, the latest version available at the time of the investigation.
The two remote code execution flaws are in the DNSv4 and HTTP implementations and are rated 9.8 and 9.1 on the CVSS scale, respectively, which places them in the critical range. The denial of service (DoS) issues are rated with severity scores of 7.5 or 8.2. Keep in mind, however, that in the context of industrial control systems the potential impact of DoS issues can be severe, depending on the type of industrial process controlled by the affected device.
For example, recovering from an attack that exploits these vulnerabilities, including the DoS ones, requires power-cycling the affected device. That means having physical access, Forescout’s vice president of research, Elisa Costante, told CSO. “This really makes it very impactful. Imagine if the device is offshore, at a substation or in oil mining.”
Vulnerability coordination hell
Coordinating the disclosure of the INFRA:HALT vulnerabilities took almost a year, much longer than the 90-day standard for software vulnerabilities. Forescout and JFrog Security Research contacted HCC Embedded about the flaws in September 2020 and also cooperated with the CERT Coordination Center (CERT/CC), Germany’s federal cybersecurity agency (BSI) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the US government’s Cybersecurity and Infrastructure Security Agency (CISA).
Still, identifying potentially affected devices and vendors is a very difficult and ongoing process. Using SHODAN search engine queries, the researchers found about 6,400 publicly accessible devices running NicheStack. Forescout also used its own database of millions of device fingerprints to identify 2,500 potentially vulnerable devices from 21 vendors. The most affected industries are process manufacturing, retail and discrete manufacturing, and about half of the identified devices were control systems in the energy and power industry.
However, this is far from the full impact of these flaws. According to the researchers, InterNiche’s legacy website, which is no longer online, listed about 200 device vendors as customers, including major OT vendors such as Siemens, Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation and Schneider Electric.
Although only a few vendors have published advisories so far, the actual number of affected devices is expected to reach millions, Costante said. “I think this research has affected the most diverse set of ICS vendors to date. […] However, there are not so many OT devices that are actually public, so it is a little difficult to get information about them.”
Forescout maintains a list of advisories on GitHub from vendors affected by its TCP/IP stack research, and this list will be updated with new advisories related to INFRA:HALT.
Visibility is required for mitigation
HCC Embedded has developed patches for the vulnerabilities, but they are only available on request to its customers, who are primarily device manufacturers. End users of affected products will have to wait for patches from their respective device manufacturers.
This is further complicated by the fact that not all vendors that have integrated this TCP/IP stack into their products over the years, especially smaller vendors, are likely to still have active support contracts with HCC Embedded. Some of the affected devices may also have reached end of support, in which case patches may never become available.
“Another question is whether asset owners know that patches are available, even if they are available, [because] you may not have all of your [affected] devices in inventory, so evaluating risk may not be as easy as it seems,” said Costante.
Forescout has developed an open source script that asset owners can use on their networks to discover devices running NicheStack or the other TCP/IP stacks in which the company found vulnerabilities in the past as part of a larger research effort dubbed Project Memoria. The company has also updated its commercial products to find affected devices and to detect exploitation attempts.
Another problem is planning patch deployment, because some of the affected devices control critical or always-on processes in factories and industrial facilities, or are deployed in remote locations, and cannot simply be shut down and updated outside a maintenance window. “Mitigation works better than patching for the majority of vendors, especially the minor vendors,” says Costante.
Forescout provides the following mitigation advice for the INFRA:HALT vulnerabilities.
- Implement segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched, or until they can be patched.
- Monitor progressive patches released by affected device vendors and devise a remediation plan for the vulnerable asset inventory that balances business risk and business continuity requirements.
- Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-days. Anomalous traffic should be blocked, or at the very least network operators should be alerted to its presence.
- Disable the DNSv4 client or block DNSv4 traffic if it is not needed. Using an internal DNS server may not be sufficient, because some of the vulnerabilities facilitate DNS spoofing attacks (an attacker may be able to hijack the request-response matching).
- Disable HTTP or whitelist HTTP connections if they are not needed.
- Monitor and block malformed IPv4/TCP and ICMPv4 packet traffic.
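The weak DNS transaction IDs and predictable source ports described earlier, and the reason the DNSv4 mitigation warns that an internal resolver alone is not enough, can be checked from the defender's side without any vendor tooling. The following script is an added example, not Forescout's script and not part of the report. It assumes that an asset owner has already extracted the (transaction ID, UDP source port) pairs from a capture of one client's outbound DNS queries (the parsing step is assumed, not shown); the two hypothetical clients `plc-weak` and `plc-ok`, their constructed observations and the 0.8 step threshold are all assumptions made for the example. A client whose IDs or ports advance by a fixed step, or never change, is flagged, because that is the pattern that makes request-response matching guessable.

```python
"""Audit observed DNS queries for predictable transaction IDs and source ports.

Added example (not Forescout's or HCC Embedded's code). Input is the list of
(txid, sport) pairs an asset owner can pull from a capture of one client's
outbound DNS queries; the extraction step is assumed to have happened already.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample observations (txid, source port) for two hypothetical clients.
# "plc-weak" models a stack that uses a sequential transaction ID and a fixed
# source port; "plc-ok" models values with no obvious structure.
SAMPLE_QUERIES: Dict[str, List[Tuple[int, int]]] = {
    "plc-weak": [(0x1000 + i, 1024) for i in range(20)],
    "plc-ok": [
        (0x8a3f, 53021), (0x12c4, 41877), (0xf1e0, 60210), (0x7b09, 34562),
        (0x0c5d, 58393), (0xa774, 49105), (0x3e9b, 39288), (0xd201, 61744),
        (0x5f68, 44931), (0x9bac, 55270), (0x2417, 36819), (0xe853, 50664),
        (0x6d2e, 58007), (0xb09f, 42318), (0x4c71, 63475), (0xf8d6, 37941),
        (0x1a2b, 46152), (0xc3e4, 59628), (0x7706, 40083), (0x9e15, 52790),
    ],
}


def _predictability(values: List[int]) -> Dict[str, float]:
    """Measure how constant-like or counter-like a sequence of 16-bit values is."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations")
    distinct_ratio = len(set(values)) / n
    # Step between consecutive values, modulo 2^16 so a wrap-around still counts as one step.
    deltas = [(b - a) % 0x10000 for a, b in zip(values, values[1:])]
    top_delta, top_count = Counter(deltas).most_common(1)[0]
    # Share of steps equal to the single most common step: 1.0 for a pure counter or a constant.
    step_ratio = top_count / len(deltas)
    return {"distinct_ratio": distinct_ratio, "step_ratio": step_ratio, "top_delta": top_delta}


def assess_dns_client(queries: List[Tuple[int, int]], step_threshold: float = 0.8) -> Dict[str, object]:
    """Classify one client's DNS query pattern.

    Both the transaction ID and the source port are judged on whether consecutive
    values repeat one fixed step (a counter, step != 0) or never change (a
    constant, step == 0). Either finding means request-response matching no
    longer depends on two unpredictable 16-bit values, which is the condition the
    DNSv4 mitigation above is worried about. The 0.8 threshold is an assumed
    heuristic that tolerates a few retransmissions or out-of-order captures.
    """
    txids = [t for t, _ in queries]
    sports = [s for _, s in queries]
    tx = _predictability(txids)
    sp = _predictability(sports)
    findings: List[str] = []
    if tx["step_ratio"] >= step_threshold:
        findings.append("txid constant" if tx["top_delta"] == 0 else f"txid counter (+{tx['top_delta']})")
    if sp["step_ratio"] >= step_threshold:
        findings.append("source port constant" if sp["top_delta"] == 0 else f"source port counter (+{sp['top_delta']})")
    return {"weak": bool(findings), "findings": findings, "txid": tx, "sport": sp}


def audit(samples: Dict[str, List[Tuple[int, int]]] = SAMPLE_QUERIES) -> Dict[str, Dict[str, object]]:
    """Run the assessment for every sampled client and return the results by host."""
    return {host: assess_dns_client(q) for host, q in samples.items()}


if __name__ == "__main__":
    for host, result in audit().items():
        print(f"{host}: {'WEAK' if result['weak'] else 'ok'} {result['findings']}")
```

Note that a counting transaction ID has a distinct ratio of 1.0, exactly like a random one, which is why the check looks at the step between consecutive values rather than at how many different values appear. A client flagged here is a candidate for the stronger mitigations in the list above (disabling the DNSv4 client or blocking its DNS traffic at the zone boundary) rather than for relying on an internal resolver.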
Copyright © 2021 IDG Communications, Inc.
Serious flaws in a wide range of embedded TCP/IP stacks endanger industrial control devices
https://www.csoonline.com/article/3627595/serious-flaws-in-widespread-embedded-tcp-ip-stack-endanger-industrial-control-devices.html#tk.rss_all