Safeguarding Civilization - Ripple20: What You Need to Know (PowerPoint PPT Presentation)

  1. INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY - SAFEGUARDING CIVILIZATION - RIPPLE20: WHAT YOU NEED TO KNOW - REID WIGHTMAN & KATE VAJDA

  2. Vulnerability Researchers
  Reid Wightman
  • Principal Vulnerability Analyst
  • Embedded systems
  • Lead exploitation
  • Does the hard work
  • Fancy home lab
  Kate Vajda
  • Senior Vulnerability Analyst
  • Sys & network admin
  • Penetration tester
  • Tags along
  • Growing home lab

  3. What you need to know. Key takeaways for the following:
  • Devices Impacted: devices that rely on the Treck TCP/IP stack
  • JSOF's Findings: https://www.jsof-tech.com/ripple20/
  • Prevention Strategy: strategies for blocking malicious targeting
  • Mitigation Tactics: strategies for mitigating the associated risks
  • Research Implications: what this means for the community

  4. Vulnerabilities identified in Treck TCP/IP Stack
  JSOF Research Team White Paper
  • Released with demo
  • Focused on 2 of the 19 vulns
  • JSOF talk tomorrow (8/5) at Black Hat
  Vendor Coordination
  • Several vendors list which devices are affected and, more importantly, how they are affected
  • DoS or RCE?
  Device identification
  • Embedded systems with no native IP stack
  • Not so easy to detect all identified vulns (see 'fixed dates' in the JSOF advisory)
  • Many CPU and even 'overall device' architectures

  5. The Bugs
  • The "Treck TCP/IP" stack is really an IP stack
  • The 'big' bugs (3) have memory corruption as an outcome
  • The 'more minor' bugs (16) result in out-of-bounds reads / memory leaks
  • Impacts vary by device; some bugs were fixed or semi-fixed years ago, according to JSOF

  6. Devices with Treck TCP/IP stack. Each device needs to be investigated. Devices and systems include:
  • Storage devices
  • Medical devices
  • Printers
  • Switches
  • Power supplies
  • Wireless modules
  • Sensors
  • Control servers
  • RTOS
  • Relays
  • Remote terminal units

  7. Devices Tested. A subset of the affected devices; these are currently part of our research for the Ripple20 vulnerabilities. These devices live in our home labs.
  • APC SmartUPS: network-controlled uninterruptible power supply
  • Digi Connect Wi ME 9210: embedded wireless network interface
  • SCADAPACK 32P RTU: programmable remote terminal unit
  • ABB REF615: feeder protection and control device

  8. Generic PLC Architecture (diagram)
  Sensors / sensor data -> Input Module (with CPU) -> Processing Unit (control logic / protection logic) -> Output Module (with CPU) -> Actuators
  Network Card [optional] (with CPU): the Ripple20 bugs live here
  Serial / direct connection to the Programming PC and data collection systems

  9. Generally, Ethernet processors

  10. Deep dive into APC SmartUPS
  • Devices inspected: Smart-UPS with 963X-series Ethernet cards
  • Cards run the uC/OS-II operating system with the Treck stack on an ASIC (x86-ish; possibly RDC C62xx-series DSP)
  • Cards communicate with the UPS board, including 'lights out' type management (more later)

  11. Deep dive into APC SmartUPS

  12. Deep dive into APC SmartUPS
  • 963X cards support: SNMP, BACnet, Modbus/TCP
  • BACnet allows 'shutting the UPS off' by design
  • Modbus/TCP allows poweroff on SOME UPS models (not SmartUPS, though)

  13. Deep dive into APC SmartUPS

  14. Deep dive into APC SmartUPS

  15. Deep dive into APC SmartUPS

  16. Deep dive into APC SmartUPS

  17. Deep dive into APC SmartUPS (diagram)
  Ethernet (BACnet, Modbus/TCP, SNMP) -> AP963X Network Card <-- CAN --> Smart-UPS (relays, RMS)

  18. Deep dive into APC SmartUPS. Summary:
  • Crashing the 963x != disabling UPS protection
  • Remotely powering the UPS off/on is a design feature of BACnet (all models) and Modbus (some models)
  • Actually exploiting the bug to power off the device requires RE and learning the CAN commands (or calling the firmware functions)
  • Before freaking out, keep these things in mind

  19. Shallow dive into Digi Connect Wi ME 9210
  • Serial converter; requires the device maker to modify the firmware
  • Device has an ARM processor running "NET+OS"
  • Default firmware provides access to UDP/2362 (Digi Discovery Protocol)
  • Only device (so far) reported to be vulnerable to CVE-2020-11896 for RCE
  • h/t to Finite State for walking us through the device firmware

  20. Deep dive into Digi Connect Wi ME 9210 (diagram)
  Ethernet -> Wi-ME 9210 -> Serial -> Industrial Product. Serial I/O (more likely): user-written ICS protocols, direct serial protocol access

  21. Deep dive into Schneider Electric SCADAPack RTU
  • All SCADAPack 32 RTUs affected
  • Device inspected: SCADAPack 32 P4
  • Runs on an SH-3 CPU / unknown OS
  • Logic and Ethernet on one set of firmware

  22. Deep dive into Schneider Electric SCADAPack RTU

  23. Deep dive into Schneider Electric SCADAPack RTU (diagram)
  Components: SH-3 (main processor), IO boards, Ethernet, unknown (ISA), I/O
  Network services: Modbus/TCP, project access; other protocols (really, who cares, because <--)

  24. Deep dive into Schneider Electric SCADAPack RTU
  • Logic transfer is done using Modbus/TCP (proprietary function code)
  • No security on project transfer
  • Check out our device ->

  25. Deep dive into Schneider Electric SCADAPack RTU. Network services:
  • Modbus TCP (TCP/502)
  • Modbus RTU (UDP/49152)
  • Modbus ASCII (UDP/49153)
  • DNP requires activation (TCP/20000 and UDP/20000)
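Slides 24 and 25 make the defender's point: on the SCADAPack the logic/project transfer rides on plain Modbus/TCP (TCP/502) using a proprietary function code, with no authentication. Since there is no way to add security to the transfer itself, the practical control is to watch for it. The following is an added example (not code from the talk, from Dragos, or from Schneider Electric) of a passive Modbus/TCP inspector: it parses the MBAP header and PDU, and flags function codes in the Modbus specification's user-defined ranges (65-72 and 100-110, where vendors place proprietary services) and standard write functions when they come from a host that is not on an engineering-workstation allow-list. The allow-list address, the choice of function code 69 for the sample transfer (the SCADAPack's real code is not given on the slide) and the frames themselves are constructed for the example; the Modbus RTU/ASCII-over-UDP services on 49152/49153 are CRC/LRC framed rather than MBAP framed and are not covered here.

```python
"""Passive Modbus/TCP inspector for spotting unauthenticated project/logic
transfers (added example, not the deck's or the vendor's code)."""
import struct

# Modbus application protocol: standard write functions, and the two
# user-defined ranges where vendors put proprietary services.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))

# Hypothetical allow-list: the only host that may push logic to the RTU.
ENGINEERING_HOSTS = {"10.0.1.100"}


def parse_mbap(frame):
    """Split one Modbus/TCP frame into MBAP fields + PDU; raise on bad framing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # MBAP length counts unit id + function code + data.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def inspect(src, frame):
    """Return (severity, message) for one frame sent by src to the RTU."""
    try:
        m = parse_mbap(frame)
    except ValueError as err:
        return "alert", f"malformed Modbus/TCP from {src}: {err}"
    fc = m["function"]
    if fc & 0x80:
        return "info", f"exception response for function {fc & 0x7F}"
    trusted = src in ENGINEERING_HOSTS
    if fc in USER_DEFINED:
        # A proprietary function from an unknown host is the interesting case:
        # on this RTU it is how logic gets loaded, and nothing authenticates it.
        return ("info" if trusted else "alert"), (
            f"user-defined function {fc} from {src} ({len(m['data'])} bytes): "
            "possible logic/project transfer")
    if fc in WRITE_FUNCTIONS:
        return ("info" if trusted else "warn"), f"write function {fc} from {src}"
    return "info", f"read function {fc} from {src}"


def mb_frame(tid, unit, function, data=b""):
    """Build a Modbus/TCP frame: MBAP (tid, pid=0, length, unit) + PDU."""
    return struct.pack("!HHHB", tid, 0, 2 + len(data), unit) + bytes([function]) + data


# Constructed sample traffic (source address, frame) as a sensor would see it.
SAMPLES = [
    ("10.0.1.50", mb_frame(1, 1, 3, struct.pack("!HH", 0, 10))),                # read holding registers
    ("10.0.1.50", mb_frame(2, 1, 16, struct.pack("!HHB", 0, 1, 2) + b"\x00\x01")),  # write from non-engineering host
    ("10.0.1.100", mb_frame(3, 1, 69, b"\x00\x10" + b"\xaa" * 16)),             # user-defined code, allowed host
    ("192.0.2.7", mb_frame(4, 1, 69, b"\x00\x10" + b"\xaa" * 16)),              # same, unknown host
    ("192.0.2.7", b"\x00\x05\x00\x00\x00\x99\x01\x03"),                         # MBAP length lies about the size
]


def run(samples=SAMPLES):
    """Inspect every sample; returns the list of (severity, message)."""
    return [inspect(src, frame) for src, frame in samples]


if __name__ == "__main__":
    for severity, message in run():
        print(f"{severity:5s} {message}")
```

Feeding this from a live tap means reassembling the TCP stream first; the inspector above takes one complete frame at a time, which is also what a Suricata or Zeek signature operates on.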

  26. Deep dive into ABB REF615
  • Odd hybrid network architecture
  • CPU looks like a PowerQUICC (haven't got the main board out yet, though!)
  • Ethernet appears to be a separate board, but...

  27. Deep dive into ABB REF615

  28. Deep dive into ABB REF615 (diagram)
  Ethernet (Modbus/TCP, DNP3, 61850, PTP) -> REF615 Network Card (with PTP chip) -> passthrough -> REF615 Controller Board (serial, raw I/O)

  29. Deep dive into ABB REF615
  • One of the more worrisome vulnerable products, strangely
  • Protection logic is updated via FTP
  • Crashing the device may impact its ability to protect against electrical issues; the memory leaks are actually useful
  • No immediate impact from this loss, but as part of a coordinated effort... could be bad

  30. Deep dive into Opto22 SNAP-PAC-S1
  • Opto22 SNAP-PAC-S1: all versions
  • Coldfire / Motorola CPU
  • Also same processing

  31. Deep dive into Opto22 SNAP-PAC-S1

  32. Deep dive into Opto22 SNAP-PAC-S1 (diagram)
  Ethernet (direct memory access, IEEE-1394 over TCP; other protocols: really, who cares, because <--) -> Opto-22 IO Module -> Serial? -> I/O

  33. Deep dive into Opto22 SNAP-PAC-S1. Direct memory access: the software even gives you the addresses!

  34. Deep dive into Opto22 SNAP-PAC-S1. The device can be restarted through the OptoMMP protocol; no authentication necessary.

  35. Deep dive into Opto22 SNAP-PAC-S1. Ports open:
  • FTP (TCP/21)
  • OptoMMP (TCP/2001)
  • SNMP (UDP/161)
  • Direct memory access
  • Use IP filters

  36. Impact Summary

  Device          Loss of View   Loss of Control                  Notes
  APC Smart-UPS   Total          'Soft' loss                      Configurable to allow unauthenticated control
  Wi-ME 9210      Total          N/A (in most systems, 'Soft')
  SCADAPack       Total          'Hard' loss                      Insecure by design
  Opto22          Total          'Hard' loss                      Insecure by design
  REF615          Total          'Hard' loss                      Device has actual security

  37. Current detection strategy for Ripple20
  Active
  • Scanning for vulnerable devices (OS fingerprinting)
  • Verify vulnerability: https://github.com/LubyRuffy/FingerPrinting-Ripple20
  • Nmap too
  Reversing
  • Firmware static analysis for incorporated functions
  Passive
  • Passive signatures (Dragos Platform!)
  • Suricata: https://github.com/CERTCC/PoC-Exploits/blob/master/vu-257161/vu-257161.rules
  • Zeek rules: https://github.com/corelight/ripple20

  38. Prevention Strategy
  Block IP-over-IP
  • Restricts the easy 'denial of service' vuln
  • Three severe vulnerabilities are blocked by preventing IP-over-IP, IPv6, and DNS
  Block or restrict DNS
  • If absolutely required, configure the control-system DNS servers to only allow forwarding of requests for your own domain
  Restrict other services
  • The majority of the vulns are in DNS, DHCP, and ICMP processing. Most are memory leaks, which are not as useful to ICS attackers
  • The remaining vulns are less severe and are blocked by restricting ICMP, 6to4, and DHCP; however, in most ICS these remaining vulns are not useful to an attacker
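The prevention strategy on slide 38 is a boundary policy: drop IP-over-IP and 6to4 encapsulation outright, let DNS reach only an approved resolver, and keep ICMP and DHCP under review. The block below is an added example (not code from the talk or from Dragos) that expresses that policy as a small IPv4 classifier, so that the policy can be checked against captured packets before it is pushed to a firewall: it parses the IPv4 header by hand, keys on IP protocol 4 (IP-in-IP) and 41 (IPv6-in-IPv4, which is what 6to4 uses on the wire), and on UDP ports 53, 67 and 68, and refuses to guess ports on a non-first fragment, where no UDP header is present. The approved resolver address and the packets are constructed for the example; checksums are not computed or verified.

```python
"""Ripple20 boundary policy as a packet classifier (added example; the
addresses, policy table and packets are constructed for illustration)."""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 1, 4, 6, 17, 41
DNS_PORT = 53
DHCP_PORTS = {67, 68}

# Hypothetical: the only resolver the control-system zone may talk to.
APPROVED_RESOLVERS = {"10.0.0.53"}


def parse_ipv4(pkt):
    """Return the header fields the policy needs, or None if not a usable IPv4 packet."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "frag_offset": frag & 0x1FFF,
        "payload": pkt[ihl:],
    }


def udp_ports(payload):
    """(sport, dport) from a UDP header, or None if truncated."""
    if len(payload) < 8:
        return None
    sport, dport, _length, _csum = struct.unpack("!HHHH", payload[:8])
    return sport, dport


def classify(pkt):
    """Apply the slide-38 policy to one raw IPv4 packet: (verdict, reason)."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "drop", "not IPv4 / truncated header"
    proto = hdr["proto"]
    if proto == IPPROTO_IPIP:
        return "drop", "IP-over-IP encapsulation (protocol 4)"
    if proto == IPPROTO_IPV6:
        return "drop", "IPv6-in-IPv4 / 6to4 encapsulation (protocol 41)"
    if proto == IPPROTO_ICMP:
        return "log", "ICMP: restrict to what the process needs"
    if hdr["frag_offset"]:
        # Only the first fragment carries the transport header; do not
        # guess ports from payload bytes, reassemble and decide then.
        return "log", "non-first fragment: ports unknown until reassembly"
    if proto == IPPROTO_UDP:
        ports = udp_ports(hdr["payload"])
        if ports is None:
            return "drop", "truncated UDP header"
        sport, dport = ports
        if DNS_PORT in (sport, dport):
            if hdr["dst"] in APPROVED_RESOLVERS or hdr["src"] in APPROVED_RESOLVERS:
                return "allow", "DNS with approved resolver"
            return "drop", "DNS with unapproved resolver"
        if sport in DHCP_PORTS or dport in DHCP_PORTS:
            return "log", "DHCP: prefer static addressing in the control zone"
    return "allow", "not covered by the Ripple20 policy"


def build_ipv4(proto, src, dst, payload, frag_offset=0):
    """Construct a minimal IPv4 packet (checksum left zero; parser ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      frag_offset & 0x1FFF, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed samples as seen at the control-zone boundary.
SAMPLES = {
    "ipip": build_ipv4(IPPROTO_IPIP, "192.0.2.10", "10.0.1.5",
                       build_ipv4(IPPROTO_UDP, "192.0.2.10", "10.0.1.5", build_udp(4444, 53))),
    "sixto4": build_ipv4(IPPROTO_IPV6, "192.0.2.10", "10.0.1.5", b"\x60" + b"\x00" * 39),
    "dns_ok": build_ipv4(IPPROTO_UDP, "10.0.1.5", "10.0.0.53", build_udp(50000, 53)),
    "dns_bad": build_ipv4(IPPROTO_UDP, "10.0.1.5", "192.0.2.53", build_udp(50000, 53)),
    "dns_frag": build_ipv4(IPPROTO_UDP, "192.0.2.53", "10.0.1.5", b"\x00" * 16, frag_offset=185),
    "modbus": build_ipv4(IPPROTO_TCP, "10.0.1.9", "10.0.1.5", b"\x00" * 20),
}


def audit(samples=SAMPLES):
    """Classify every sample; returns {name: (verdict, reason)}."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in audit().items():
        print(f"{name:9s} {verdict:5s} {reason}")
```

The same table translates directly into firewall rules (deny IP protocols 4 and 41 inbound to the control zone, permit UDP/53 only to the approved resolver); running captured traffic through the classifier first shows which existing flows the rules would break.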
