From xforce@iss.net Fri Dec 11 16:08:40 1998
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Fri, 11 Dec 1998 10:45:46 -0500 (EST)
Subject: ISSalert: ISS Security Advisory: ICMP Redirects Against Embedded Controllers

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
December 10, 1998

ICMP Redirects Against Embedded Controllers


***** WARNING *****

This advisory pertains to an indeterminant class of networked embedded
controllers and processors.  Because embedded controllers are found in a
wide variety of automation equipment, manufacturing equipment, HVAC
(Heating, Ventilation, and Air Conditioning) equipment, and medical
equipment, this vulnerability has the possibility of affecting human
health and safety.


Synopsis:

One or more operating systems, popular for use in intelligent embedded
controllers or PLCs (Programmed Logic Controllers), may have network
protocol stacks which are vulnerable to certain classes of ICMP Redirect
attacks.  Vulnerable controllers are prone to hang or shutdown shortly
after receiving the attacking packets.  The failure can extend even to
their non-network functionality and can cause the controlled equipment to
fail.  There exists a significant possibility of the controlled equipment
being left in a non-safe or inoperable condition, possibly leading to
physical damage.


Determining If You Are Vulnerable:

It can be difficult to reliably determine the type of embedded OS in use
on particular embedded controllers, or to positively ascertain which
controllers are vulnerable without directly executing the attack.
Unfortunately, executing the attack also creates the potential of causing
a failure in the controller.

Some versions of the OS-9 operating system are known to be affected by
this vulnerability.  OS-9 is a popular operating system used in many
embedded processors, intelligent automation controllers, and programmed
logic controllers (PLCs).  It has not been determined whether or not all
versions of OS-9 are affected.  Whether other embedded controller
operating systems are affected also remains undetermined at this time.

Microware, the developer and supplier of OS-9, has been informed of the
problem.

A list of specific brands of embedded controllers are not being released
at this time specifically to avoid the implication that any brands NOT on
the list are not vulnerable or that all models or versions of any 
particular brand either are or are not vulnerable.

Units which have not been tested for this vulnerability, or have not be
certified as safe by the manufacturer, should be treated as if vulnerable
until proven or certified safe.

Recommendations:

Where at all possible, do not permit equipment utilizing embedded 
controllers to be connected to a general-purpose TCP/IP network.

Where network connectivity is required, isolate all embedded controller
nodes to specific subnets with routers configured to block all ICMP
redirect traffic.

When possible, controllers should be tested for ICMP redirect 
vulnerabilities.  Testing of any units must assume that the unit may fail
in a non-safe condition.  Testing should only take place under conditions
which would not result in unsafe operation of the controlled equipment or
damage to the equipment or personnel.  Vulnerable units should be isolated
from the network, upgraded by the manufacturer, or replaced with units
which are not vulnerable.

Vulnerable units should not be permitted to control equipment engaged in
any activities related to human health and safety.  Vulnerable units also
should not control equipment which might be damaged should the controller
fail without warning.

All routers and gateways should be configured to prohibit propagation of
ICMP redirect packets.  The routine use of ICMP redirects outside of the
local subnet is extremely limited in normal practice.  The cost of
completely prohibiting the propagation of ICMP redirects between networks
or subnets is minimal when compared against the damage which can be caused
by these failures.


Additional Information:

This vulnerability was primarily researched by Michael H. Warfield of the
ISS X-Force. 

________

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert 
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this alert in
any other medium excluding electronic medium, please email xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition.  There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at:  http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:  X-Force
<xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNnE90zRfJiV99eG9AQE5iQQApbiLM3IxT/RB7ljsfcveZNXIVnvNaQUb
mpaaWOYVGfhd77UxyfwyHDyoEyoV0eg2tFoIMrGwQlkHKbmqiOcj8wXvuAhtKjxd
tQyMgFcEp/v6O2fBYawmkJIxfYQbxPyJnEpqz4fwZlVyn2ikxEYIC2vOBIj6V2dx
VLADEV4/D7U=
=vuy1
-----END PGP SIGNATURE-----