Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Fri, 11 Dec 1998 10:45:46 -0500 (EST)  
From: X-Force <xforce@iss.net>  
To: alert@iss.net  
Cc: X-Force <xforce@iss.net>  
Subject: ISSalert: ISS Security Advisory: ICMP Redirects Against Embedded Controllers  
ISS Security Advisory  
December 10, 1998  
ICMP Redirects Against Embedded Controllers  
***** WARNING *****  
This advisory pertains to an indeterminant class of networked embedded  
controllers and processors. Because embedded controllers are found in a  
wide variety of automation equipment, manufacturing equipment, HVAC  
(Heating, Ventilation, and Air Conditioning) equipment, and medical  
equipment, this vulnerability has the possibility of affecting human  
health and safety.  
One or more operating systems, popular for use in intelligent embedded  
controllers or PLCs (Programmed Logic Controllers), may have network  
protocol stacks which are vulnerable to certain classes of ICMP Redirect  
attacks. Vulnerable controllers are prone to hang or shutdown shortly  
after receiving the attacking packets. The failure can extend even to  
their non-network functionality and can cause the controlled equipment to  
fail. There exists a significant possibility of the controlled equipment  
being left in a non-safe or inoperable condition, possibly leading to  
physical damage.  
Determining If You Are Vulnerable:  
It can be difficult to reliably determine the type of embedded OS in use  
on particular embedded controllers, or to positively ascertain which  
controllers are vulnerable without directly executing the attack.  
Unfortunately, executing the attack also creates the potential of causing  
a failure in the controller.  
Some versions of the OS-9 operating system are known to be affected by  
this vulnerability. OS-9 is a popular operating system used in many  
embedded processors, intelligent automation controllers, and programmed  
logic controllers (PLCs). It has not been determined whether or not all  
versions of OS-9 are affected. Whether other embedded controller  
operating systems are affected also remains undetermined at this time.  
Microware, the developer and supplier of OS-9, has been informed of the  
A list of specific brands of embedded controllers are not being released  
at this time specifically to avoid the implication that any brands NOT on  
the list are not vulnerable or that all models or versions of any   
particular brand either are or are not vulnerable.  
Units which have not been tested for this vulnerability, or have not be  
certified as safe by the manufacturer, should be treated as if vulnerable  
until proven or certified safe.  
Where at all possible, do not permit equipment utilizing embedded   
controllers to be connected to a general-purpose TCP/IP network.  
Where network connectivity is required, isolate all embedded controller  
nodes to specific subnets with routers configured to block all ICMP  
redirect traffic.  
When possible, controllers should be tested for ICMP redirect   
vulnerabilities. Testing of any units must assume that the unit may fail  
in a non-safe condition. Testing should only take place under conditions  
which would not result in unsafe operation of the controlled equipment or  
damage to the equipment or personnel. Vulnerable units should be isolated  
>from the network, upgraded by the manufacturer, or replaced with units  
which are not vulnerable.  
Vulnerable units should not be permitted to control equipment engaged in  
any activities related to human health and safety. Vulnerable units also  
should not control equipment which might be damaged should the controller  
fail without warning.  
All routers and gateways should be configured to prohibit propagation of  
ICMP redirect packets. The routine use of ICMP redirects outside of the  
local subnet is extremely limited in normal practice. The cost of  
completely prohibiting the propagation of ICMP redirects between networks  
or subnets is minimal when compared against the damage which can be caused  
by these failures.  
Additional Information:  
This vulnerability was primarily researched by Michael H. Warfield of the  
ISS X-Force.   
Copyright (c) 1998 by Internet Security Systems, Inc.  
Permission is hereby granted for the redistribution of this alert   
electronically. It is not to be edited in any way without express consent  
of X-Force. If you wish to reprint the whole or any part of this alert in  
any other medium excluding electronic medium, please email xforce@iss.net  
for permission.  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html  
as well as on MIT's PGP key server and PGP.com's key server.  
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce  
Please send suggestions, updates, and comments to: X-Force  
<xforce@iss.net> of Internet Security Systems, Inc.  
Version: 2.6.3a  
Charset: noconv  
Date: Tue, 22 Dec 1998 13:16:47 +0000  
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>  
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>  
To: BUGTRAQ@netspace.org  
Subject: Re: your mail  
> It should be pointed out here that ICMP redirects are not the only  
> kinds of attacks which can be carried out against these devices.  
> Our wonderful denial of service friends land, nestea, nestea2, et al,  
> can wreak havoc on these devices as well.  
> Your best bet as a user of these devices is to impose very restrictive  
> filters, or insure that these systems are not vulnerable to all  
> of the attacks against IP stacks that have been discovered.  
A very large number of these embedded devices run the same two or three  
tcp stacks. Several of them hang when fed a zero length IP option (old  
KA9Q based). The other thing is nestea/nestea2 can be a pain. The tools  
may deliver them UDP but they can equally be delivered tcp at port 80,  
or the lpd port or other similar. This makes it quite hard to firewall  
Finally some impromptu testing with third parties indicates that the  
'all embedded boxes have crashable tcp' theory extends to most of the  
beta/just being rolled out set top box internet devices from cable