COMMAND

    See below

SYSTEMS AFFECTED

    Intelligent embedded controllers or Programmed Logic Controllers

PROBLEM

    The following is based on an ISS Security Advisory. The advisory
    pertains to an indeterminate class of networked embedded
    controllers and processors. Because embedded controllers are found
    in a wide variety of automation equipment, manufacturing equipment,
    HVAC (Heating, Ventilation, and Air Conditioning) equipment, and
    medical equipment, this vulnerability has the possibility of
    affecting human health and safety.

    One or more operating systems popular for use in intelligent
    embedded controllers or PLCs (Programmed Logic Controllers) may
    have network protocol stacks which are vulnerable to certain
    classes of ICMP Redirect attacks. Vulnerable controllers are prone
    to hang or shut down shortly after receiving the attacking packets.
    The failure can extend even to their non-network functionality and
    can cause the controlled equipment to fail. There exists a
    significant possibility of the controlled equipment being left in
    a non-safe or inoperable condition, possibly leading to physical
    damage.

    It can be difficult to reliably determine the type of embedded  OS
    in  use  on  particular  embedded  controllers,  or  to positively
    ascertain  which  controllers  are  vulnerable  without   directly
    executing the  attack.   Unfortunately, executing  the attack also
    creates  the  potential  of  causing  a failure in the controller.
    Some  versions  of  the  OS-9  operating  system  are  known to be
    affected  by  this  vulnerability.   OS-9  is  a popular operating
    system used  in many  embedded processors,  intelligent automation
    controllers, and programmed logic controllers (PLCs).  It has  not
    been determined whether or not all versions of OS-9 are  affected.
    Whether other embedded  controller operating systems  are affected
    also remains undetermined at this time.

    A list of specific brands of embedded controllers is not being
    released at this time, specifically to avoid the implication that
    any brands NOT on the list are not vulnerable, or that all models
    or versions of any particular brand either are or are not
    vulnerable. Units which have not been tested for this
    vulnerability, or have not been certified as safe by the
    manufacturer, should be treated as if vulnerable until proven or
    certified safe.

    A very large number of these embedded devices run the same two or
    three TCP/IP stacks. Several of them hang when fed a zero-length IP
    option (old KA9Q-based stacks). The nestea/nestea2 attacks can also
    be a pain. The tools may deliver them over UDP, but they can
    equally be delivered over TCP to port 80, the lpd port, or other
    similar ports. This makes them quite hard to firewall.

    Finally, some impromptu testing with third parties indicates that
    the 'all embedded boxes have crashable tcp' theory extends to most
    of the beta or newly rolled-out set-top box internet devices from
    cable companies.

SOLUTION

    Microware, the developer and  supplier of OS-9, has  been informed
    of the problem.

    Where at all possible, do not permit equipment utilizing  embedded
    controllers to be connected  to a general-purpose TCP/IP  network.
    Where  network  connectivity  is  required,  isolate  all embedded
    controller nodes  to specific  subnets with  routers configured to
    block  all  ICMP  redirect  traffic.   When  possible, controllers
    should be tested  for ICMP redirect  vulnerabilities.  Testing  of
    any  units  must  assume  that  the  unit  may  fail in a non-safe
    condition.  Testing should only take place under conditions  which
    would not result in  unsafe operation of the  controlled equipment
    or damage to the equipment or personnel.  Vulnerable units  should
    be isolated  from the  network, upgraded  by the  manufacturer, or
    replaced with units  which are not  vulnerable.  Vulnerable  units
    should  not  be  permitted  to  control  equipment  engaged in any
    activities related to human  health and safety.   Vulnerable units
    also should not  control equipment which  might be damaged  should
    the controller fail without warning.

    All  routers  and  gateways  should  be  configured  to   prohibit
    propagation of  ICMP redirect  packets.   The routine  use of ICMP
    redirects  outside  of  the  local  subnet is extremely limited in
    normal  practice.    The  cost  of   completely  prohibiting   the
    propagation  of  ICMP  redirects  between  networks  or subnets is
    minimal when compared  against the damage  which can be  caused by
    these failures.
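    As an added example (not part of the advisory), the following
    Python check is the kind of filter a gateway or monitor at the
    controller-subnet boundary could apply to enforce the two points
    made above: drop ICMP redirects before they reach the controllers,
    and reject datagrams carrying a zero-length IP option of the kind
    the PROBLEM section says hangs KA9Q-based stacks. Packet layouts
    follow RFC 791/792; the sample packets and addresses are
    constructed.

```python
import socket
import struct

ICMP_REDIRECT = 5   # RFC 792 Redirect; codes 0-3 = net, host, TOS+net, TOS+host

def check_ip_options(opts):
    """Raise ValueError on a zero-length or otherwise impossible IPv4 option."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:           # End of Option List
            return
        if kind == 1:           # No Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option type {kind} has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"option type {kind} has invalid length {length}")
        i += length

def inspect_packet(pkt):
    """Reasons (empty list = clean) to refuse forwarding this raw IPv4 datagram."""
    if len(pkt) < 20:
        return ["truncated IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["malformed IPv4 header"]
    reasons = []
    try:
        check_ip_options(pkt[20:ihl])   # the zero-length option case from the text
    except ValueError as err:
        reasons.append(f"IP option: {err}")
    if pkt[9] == 1 and len(pkt) >= ihl + 8 and pkt[ihl] == ICMP_REDIRECT:  # proto 1 = ICMP
        gateway = socket.inet_ntoa(pkt[ihl + 4:ihl + 8])
        reasons.append(f"ICMP redirect code {pkt[ihl + 1]} to gateway {gateway}")
    return reasons

def make_ipv4(proto, payload, options=b""):
    """Build a minimal IPv4 datagram as constructed test input (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)    # pad options to a 32-bit boundary
    header = struct.pack("!BBHHHBBH4s4s", 0x45 + len(options) // 4, 0,
                         20 + len(options) + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.10"))
    return header + options + payload

# Constructed samples: a host redirect (type 5, code 1) naming 192.0.2.254 as gateway, and a UDP datagram with a zero-length Record Route option (type 7).
REDIRECT_PKT = make_ipv4(1, bytes([ICMP_REDIRECT, 1, 0, 0])
                         + socket.inet_aton("192.0.2.254") + b"\x00" * 28)
BAD_OPTION_PKT = make_ipv4(17, b"\x00" * 8, options=bytes([7, 0]))
```

    A clean datagram (no options, no redirect) yields an empty list;
    anything returned is a reason to drop the packet at the boundary.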