Important New Nessus Plugin for ICCP Users
This is an interesting case study post for most readers and important for ICCP users.
In 2006, Matt Franz at Digital Bond discovered a vulnerability in the SISCO stack used in a large percentage of ICCP servers. Following our responsible disclosure process, we reported this to the vendor and to US-CERT/CERT. On January 17, 2007, US-CERT issued a vulnerability note, and SISCO has a newer version of the stack that does not have this vulnerability.
So let's assume SISCO has done what they discussed in public forums like PCSF and contacted all their customers with support contracts (this leaves open the issue of users without support contracts, a hot topic in responsible disclosure). This only addresses a small portion of the deployed vulnerable stacks.
SISCO’s ICCP stack is widely used by ICCP server vendors including some of the big ones such as Areva and Siemens. Matt estimated a 70% market share for that stack, and I would estimate it is certainly over 50%.
Problem #1: SISCO has no way of knowing how to contact customers that have purchased non-SISCO branded ICCP servers built on the SISCO stack. How many of these vendors are going to the trouble of providing a patch or upgrade path to the fixed SISCO stack? How many are going to proactively contact customers?
Problem #2: Most ICCP users have no idea that the SISCO stack is in their ICCP server. Even if they read the vulnerability note, it does not list any of the large number of vendors that use the SISCO stack. On a side note, the information in the US-CERT note is correct, but the information on SecurityFocus and other sites about which versions are affected is wrong, as it has been for most of the vulnerabilities we have identified.
This is a great example where a Nessus plugin can help identify vulnerable ICCP servers. We wrote the SISCO OSI Stack Malformed Packet Remote Denial of Service Vulnerability plugin, number 24725, and it was released into Tenable’s Direct Feed today. You can now scan your ICCP server and find out if you are affected by this vulnerability. If you are and you have not heard from your ICCP vendor, it is time to put some pressure on them to get their act together on vulnerability disclosure, at least to supported customers.
All SCADA plugins are delivered to Nessus users encrypted, so an attacker cannot read the NASL code and uncover the vulnerability details. Another important point is that the plugin does not implement the DoS attack. It checks which version is running and compares that to the known vulnerable version list.
Finally, I have to give some praise to SISCO. We have had the sometimes rocky relationship that exists between a vendor and a researcher, but after some discussions they stepped forward and provided the information needed to write an accurate plugin. If they had not, the plugin would have only identified the vulnerable versions we had tested in our lab, which was a small subset, leading to false negatives. Another point in SISCO's favor is that they fixed the problem, which is often not the response we get from vendors.
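As an added illustration of the passive check described above (this is not plugin 24725, which is NASL and ships encrypted), the Python below compares a discovered version against both a lab-tested list and a vendor-supplied first-fixed release. Every version string in it is a constructed placeholder, since the real affected SISCO versions are not reproduced here; it shows why the vendor's information matters: a list of only the versions tested in a lab yields false negatives on untested releases, while a numeric range check does not.

```python
from typing import Tuple, Dict

def parse_version(s: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2, 0) so comparison is numeric, not lexical.

    Padding to a fixed width makes '1.3' and '1.3.0' compare equal, which a
    naive tuple comparison would not.
    """
    parts = [int(p) for p in s.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"too many components in version {s!r}")
    return tuple(parts + [0] * (width - len(parts)))

# Constructed placeholders: the versions a lab actually exercised (a small subset).
LAB_TESTED_VULNERABLE = ["1.0.0", "1.1.0"]

# Constructed placeholder: the first fixed release, as a vendor would state it.
FIRST_FIXED = "1.3.0"

def vulnerable_by_list(version: str) -> bool:
    """Flag only versions explicitly seen to be affected; untested ones slip through."""
    return parse_version(version) in {parse_version(v) for v in LAB_TESTED_VULNERABLE}

def vulnerable_by_range(version: str, first_fixed: str = FIRST_FIXED) -> bool:
    """Flag everything older than the first fixed release, without sending any packet."""
    return parse_version(version) < parse_version(first_fixed)

def assess(host_versions: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Evaluate a host -> discovered-version inventory with both methods."""
    return {
        host: {
            "list_check": vulnerable_by_list(ver),
            "range_check": vulnerable_by_range(ver),
        }
        for host, ver in host_versions.items()
    }

if __name__ == "__main__":
    # Constructed inventory standing in for version strings a credentialed scan collected.
    inventory = {"iccp-a": "1.1.0", "iccp-b": "1.2.5", "iccp-c": "1.3", "iccp-d": "1.10.0"}
    for host, result in assess(inventory).items():
        print(host, result)
```

For the constructed inventory, host iccp-b is flagged only by the range check: the list check reports it clean, the false negative the post warns about.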
Author: Dale Peterson
Posted: March 1st, 2007 under Assessment Tools, ICCP, Nessus SCADA Plugins.
Comments: 2
Comments
Comment from Matt Franz
Time: March 1, 2007, 11:28 am
Because there seems to be so much confusion out there on the “5 w’s” of scanning control systems, I wanted to add that all the Nessus checks for known, disclosed ICCP implementation vulnerabilities (unlike the ICCP recon and insecure config checks) do NOT actually send ICCP protocol messages (and therefore do not actively attempt to exploit the vulnerabilities) but rely on Windows registry information to gather version information about software components.
Comment from Landon Lewis
Time: March 1, 2007, 6:29 pm
And require Windows credentials to do so. :-p