Reading between the lines of VU#144233
I’m a week or two late on this, but I think that the community as a whole has paid far too little attention to the advisory released a few weeks ago by the folks at C4/CERT, and the response to them by Rockwell. Full disclosure, I have not personally verified these findings as we don’t have a Micrologix device in our lab, but trusting CERT for basic details is usually fine.
Let me start off by saying that I really don’t have a problem with poor security if you aren’t trying to be secure. If a trade off has been made for usability, safety requirements, or something else, then that is the prerogative of the business and those in charge of keeping its processes going. While I believe its usually a misguided choice, at least its a choice. What does bother me are security features that provide a false sense of security.
Which brings us back to the advisory. Specifically the line:
“During the authentication process, the PLC transmits the management password in plain text to the client.”
The user attempting to authenticate to the device is sent the password, in plain text no less, that they need to respond with to authenticate. That’s bad. The authentication model of the device relies on the users being nice enough to use the provided client software. This is client side authentication at its worst, and I would have thought that a professional developer with any sort of training, or experience, would have realized that that is poor design and something that should never be used.
But why should we even care about this when most devices like this don’t have any sort of authentication built in at all? Because it misleads the end user as to what their security expectations should be for the device. It could lead to opening up a hole in their firewall, allowing access from anywhere on the corporate or the control network. It requires authentication so that would be fine, right?
But it doesn’t end there, the gap between any sort of security understanding and this vendor is even more evident in their response to these vulnerabilities, contending that it would take a “highly skilled, unauthorized person, using specific tools to intercept the controller password.” Highly skilled to examine the network traffic directed at their system? And use specific tools? What does that even mean? Isn’t any given tool a specific tool? Sounds like someones PR/marketing department is a little too involved in the disclosure process. And I’m still scratching my head over the workaround advice to change the password frequently.
Vulnerabilities like this give a glimpse into the security education and development process inside the company walls, and what we’re all seeing isn’t pretty. We’ve been pushing for a while that operators and vendors alike raise the bar of security expectations in control systems, but issues like this, which are poorly thought out at best and intentionally misleading at worst, is not the way to do it.
Author: Daniel Peck
Posted: February 8th, 2010 under Uncategorized.
Comments: 2
Comments
Comment from Ralph Langner
Time: February 8, 2010, 7:09 am
Client-side authentication seems to be popular in this area and is usually justified by low computing resources on the target system bla bla bla. I agree with Daniel’s assessment and would like to add another problem. The user (or admin) THINKS this connection is secure because it is authenticated. This might lead to quite insecure architectures and use cases. We have seen this with another product from another vendor that comes with an “authenticated” web server for basic HMI. Authentication is done at the client side, with the server transmitting ALL configured accounts and passwords over the network (not plain text, but with some kindergarten-level XOR “encryption”). What this vendor doesn’t tell the customer is that the connection can be used not only for HMI but for HTTP-tunneling the engineering protocol. All this via port 80. And all this while the user believes everything’s secure because the link is “authenticated”.
Comment from Matt Franz
Time: February 8, 2010, 8:20 pm
This is a very odd CERT advisory, lmuch ike the C4 advisory. Reading the Q&A links (countermeasures) on the Rockwell site, what I find curious is this reads like a design flaw in Ethernet/IP. And If this is the case why wouldn’t other implementations (ControlLogix and non-AB) be “vulnerable?”
But I think your inferences into RA development are a bit of a reach as I would guess you are dealing with 10-15 year old designs, where (like Ralph says) this sort of client side “authentication” is pretty common. Most vendor advisories are essentially putting “lipstick on a pig” so claims about attack difficulty are generally fairly laughable.
I’m sure there are some bugs in there somewhere (although there are no fixes, so maybe not) this whole advisory smells like issuing an advisory for a product that uses Telnet, but I guess we’ll never know.
Write a comment