CIDG

Archive for 'ICCP'

Iccpsic Assessment Tool Set Released

After a fair amount of soul searching and delay, Digital Bond is finally releasing our iccpsic tool set to subscribers who are vetted asset owners.
This was a difficult decision because this tool set will crash vulnerable ICCP servers. It was what we developed and used to find a number of ICCP protocol implementation vulnerabilities, including [...]

Two LiveData Vulnerabilities Published

A bit of confusion yesterday as two LiveData vulnerabilities were independently published on the same day. What are the odds on this?
The first was a US-CERT Vulnerability Note on a vulnerability in the COTP implementation discovered by Matt Franz while he was at Digital Bond. A malformed COTP packet causes the LiveData ICCP server to [...]

Important New Nessus Plugin for ICCP Users

This is an interesting case study post for most readers and important for ICCP users.
In 2006, Matt Franz at Digital Bond discovered a vulnerability in the SISCO stack used in a large percentage of ICCP servers. Following our responsible disclosure process, we reported this to the vendor and US-CERT/CERT. On January 17, 2007, US-CERT [...]

US-CERT Discloses Sisco ICCP Stack Vulnerability

It is interesting watching the system work from the researcher's perspective and seeing the responses and timeline. This was one of the first vulnerabilities that we processed through our vulnerability disclosure policy. Matt identified this in late February and it went to US-CERT and CERT/CC in early March. While nine months may seem like [...]

More Nessus ICCP

A while back I blogged a bit about one of the plugins we wrote for Nessus. Here I’ll add some screenshots that better show how it might be used.
By clicking port 102 we can quickly see all the ICCP servers on our network and which have security holes and notes. We can then drill [...]

Detecting ICCP Servers with Nessus

Although we showed screenshots several weeks back, we haven’t shown any scan output yet for the SCADA Nessus Plugins we’ve been developing with Tenable.
For this one I’m just running this from the command line, but this is what would show up in the Nessus scan report if the ICCP Server detection plugin successfully found an ICCP [...]

US-CERT Livedata ICCP Vulnerability Note

US-CERT released Vulnerability Note VU#190617: LiveData ICCP Server heap buffer overflow today after a number of months of “vendor coordination.”
I won’t go beyond the technical details in the VU, but to recap the highlights:

This is a protocol implementation flaw in RFC 1006, not in the inherent security of the protocol, ICCP or RFC 1006.
A remote [...]

Indeed, UCA/MMS/ICCP can be replayed

When thinking about protocol security, one of the common threats to consider is a “replay attack.” However, in most cases the discussion is largely academic.
Since tcpreplay actually does not replay application layer traffic, but PCAP files (basically link layer traffic with a small header) and last summer when I looked at flowreplay, it didn’t seem [...]

ICCP IDS Rules Update

We have issued a minor update to two ICCP rules, 1111404 and 1111405. These rules are related to the MMS layer. The new rules eliminate a small number of false negatives that were based on a specific implementation and a typical write request. The new rules also should lessen the number of false positives because [...]

ICCP Exposed: Part I

For some folks, the OSI Reference Model is just something we have read about in standards documents (or memorized the seven layer model for a certification exam or a job interview) but never actually used in the real world. This was true for me until I started looking at ICCP. (To be completely honest, I [...]