SISCO OSI stack fails to properly handle malformed packets
From SCADApedia
Certain versions of SISCO's OSI stack, which is used in a number of ICCP servers from SISCO and other vendors, will crash and require a reboot if invalid data is sent to the OSI stack.
Vulnerability
Certain versions of SISCO's OSI stack can be crashed by sending invalid data after a COTP connection has been established. A vulnerable ICCP server typically crashes within 15 to 20 seconds of receiving the data and requires a system reboot before it resumes operation.
This attack requires specialized tools and knowledge of the ICCP protocol stack. To establish the COTP connection from which the attack is launched, an attacker would first need to implement TPKT (RFC 1006), then COTP (ISO 8073), and then supply or guess the transport service access point (TSAP) value that the target server accepts.
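To make concrete what "implement TPKT, then COTP, then guess the TSAP" involves, the following Python is an added example; it is not code from the original article, from SISCO or from Digital Bond. It encodes a TPKT-framed COTP Connection Request, decodes the Connection Confirm or Disconnect Request that comes back, and models the called-TSAP check a server performs before confirming the connection. The in-memory server, the two-byte TSAP values and the random TSAP helper are illustrative assumptions. The example deliberately stops at the established connection and contains none of the data that crashes the stack.

```python
"""TPKT (RFC 1006) and COTP class 0 (ISO 8073) connection setup, the two layers
an attacker must implement before reaching the OSI stack behind TCP/102."""
import secrets
import struct

TPKT_VERSION = 3
CR, CC, DR = 0xE0, 0xD0, 0x80                         # COTP TPDU codes
P_TPDU_SIZE, P_CALLING_TSAP, P_CALLED_TSAP = 0xC0, 0xC1, 0xC2
DR_NOT_ATTACHED = 2                                   # DR reason: session entity not attached to TSAP


def tpkt_wrap(tpdu: bytes) -> bytes:
    """Prefix a TPDU with the 4-byte TPKT header: version 3, reserved, total length."""
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(tpdu)) + tpdu


def tpkt_unwrap(frame: bytes) -> bytes:
    """Check the TPKT header and return the enclosed TPDU."""
    if len(frame) < 4:
        raise ValueError("short TPKT frame")
    version, _, length = struct.unpack("!BBH", frame[:4])
    if version != TPKT_VERSION or length != len(frame):
        raise ValueError("bad TPKT header")
    return frame[4:]


def cotp_tpdu(code: int, dst_ref: int, src_ref: int, last_fixed: int, params: dict) -> bytes:
    """Assemble a CR/CC/DR TPDU: LI, fixed part, then (code, length, value) parameters.
    last_fixed is the class/option byte for CR/CC and the reason byte for DR."""
    body = struct.pack("!BHHB", code, dst_ref, src_ref, last_fixed)
    for pcode, value in params.items():
        body += bytes([pcode, len(value)]) + value
    return bytes([len(body)]) + body                  # LI counts the bytes after itself


def parse_tpdu(frame: bytes) -> dict:
    """Decode a CR, CC or DR frame; raise ValueError when the length fields disagree."""
    tpdu = tpkt_unwrap(frame)
    if len(tpdu) < 7 or tpdu[0] + 1 != len(tpdu):
        raise ValueError("COTP length indicator mismatch")
    code = tpdu[1] & 0xF0
    if code not in (CR, CC, DR):
        raise ValueError("unexpected TPDU code 0x%02x" % code)
    dst_ref, src_ref = struct.unpack("!HH", tpdu[2:6])
    params, pos = {}, 7
    while pos < len(tpdu):
        if pos + 1 >= len(tpdu) or pos + 2 + tpdu[pos + 1] > len(tpdu):
            raise ValueError("truncated COTP parameter")
        pcode, plen = tpdu[pos], tpdu[pos + 1]
        params[pcode] = tpdu[pos + 2:pos + 2 + plen]
        pos += 2 + plen
    return {"code": code, "dst_ref": dst_ref, "src_ref": src_ref,
            "class_or_reason": tpdu[6], "params": params}


def is_well_formed(frame: bytes) -> bool:
    """Length-consistency check a robust stack applies before touching the payload."""
    try:
        parse_tpdu(frame)
        return True
    except ValueError:
        return False


def build_cr(calling_tsap: bytes, called_tsap: bytes, src_ref: int = 1) -> bytes:
    """Client side: a class-0 Connection Request naming the TSAP it wants to reach."""
    params = {P_TPDU_SIZE: b"\x0a",                  # 2^10 = 1024-byte maximum TPDU
              P_CALLING_TSAP: calling_tsap, P_CALLED_TSAP: called_tsap}
    return tpkt_wrap(cotp_tpdu(CR, 0, src_ref, 0x00, params))   # DST-REF 0, class 0


def server_answer(cr_frame: bytes, served_tsap: bytes, local_ref: int = 0x0101) -> bytes:
    """Server side (modelled in memory, an assumption): CC when the called TSAP matches
    the configured one, DR otherwise. Only after a CC does the peer reach the OSI
    stack proper, which is why the attacker must know or guess the TSAP."""
    cr = parse_tpdu(cr_frame)
    if cr["code"] != CR:
        raise ValueError("expected CR")
    if cr["params"].get(P_CALLED_TSAP) != served_tsap:
        return tpkt_wrap(cotp_tpdu(DR, cr["src_ref"], local_ref, DR_NOT_ATTACHED, {}))
    return tpkt_wrap(cotp_tpdu(CC, cr["src_ref"], local_ref, 0x00,
                               {P_TPDU_SIZE: cr["params"].get(P_TPDU_SIZE, b"\x0a")}))


def random_tsap(length: int = 2) -> bytes:
    """A TSAP drawn from a CSPRNG; the two-byte length is an illustrative assumption."""
    return secrets.token_bytes(length)


def connect_outcome(client_called_tsap: bytes, server_tsap: bytes) -> str:
    """Run the CR/CC exchange in memory and report whether the connection was confirmed."""
    reply = parse_tpdu(server_answer(build_cr(b"\x00\x01", client_called_tsap), server_tsap))
    return "connected" if reply["code"] == CC else "rejected"


if __name__ == "__main__":
    print(connect_outcome(b"\x00\x01", b"\x00\x01"))     # connected
    print(connect_outcome(b"\x00\x02", random_tsap()))   # almost always rejected
```

The parser rejects frames whose TPKT length or COTP length indicator do not agree with the bytes actually received; that kind of consistency check, applied before any payload is interpreted, is what the affected stack versions evidently lacked.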
This vulnerability was discovered and reported to US-CERT by Matt Franz of Digital Bond.
Affected Systems
SISCO's OSI stack is found in well over 50% of deployed ICCP servers, many of which are not sold under the SISCO brand. For example, Areva and Siemens ICCP servers rely on the SISCO OSI stack. SISCO has not made public which versions of its product are vulnerable, nor which third party ICCP servers use a vulnerable version of its OSI stack. All asset owners with ICCP servers should either contact their vendor or use one of the detection methods below to determine whether they are vulnerable.
Secure ICCP wraps the ICCP connection in SSL, but this does not correct the vulnerability. It only restricts the attack to parties able to establish the Secure ICCP connection, since the invalid data is delivered inside that connection. A Secure ICCP server that relies on SISCO's OSI stack may still be vulnerable.
Impact
ICCP servers are used to pass information between SCADA/EMS systems, often between asset owners. A US bulk electric entity is likely to have ICCP Security Associations with multiple other bulk electric entities. Firewalls and other perimeter security devices must be configured to allow TCP/102, the ICCP port, for authorized ICCP communication.
If an attacker were able to gain a foothold in one electric entity's network, and had the ICCP knowledge and tools described above, he could crash every peer ICCP server that entity communicates with that runs an unpatched SISCO OSI stack, since the perimeter firewalls already permit that TCP/102 traffic.
Digital Bond made no attempt to develop exploit code that would provide remote control of the ICCP server, since the denial of service alone was serious enough to warrant patching.
Detection
SISCO has provided Digital Bond with the list of OSI stack versions that are vulnerable. This allowed Digital Bond to write Nessus Plugin 24725, which identifies ICCP servers that require the patch.
Digital Bond site subscribers who are vetted asset owners can obtain the dtfuzz utility, which runs the exploit and crashes vulnerable ICCP servers; run it only against systems you are authorized to take down.
Remediation
Contact your ICCP server vendor and deploy a patch if one is available. A patch is available for all SISCO branded ICCP servers. Third party vendors that integrate SISCO's OSI stack may or may not support the patch.
Compensating Controls
- Use a firewall or other filtering to restrict TCP/102 access to ICCP servers to the known peer addresses
- Select a pseudo-random TSAP value rather than a default or easily guessed one, so that an attacker cannot readily complete the COTP connection the attack requires
