SISCO OSI stack fails to properly validate packets
From SCADApedia
Version 3.x and earlier of SISCO's OSI stack, which is used in a number of ICCP servers from SISCO and other vendors, will crash when scanned by Nessus and other vulnerability scanners.
Vulnerability
Nessus is the most popular vulnerability scanner, and it is available as an open source tool. Nessus is used by both hackers and IT Departments to identify vulnerabilities in a network. The goal of most Nessus plugins is reconnaissance, and they are not intended or attempting to cause a denial of service condition.
Version 3.x and earlier of SISCO's OSI stack will terminate when a Nessus scan is run against the host system.
The functionality in most of the Nessus plugins is also available in commercial vulnerability scanners, and subsets of it are available in open source utilities. It is likely that other vulnerability scanners will also cause a denial of service in affected systems.
This vulnerability was initially reported on 25 Feb 2005 in a SISCO document. SISCO subsequently reported this vulnerability to US-CERT, and it was published as a US-CERT Vulnerability Note 468798 on 20 Sep 2006.
Affected Systems
SISCO's OSI stack is in over 50% of the deployed ICCP servers. SISCO sells its own line of ICCP servers and toolkits, and deployed systems may contain a vulnerable OSI stack.
| Product | Vulnerable Version | Patched Version |
| --- | --- | --- |
| AX-S4 ICCP | V3.0103 or earlier | V3.0155 |
| AX-S4 MMS | V5.01 or earlier | V5.02 |
| ICCP Toolkit for MMS-EASE for Windows | V4.10 or earlier | V5.03 |
| ICCP Toolkit for MMS-EASE for AIX | V4.10 or earlier | V4.11 |
| ICCP Toolkit for MMS-EASE for Solaris | V4.10 or earlier | V5.03 |
| MMS-EASE for Windows | V7.10 or earlier | V8.03 |
| MMS-EASE for AIX | V7.10 or earlier | V8.04 |
| MMS-EASE for Solaris | V7.10 or earlier | V8.0 |
SISCO's OSI stack is also present in many third-party servers. For example, Areva and Siemens ICCP servers rely on the SISCO OSI stack. All asset owners with ICCP servers should either contact their vendor or use one of the detection methods below to determine whether they are vulnerable.
Impact
The denial of service condition triggered by this vulnerability is most likely to occur when a security consultant or someone from the IT Department runs Nessus as part of a legitimate security assessment. It would be a short-term interruption until the ICCP server is rebooted.
Similarly, an attacker who had gained logical access to the ICCP server would be able to terminate the ICCP application. In fact, the attacker is likely to crash the ICCP servers accidentally when running Nessus to gather information about the system in the reconnaissance phase of an attack.
ICCP servers are used to pass information between SCADA/EMS systems, often between asset owners. A US bulk electric entity is likely to have ICCP Security Associations with multiple other bulk electric entities. Firewalls and other perimeter security devices must be configured to allow TCP/102, the ICCP port, for authorized ICCP communication.
If an attacker were able to gain access to one electric entity, he would be able to crash all ICCP servers that organization communicates with that have an unpatched SISCO OSI stack.
Detection
The fact that an ICCP server is running the SISCO OSI stack is often not visible to the asset owner, especially if it is a third-party ICCP server.
Windows Versions
Nessus plugin 23814 will identify if the ICCP server is running a version of the OSI stack that requires patching for this vulnerability.
The OSI stack and version can also be identified by searching the registry for the following Windows registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\SISCO\OSILL2\CURRENTVERSION
The ICCP server is vulnerable if the OSI stack version is 3.x or earlier.
Unix Versions
The SISCO OSI stack writes the version number to a log file when it is started. The ICCP server is vulnerable if the OSI stack version is 3.x or earlier.
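The two detection checks above (the registry key on Windows, the start-up log on Unix) combined into one script, as an added example rather than code from the SCADApedia page or from SISCO. Whether CURRENTVERSION is a value under OSILL2 or a subkey with a default value is not stated on the page, so both layouts are tried, and the Unix log line format is assumed, so the sample log line is constructed.

```python
"""Added example, not code from the SCADApedia page or from SISCO: flag a SISCO
OSI stack version of 3.x or earlier, reading the version from the registry key
the page names (Windows) or from a start-up log line (Unix, format assumed)."""
import re
from typing import Optional, Tuple

VERSION_RE = re.compile(r"\bV?(\d+(?:\.\d+)+)\b", re.IGNORECASE)
# Assumed Unix log layout: the number follows the word "version"
LOG_RE = re.compile(r"version\s*:?\s*V?(\d+(?:\.\d+)+)", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, ...]:
    """'V3.0103' -> (3, 103); leading zeros drop out but ordering is kept,
    matching the page's table (3.0103 < 3.0155)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def stack_is_vulnerable(version: str) -> bool:
    """The page's rule: OSI stack version 3.x or earlier is vulnerable."""
    return parse_version(version)[0] <= 3

def version_from_log(log_text: str) -> Optional[str]:
    """First OSI stack version mentioned in Unix start-up log text, or None."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            return m.group(1)
    return None

def version_from_registry() -> Optional[str]:
    """HKLM\\SOFTWARE\\SISCO\\OSILL2\\CURRENTVERSION, or None off Windows / if absent."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    base = r"SOFTWARE\SISCO\OSILL2"
    try:  # layout 1 (assumed): CURRENTVERSION is a value under OSILL2
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
            return str(winreg.QueryValueEx(key, "CURRENTVERSION")[0])
    except OSError:
        pass
    try:  # layout 2 (assumed): CURRENTVERSION is a subkey with a default value
        return str(winreg.QueryValue(winreg.HKEY_LOCAL_MACHINE, base + r"\CURRENTVERSION"))
    except OSError:
        return None

# Constructed sample line; the real SISCO log format is not given on the page.
SAMPLE_LOG = "2006-09-20 10:15:02 osill2: SISCO OSI stack version 3.0103 started\n"
```

Run `version_from_registry()` on the Windows ICCP host itself; on Unix, pass the contents of the OSI stack's start-up log to `version_from_log()` and feed the result to `stack_is_vulnerable()`.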
Remediation
Contact your ICCP server vendor and deploy a patch if available. A patch is available for all SISCO-branded ICCP servers. Third-party vendors that integrate SISCO's OSI stack may or may not support the patch.
Compensating Controls
- Use a firewall or other filtering to limit access to ICCP servers
- Prohibit Nessus and other vulnerability scanning of known vulnerable ICCP servers by policy
