[German]Security researchers have found a vulnerability in the implementation of the 499ES EtherNet/IP (ENIP) Adaptor Source Code, which makes automation components vulnerable to attack.
Advertising
The US authority CISA (Cybersecurity & Infrastructure Security Agency) issued a warning on November 17, 2020. The 499ES EtherNet/IP (ENIP) adapter is used for communication in many industrial control and automation systems – Real Time Automation (RTA).
Der EtherNet/IP Adapter
EtherNet/IP (EtherNet Industrial Protocol,often just called EIP) is a real-time Ethernet, which is mainly used in automation technology. EtherNet/IP was developed by Allen-Bradley (part of Rockwell Automation) and later handed over to the Open DeviceNet Vendor Association (ODVA) as an open standard.
In 1998, a working group of ControlNet International developed a procedure to set the already published application protocol Common Industrial Protocol to Ethernet. Based on this procedure, EtherNet/IP was published as an open industrial standard in March 2000. ControlNet International (CI), the Open DeviceNet Vendor Association (ODVA) and the Industrial Ethernet Association (IEA) were involved in this process.
In addition to Profinet and Modbus/TCP, EtherNet/IP is currently a widely used Ethernet-based fieldbus. More than one million field devices were sold between 2002 and 2006. Currently, about 150 manufacturers within ODVA support the bus protocol. In North America, EtherNet/IP is the standard for industrial I/O applications.
Based on the basic TCP/IP protocols TCP and UDP, EtherNet/IP supports the continuity between the office network and the plant to be controlled. EtherNet/IP end devices support DHCP and BootP for IP address assignment. For commissioning support (diagnosis) of EtherNet/IP networks, the web server integrated in the interface module of the PLC controller can be used, or the web servers contained in other EtherNet/IP devices. Further details can be found in Wikipedia.
Advertising
EtherNet/IP Adapter Source Code Stack
RTA (RT-Automation) offers an implementation of the EtherNet/IP Adapter as 'EtherNet/IP Adapter Source Code Stack'. This solution is written in ANSI-C, has its own API and can be used in many operating systems like:
- Windows
- VxWorks
- Net Silicon
- Rabbit
- ARC MQX
- Quadros
- Netburner
- Freescale
- Linux
- Mentor Nucleus
- Open TCP
- Microchip
- PowerQUICC II Pro
Automation and control system manufacturers receive the source code of the EtherNet/IP adapter and can integrate it into their own solutions.
The vulnerability
The critical vulnerability (stack-based buffer overflow) now known in the 499ES EtherNet/IP (ENIP) stack of Real-Time Automation (RTA) could be exploited by specially crafted packages for remote attacks on vulnerable industrial control systems. The vulnerability was discovered by Sharon Brizinov, a security researcher at the security company Claroty. The vulnerability was assigned CVE-2020-25159 and a CVSS v3 baseline of 9.8.
All versions of the 499ES EtherNet/IP Adapter source code prior to version 2.28 are affected. Successful exploitation of this vulnerability could lead to a denial of service condition and a buffer overflow could allow remote code execution. RTA has provided some additional guidance on this. The code in older versions of the RTA product attempted to reduce RAM usage by limiting the size of a specific buffer used in an EtherNet/IP Forward Open request. By limiting RAM, it is possible for an attacker to provoke a buffer overflow in an attempt to gain control of the device.
This code has been changed in the meantime and is no problem in the current EtherNet/IP software revision levels. The Hacker News writes here, that version 2.28 of the EtherNet/IP Adapter Source Code Stack was released on November 21, 2012. Obviously, manufacturers of control and automation systems using this 499ES EtherNet/IP (ENIP) Adaptor Source Code will have to react and update the software to version 2.28. Afterwards, the product must be delivered to customers – which certainly affects tens of systems worldwide.
From my experience in this area, which is based 27 years ago, industrial customers who have not implemented a 499ES EtherNet/IP (ENIP) Adaptor Source Code implementation themselves, have no choice but to contact the manufacturers of their automation systems and ask whether the vulnerable component has been used. If so, you should ask for an update and schedule its installation for the running systems. The problem will probably be that the products in question may have reached end of support.
CISA Recommendations
CISA recommends that users take immediate countermeasures to minimize the risk of exploitation of this vulnerability. In particular, users should:
- Ensure that control and automation systems are not accessible via the Internet.
- Place networks for control systems and remote devices behind firewalls and isolate them from the corporate network.
- If remote access is required, use secure methods such as Virtual Private Networks (VPNs).
With regard to VPNs, however, it should be noted that they can also have weak points and should be updated to the latest available version. It should also be noted that VPNs are only as secure as the devices used for communication. There are currently no known exploits that exploit this vulnerability for attacks.
Advertising