Security Bulletin ICSA-13-231-01B

06 Jun 2025

Security Bulletin Covering CVE-2013-2802; ICSA-13-231-01B

Abstract: Response for Vulnerabilities found in IPm RTUs

This document explains the steps needed to resolve the security issues found after loading new firmware on the IPm RTUs listed below.

CVSS v2.0 Base Vulnerability Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Severity    Base Score Range
None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0

Note: these ranges are the CVSS v3 qualitative severity scale. The score above is CVSS v2, which has no "Critical" band; under v2 a score of 7.0-10.0 is rated High, so 10.0 is the maximum severity on either scale.

Products: ST-IPm-6350 / VT-mIPm-245-D / VT-mIPm-135-D / VT-IPm2m-213-D / VT-IPm2m-113-D

Versions Affected:

  • Firmware 4.9.152
  • Tool Kit 3.60.118

Revision Information: 12 November 2019

Vulnerability: Sixnet Universal Protocol Undocumented Function Codes

The universal protocol implementation in Sixnet UDR before 2.0 and RTU firmware before 4.8 allows remote attackers to execute arbitrary code; read, modify, or create files; or obtain file metadata via function opcodes.

  1. If telnet and FTP are enabled when the RTU is configured, they expose root access over the Ethernet port.

a. When FTP and telnet are enabled, root access must be disabled and operators given individual user accounts instead (step b).

i. Telnet into the RTU and lock the root account with the ‘passwd -l root’ command. Once root is locked, the RTU can only be administered through another account or a local (serial) connection, so confirm that access works before locking root.

b. Enable User Authentication.

i. Using the Toolkit program, go to Configuration>>Configure Station/Module…>>Configure Users.


ii. Check the “Enable user authentication” check box.

iii. Remove all permissions from the ‘anonymous’ user.

iv. Click “Add User…”, enter a user name and password, then set the permissions for that user.

v. User authentication takes effect in the RTU once the configuration is loaded to it.

c. Add an iptables rule to block Sixnet UDR traffic over TCP/IP.

i. Using the Sixnet I/O Tool Kit program, go to Configuration>>Configure Station/Module…>>Ports tab>>Security…

ii. Select the “Load this file with each station load” radio button to load a custom rc.firewall configuration file. The rules below allow all traffic except Sixnet UDR over TCP/IP. Please note: two policy lines present in the default rc.firewall file are left out, because with no ACCEPT rules for the Ethernet interface they would drop all traffic entering it.

Remove these rules from the default rc.firewall file:

# Drop everything coming in
iptables -P INPUT DROP
# Drop everything in FORWARD chain
iptables -P FORWARD DROP

Example rc.firewall rules blocking Sixnet UDR over TCP/IP (the two DROP policies from the default file are replaced with explicit ACCEPT policies, because flushing a chain with -F removes its rules but leaves a policy set by an earlier load in place):

#!/bin/sh
# Initialization: load the netfilter modules used by the rules below
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
# Flush all chains and zero the counters (-F leaves chain policies untouched)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -Z
# Accept by default; the default file's INPUT/FORWARD DROP policies are not used here
# because they would block all traffic that is not explicitly accepted
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
# Accept everything going out
iptables -P OUTPUT ACCEPT
# Allow local traffic
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
# Drop Sixnet UDR over TCP/IP (TCP port 1594) arriving on eth0; all other traffic is still accepted
iptables -A INPUT -i eth0 -p tcp --destination-port 1594 -j DROP

This rule matches TCP only. If the RTU is also reachable by UDR over UDP and that path is not needed, add an equivalent rule with -p udp (confirm the transport in use at your site first). Before loading the file, also confirm that the path the Tool Kit itself uses to load configuration (serial, or a transport not dropped above) remains open; otherwise the next station load cannot reach the RTU.

d. ICS-CERT also encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

i. Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.

ii. Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

iii. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
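A post-mitigation check, added here as an example and not taken from the bulletin or from Red Lion's own tooling: run it from a host on the RTU's network after the rc.firewall and user-authentication settings above have been loaded. It tells apart a port that is dropped by the firewall (the connect times out, reported as filtered) from one that merely has no listener (RST, reported as closed) and from one still exposed (open), and it tries an anonymous FTP login to confirm step b.iii took effect. It assumes telnet on TCP 23 and FTP on TCP 21; the local listener used by self_check() is constructed purely so the code can be exercised without an RTU.

```python
"""Post-mitigation reachability check for a Sixnet IPm RTU (added example,
not from the bulletin or from Red Lion).  Run from a host on the RTU's
network after the rc.firewall and user-authentication settings are loaded."""
import ftplib
import socket

UDR_TCP_PORT = 1594  # Sixnet UDR over TCP/IP, the port dropped by rc.firewall
TELNET_PORT = 23     # assumption: standard telnet port
FTP_PORT = 21        # assumption: standard FTP control port


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'closed' or 'filtered'.

    The rc.firewall DROP rule silently discards the SYN, so a blocked port
    shows up as 'filtered' (connect times out), not 'closed' (RST received).
    Only 'open' means the service is still reachable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # no route / host unreachable: not reachable
            return "filtered"
    return "open"


def anonymous_ftp_allowed(host, port=FTP_PORT, timeout=3.0):
    """True if the RTU still accepts an anonymous FTP login (step b.iii not
    in effect), False if the login is refused, None if FTP is unreachable or
    the result is inconclusive (e.g. a temporary 4xx reply)."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        return None
    try:
        ftp.login()              # ftplib defaults to user 'anonymous'
        return True
    except ftplib.error_perm:    # e.g. "530 Login incorrect"
        return False
    except ftplib.all_errors:    # temporary failure or dropped connection
        return None
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


def mitigation_report(host, timeout=3.0):
    """Summarise the checks for one RTU.  After the mitigation, udr_blocked
    should be True and ftp_anonymous_login False (or None if FTP is off)."""
    udr = probe_tcp(host, UDR_TCP_PORT, timeout)
    return {
        "udr_tcp_1594": udr,
        "udr_blocked": udr != "open",
        "telnet_23": probe_tcp(host, TELNET_PORT, timeout),
        "ftp_anonymous_login": anonymous_ftp_allowed(host, FTP_PORT, timeout),
    }


def self_check():
    """Offline demonstration against a constructed local listener (no RTU
    needed): the same port reads 'open' while the listener is up and 'closed'
    once it is torn down, and the FTP probe reports None for a closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]
    while_up = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_down = probe_tcp("127.0.0.1", port, timeout=2.0)
    ftp_result = anonymous_ftp_allowed("127.0.0.1", port, timeout=2.0)
    return while_up, after_down, ftp_result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(mitigation_report(target) if target else self_check())
```

Run it as `python3 check_rtu.py <rtu-address>` for a live RTU, or with no argument for the offline self-check. A result of "filtered" on port 1594 is the expected signature of the DROP rule; "closed" would mean the RTU answered with a reset, which the rc.firewall above does not do, so treat it as a sign the firewall file did not load.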