TY - GEN
T1 - Authentication bypass and remote escalated I/O command attacks
AU - Grandgenett, Ryan
AU - Mahoney, William
AU - Gandhi, Robin
N1 - Funding Information:
Ryan Grandgenett has been previously supported through NSF CNS-1062995, "REU Site: Site for Extensive and Collaborative Undergraduate Research Experience (SECURE)", and currently is supported by NSF DUE-1027412, "Information Assurance Scholarships for Service (SfS) at the University of Nebraska at Omaha". William Mahoney and Robin Gandhi have been partially supported via AFOSR FA9550-10-1-0341 "Cyber Security of Critical Control Networks".
PY - 2015/4/7
Y1 - 2015/4/7
AB - The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of PLCs from a desktop computer. In our test bed, a ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC module (5573-Logix) to be programmed, monitored, and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering of the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, and, more significantly and more recently, to the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides the first public disclosure of the vulnerability, the exploit development process, and the results.
KW - Control systems
KW - EtherNet/IP
KW - Remote code execution
KW - SCADA
UR - http://www.scopus.com/inward/record.url?scp=84958763787&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84958763787&partnerID=8YFLogxK
U2 - 10.1145/2746266.2746268
DO - 10.1145/2746266.2746268
M3 - Conference contribution
AN - SCOPUS:84958763787
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015
PB - Association for Computing Machinery
T2 - 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Y2 - 6 April 2015 through 8 April 2015
ER -