Bloody Valentine For Critical Infrastructure: EtherNet/IP Exploit Could Crash Devices

Security researchers made good on a promise to release new exploits for programmable logic controllers (PLCs). The exploits include one targeting a flaw in the implementation of EtherNet/IP (Industrial Protocol), which is used in many IP-enabled PLCs. The security hole, if left unaddressed, could enable a remote attacker to crash or unexpectedly reboot the devices, which are critical components of almost every industrial and critical infrastructure installation.

The publication of new exploits is the second for Project Basecamp, a volunteer effort to call attention to the woeful state of security on many industrial control systems. It follows a release in January of exploits and automated testing tools for holes in products by GE and Schneider Electric, according to a post by Reid Wightman, a security researcher for the industrial consulting firm Digital Bond.

Along with the EtherNet/IP vulnerability, researchers disclosed vulnerabilities in PLCs by leading industrial control vendors, including products from Rockwell Automation, Schneider, WAGO, Omron and others. They include hard-coded administrative passwords in some versions of the Modicon Quantum PLC by Schneider Electric. Also, Koyo DirectLogic PLCs were found to be vulnerable to brute-force password attacks because they lack a password lockout feature, Wightman wrote.

Two new modules for the penetration testing platform MetaSploit will automate tests for the vulnerabilities, according to Digital Bond. The EtherNet/IP vulnerability is the most serious and far reaching, said Dale Peterson, founder and CEO of Digital Bond.

“This is a case where the products that are affected are half insecure by design and half vulnerable,” Peterson said.

The vulnerability was found in the EtherNet/IP specification, which is managed by ODVA, an international association made up of the world’s leading industrial automation firms. As a result, the vulnerability affects any device that implements the ODVA standard for EtherNet/IP communications. Wightman, writing for Digital Bond, said devices by Schneider Electric, WAGO, Omron, Opto 200, Phoenix Contact and ABB were found to be vulnerable, but the list of affected vendors and devices is likely much, much longer.

Using the exploit developed by Basecamp researchers, vulnerable PLCs can have their CPU stopped on command, have the EtherNet/IP controller disabled or be forced to reboot. Peterson said that commands causing PLCs to stop operating should have to be authenticated by the administrator before being executed, but that none of the vulnerable devices require that extra security step.

Firms in sectors ranging from manufacturing, to energy generation and distribution to water treatment are finding that industrial systems they long believed to be isolated from the public Internet are, in fact, accessible using tools like the Shodan search engine. Wightman, writing for Digital Bond, said that vulnerable systems by all three vendors mentioned in the latest release could be found using a search on the Shodan search engine.

Speaking with Threatpost, Peterson said that the fix for the EtherNet/IP vulnerability will be a long time coming, because it lies in the underlying specification for the protocol itself, not in any particular implementation of it.

“ODVA controls that protocol, so Rockwell or other vendors can’t say ‘We’re going to add security to the protocol.’ They have to raise a work item in ODVA and go through the whole process. And that hasn’t started yet.”

To compensate, Rockwell and other vendors will need to find ways to wrap the vulnerable protocol in an encrypted tunnel, and then push that change out to customers.

Peterson said he and the other Basecamp researchers continue to face backlash from vendors, customers and government officials over what many saw as a glaring example of irresponsible disclosure of security holes. It’s an argument Peterson, Wightman and others reject. “Vendors have had forever-and-a-half in the world of computer security to respond,” Wightman wrote. Among other things, he noted that ‘major issues’ with the EtherNet/IP protocol have been known about by vendors and the U.S. Department of Homeland Security since at least 2009. Warnings about hard-coded and back-door accounts and weak password protections are even older, Wightman said, revealing that Basecamp researchers ignored a request by the U.S. Department of Homeland Security to hold off on releasing a module to exploit weak password protection in Koyo DirectLogic PLCs until the vendor had a chance to fix the flaw.

“Koyo has had three years to deal with existing problems, and has apparently done nothing to mitigate the oldest issue (unauthenticated/unsigned firmware upload), so I’m not sure that waiting is the Right Thing To Do. It certainly hasn’t worked so far.”

Peterson said he hopes that the revelations force vendors and the government to adopt a different attitude about disclosures: helping customers mitigate vulnerabilities rather than disparaging those who find them and providing guidance on what kinds of security features to demand of vendors.

“I’m a little disappointed that people are not upset that these devices are so insecure. There were a lot of people who said ‘Yeah, we know that,’ but not too many people who stood up and said ‘This is terrible!’ and ‘We can’t live with this anymore,’” Peterson said.

Design flaws, not software coding errors, are often the source of security problems in SCADA and ICS products, according to expert Ralph Langner of Langner Communications. Langner and other industrial control security experts have suggested that closer government oversight may be the only way to ensure better security for industrial control systems, given the failure of the market to address security weaknesses in products.


CORRECTION: An earlier version of this story incorrectly mentioned the EtherNet/IP (Internet Protocol). The story has been updated to refer to the correct name: EtherNet/IP (Industrial Protocol).


  • Amr Ali on

    Ethernet/IP: IP here stands for Industrial Protocol, not Internet Protocol. In particular Allen-Bradley CIP over Ethernet.

  • Anonymous on

    Fixing the flaws also keeps the good guys out.

  • Anonymous on

    Interesting that you don't have any comment from vendors or ODVA. There are many solutions to these "supposed vulnerabilities", the simplest of which is putting it behind the firewall or using a VPN. Are these "volunteers" truly good-intentioned, pro-bono engineers, or do they stand to profit from their "volunteering"?

  • Anonymous on

    Next US legislation: It will be illegal for security researchers to publish any vulnerability found on "critical" (left very vague) infrastructures before being reviewed by a DHS "Critical Infrastructure Problem Publishing Limitation Exception" taskforce.

  • Anonymous on

    Hello all,

    How would you propose to detect whether or not EtherNet/IP traffic is being communicated over your corporate network?


  • John Cusimano, exida on

    EtherNet/IP uses TCP port number 44818 and UDP port number 2222, so it is easy to detect and block with ACLs in firewalls and Layer 3 switches, if they are in place. However, before just blocking the communications you should find out why they are there and what they are being used for. The information flow could be critical to your operations.

    We recommend that organizations conduct a control system security assessment to gain an understanding of the gaps between their current security and best practices (e.g. ISA 99 or NERC CIP). Such an assessment should start with a good understanding of the control system network architecture and data flows, with a particular focus on all of the interfaces between the control system and the outside world (e.g. business network, internet, remote access, etc.).
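One way to implement the port-based detection described in the comment above, as an added example that is not part of the article or of any commenter's words: it scans firewall or flow-export log lines for the EtherNet/IP ports named there (TCP 44818 and UDP 2222) and reports which matching flows stay inside the control network and which cross into the corporate side, which is the "find out why they are there" step before any ACL is written. The log line format, the 10.10.0.0/16 control-zone range and the sample lines are all constructed for this example and are not taken from the page.

```python
"""Flag EtherNet/IP flows in firewall/flow logs and note which ones cross a zone boundary."""
import ipaddress
import re
from collections import Counter

# EtherNet/IP well-known ports as given in the comment above:
# TCP 44818 (explicit messaging) and UDP 2222 (implicit I/O).
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Assumed zoning (constructed value): the control network is 10.10.0.0/16;
# any other address is treated as corporate or external.
CONTROL_ZONE = ipaddress.ip_network("10.10.0.0/16")

# Assumed, constructed log line layout, e.g.
# "2012-02-14T10:00:01Z proto=tcp src=10.10.1.5:51000 dst=10.10.2.20:44818 bytes=1200"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>tcp|udp)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one log line into a flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def is_enip(flow):
    """True if either end of the flow is on an EtherNet/IP port.

    Implicit I/O over UDP 2222 is typically peer-to-peer (both ends on 2222),
    so the source port is checked as well as the destination port.
    """
    return ((flow["proto"], flow["dport"]) in ENIP_PORTS
            or (flow["proto"], flow["sport"]) in ENIP_PORTS)


def classify(flow):
    """Label a flow by whether both endpoints sit inside the control zone."""
    if flow["src"] in CONTROL_ZONE and flow["dst"] in CONTROL_ZONE:
        return "control-internal"
    return "crosses-zone-boundary"


def find_enip_flows(lines):
    """Return every parseable EtherNet/IP flow, annotated with its zone label."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_enip(flow):
            continue
        findings.append({**flow, "zone": classify(flow)})
    return findings


def summarize(lines):
    """Count EtherNet/IP flows per zone label; a non-zero boundary count needs investigation."""
    return dict(Counter(f["zone"] for f in find_enip_flows(lines)))


# Constructed sample log: two explicit-messaging sessions to a PLC (one from the
# corporate side), one implicit I/O exchange between two controllers, two
# unrelated flows, and one malformed line.
SAMPLE_LOG = [
    "2012-02-14T10:00:01Z proto=tcp src=10.10.1.5:51000 dst=10.10.2.20:44818 bytes=1200",
    "2012-02-14T10:00:03Z proto=tcp src=192.168.50.12:50233 dst=10.10.2.20:44818 bytes=640",
    "2012-02-14T10:00:04Z proto=udp src=10.10.2.20:2222 dst=10.10.2.21:2222 bytes=96",
    "2012-02-14T10:00:05Z proto=tcp src=192.168.50.12:49100 dst=10.10.2.20:443 bytes=5100",
    "2012-02-14T10:00:06Z proto=udp src=10.10.1.9:53444 dst=10.10.0.2:53 bytes=80",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for f in find_enip_flows(SAMPLE_LOG):
        print(f'{f["ts"]} {f["proto"]} {f["src"]}:{f["sport"]} -> '
              f'{f["dst"]}:{f["dport"]} [{f["zone"]}]')
    print(summarize(SAMPLE_LOG))
```

Run against the constructed sample, the script reports three EtherNet/IP flows, one of which originates from a corporate address (192.168.50.12) and is labelled `crosses-zone-boundary`; that is the flow an assessment would need to explain before an ACL on the Layer 3 boundary is put in place. The zone ranges and the log format are the two things to adapt to a real environment.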

  • Anonymous on

    As a small time programmer of PLCs and DSP devices that live on state government networks, the question is how far do we go? With practically every new device from HVAC to window shades going to IP control, do we encrypt and firewall our way to the unusable? Every security methodology will have holes. 

    What are some opinions on realistic measures based on criticality?

  • Anonymous on

    Hello all,

    I would like to see more research that is going into Honeywell systems, as we use these extensively.

