Vulnerabilities found in protocol gateway devices can facilitate stealthy attacks on industrial systems, enabling threat actors to obtain valuable information and sabotage critical processes.
Protocol gateways are small devices designed to ensure that various types of IT and OT devices can communicate with each other even if they use different protocols. For instance, they can translate traffic sent on the same protocol but on two different physical layers (e.g. TCP to RTU), translate traffic on the same physical layer but different protocols (e.g. Modbus RTU to Profibus), or translate traffic on different physical layers and protocols (e.g. Modbus TCP to Profibus).
There are two types of protocol gateways: ones that translate traffic in real-time, and data stations, which store the translated traffic and provide it on request.
Threat actors could target protocol gateways for several reasons. First, a gateway that fails to translate traffic correctly can cause serious disruption. Second, protocol gateways are less likely to be monitored by security products, so an attack on them is less likely to be detected. And since translation issues are not easy to diagnose, an attack can be very stealthy.
Researchers at Trend Micro have analyzed the Nexcom NIO50, Schneider Electric Link 150, Digi One IA, Red Lion DA10D, and Moxa MGate 5105-MB-EIP protocol gateways, which are used in many organizations. The research focused on the translation of the Modbus communications protocol, which is one of the most widely used OT protocols.
The researchers first tested how well these devices handle heavy or malformed traffic, such as the traffic an attacker would send.
In the case of real-time gateways, the researchers used a fuzzer to generate thousands of invalid Modbus TCP and Modbus RTU packets that were fed to the Schneider, Digi One and Nexcom products to test their firewalling capabilities. Both the Schneider and the Digi One devices filtered out most of the invalid TCP packets, but the one from Nexcom completely failed this test.
Trend Micro researchers showed that the Nexcom device’s failure to handle the malformed packets — the packets should have been dropped or fixed before being translated — can be exploited by an attacker to bypass firewalls and send malicious requests to the devices connected to the protocol gateway. The experts showed how an attacker can send malicious requests to a PLC in an effort to manipulate the processes it controls. For example, the attacker can turn on a motor and deactivate critical safety sensors, leaving operators in the dark.
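As an added example that is not part of the original article or of Trend Micro's research, here is the kind of sanity check a real-time gateway (or a firewall in front of it) should apply to every Modbus/TCP request before translating it to Modbus RTU, so that a malformed frame is dropped rather than forwarded. The allow-list, limits and sample frames are constructed for illustration.

```python
import struct
# Allow-list of public Modbus request function codes (constructed for this example;
# a real deployment would narrow it to what the downstream PLC actually needs).
ALLOWED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}
MBAP_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260  # upper bound on a Modbus/TCP application data unit

def _check_pdu(function_code: int, data: bytes):
    """Return a rejection reason for a malformed PDU body, or None if it is sane."""
    if function_code in (1, 2, 3, 4):
        if len(data) != 4:
            return "read request must carry exactly start address and quantity"
        quantity = struct.unpack(">H", data[2:])[0]
        limit = 2000 if function_code in (1, 2) else 125
        if not 1 <= quantity <= limit:
            return f"quantity {quantity} out of range for function {function_code}"
    elif function_code == 5:
        if len(data) != 4 or data[2:] not in (b"\x00\x00", b"\xff\x00"):
            return "write single coil value must be 0x0000 or 0xFF00"
    elif function_code == 6 and len(data) != 4:
        return "write single register must carry address and value"
    elif function_code in (15, 16):
        if len(data) < 5 or data[4] != len(data) - 5:
            return "byte count does not match trailing data"
    return None

def validate_modbus_tcp(frame: bytes):
    """(True, "ok") for a well-formed request, else (False, reason); drop on False."""
    if not MBAP_LEN + 1 <= len(frame) <= MAX_ADU:
        return False, f"frame size {len(frame)} outside valid ADU bounds"
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        return False, f"protocol identifier {protocol_id} is not Modbus (0)"
    # the length field counts unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        return False, f"length field {length} does not match payload {len(frame) - 6}"
    function_code = frame[MBAP_LEN]
    if function_code not in ALLOWED_FUNCTIONS:
        return False, f"function code {function_code} not on the allow-list"
    reason = _check_pdu(function_code, frame[MBAP_LEN + 1:])
    return (False, reason) if reason else (True, "ok")

# Constructed sample frames: one valid "read 10 holding registers" request, then three
# malformed ones that a gateway should refuse to forward to the serial side.
SAMPLES = {
    "read_10_holding_regs": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "bad_length_field":     bytes.fromhex("0002 0000 0020 01 03 0000 000a"),
    "bad_protocol_id":      bytes.fromhex("0003 0001 0006 01 03 0000 000a"),
    "bad_coil_value":       bytes.fromhex("0004 0000 0006 01 05 0000 1234"),
}
```

Running `validate_modbus_tcp` over `SAMPLES` accepts only the first frame; the other three would have reached the PLC through a gateway that does no such filtering.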
Trend Micro reported this vulnerability to Nexcom, which said it would not be releasing a patch due to the product reaching end of life. The cybersecurity firm says it has not tested the affected product’s successor.
In the case of data stations, Trend Micro tested the Moxa and Red Lion products. Data stations need to be configured before deployment to assign functions and commands to switches, sensors or other devices. This configuration is stored in what is called an I/O mapping table, which is kept in a SQLite3 database.
I/O mapping tables can contain a lot of information that can be useful to a malicious actor when planning an attack, and making unauthorized changes to the table can result in disruption to PLCs, HMIs and other devices connected to the targeted data station.
The researchers found vulnerabilities in the Moxa device that an attacker could exploit to gain access to the I/O mapping table, manipulate processes, and cause disruption. In the case of the Red Lion device, they identified memory leakage and DoS issues.
“By themselves, protocol gateways are likely not directly involved in the product or the output of a facility. However, they are a crucial link in the flow of information between different sensors, interfaces, devices, and machinery within a facility,” Trend Micro said.
It added, “Operators need to be able to see and trust the data of the facility and take action to prevent accidents or potential production issues. Vulnerable or exposed protocol gateways can allow threat actors to compromise the integrity of the reported data, the operators’ ability to view data, or prevent operators from taking action.”