Researchers from industrial cybersecurity firm Claroty announced that they have added the infrastructure needed to incorporate the AFL (American Fuzzy Lop) fuzzer into the OpENer EtherNet/IP stack, as part of their research into the security of the stack.
As the stack is widely used among SCADA (supervisory control and data acquisition) vendors, there is a premium on finding security vulnerabilities in it before threat actors can exploit them. In that context, fuzz-testing code is the most straightforward and automated way to find coding errors and potentially critical flaws, Claroty said in a blog post.
Integrating a fuzzer into an open-source implementation, however, can be a challenge that requires substantial development effort, for example to ensure that fuzzed input is correctly dissected by the target, it added.
The researchers modified OpENer and added necessary boilerplate code in a way that would help integrate the AFL fuzzer into the OpENer stack. AFL uses runtime guided techniques to create input for the tested program. “We did our best to add relevant documentation to the project so the onboarding process will be simple for anyone, including folks with no cybersecurity background,” wrote company researchers Tal Keren and Sharon Brizinov in the post.
The inclusion of the integration code in the OpENer stack relieves anyone using the project from the significant coding normally required to modify source code and write scripts necessary to integrate a fuzzer. “Anyone today who wants to run it, can compile the updated OpENer EtherNet/IP stack code and immediately start fuzzing it without any changes,” they wrote.
Used in multiple critical infrastructure sectors, the OpENer EtherNet/IP stack from EIPStackGroup has been found to contain security flaws. These vulnerabilities include incorrect conversion between numeric types, out-of-bounds read, and reachable assertion, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA). Exploitation of these vulnerabilities could cause a denial-of-service condition and data exposure.
Claroty had detected five vulnerabilities in the OpENer EtherNet/IP stack that depending on the architecture of the targeted device could lead to denial-of-service conditions, memory leaks from the stack, and remote code execution. An attacker would only need to send crafted ENIP/CIP packets to the device in order to exploit these vulnerabilities.
One of the vulnerabilities privately reported by Claroty to EIPStackGroup was also disclosed by Cisco Talos, and reported publicly last December. The vulnerability is an out-of-bounds write vulnerability in the ENIP server. A sequence of crafted network requests would trigger the vulnerability, Cisco Talos said.
The OpENer stack supports multiple I/O and explicit connections and includes objects and services for making EtherNet/IP-compliant products as defined in the ODVA specification, the post said. It implements the familiar ENIP and CIP protocols that run inside numerous commercial products deployed across the industrial domain. ODVA is a standards development organization and membership association, whose members work to advance open, interoperable information and communication technologies in industrial automation.
Earlier this month, Claroty found nine vulnerabilities in the pre-authentication attack surface of Rockwell Automation’s FactoryTalk suite, especially in the FactoryTalk AssetCentre tool. An attacker could exploit these security vulnerabilities without authentication, take over a facility’s entire operational technology (OT) network, and run commands on server agents and automation devices such as programmable logic controllers (PLCs).