On Shaky Ground - A Study of Security Vulnerabilities in Control Protocols
VI.C. MODBUS/TCP Serial Grammar Test
The MODBUS/TCP Serial grammar examines the DUT's behavior in response to valid and invalid serial requests. The function codes tested are:
- 07 Read Exception Status
- 08 Diagnostics
- 11 Get Comm Event Counter
- 12 Get Event Log
- 17 Report Slave ID
Table 3: Serial Grammar Test Observed Behavior
We now break down the failed tests by function code.
VI.C.I. Function Codes 07, 11, 12 and 17
Both PLC Q and PLC M responded to function code 07, 11, 12 and 17 requests even though these are serial-line-only functions. The correct response would have been exception code 01 (Illegal Function), indicating that the function is not supported.
VI.C.II. Function Code 08
Under all circumstances PLC M responded to function code 08 requests by returning exception code 03 (Illegal Data Value). The correct response would have been exception code 01 (Illegal Function), indicating that the function is not supported.
PLC Q returned incorrect exception codes in response to function code 08 sub-functions 3, 14, 15 and 20. More disturbing, PLC Q actually carried out function code 08 sub-functions 0, 1, 2, 4, 10, 11, 12, 13, 16, 17 and 18.
Function code 08 sub-function 4 forces a PLC into listen-only mode. It will not leave listen-only mode until it receives a "Restart Communications Option" request (function code 08 sub-function 1). However, since MODBUS is being carried over TCP, PLC Q must first complete a TCP three-way handshake before it can receive the restart command. A PLC in listen-only mode does not complete the three-way handshake, so PLC Q must be power-cycled before it comes back online.
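To make the wire-level behaviour described in this section concrete, the following is an added example (written for this page, not code from the paper or from either PLC vendor). It encodes the serial-only requests used by the grammar test as MODBUS/TCP ADUs, builds the exception-01 response a compliant TCP device should return, and grades a DUT's reply the way the test does: correct exception, wrong exception (PLC M's code 03), executed (PLC Q echoing a diagnostics request), or no response at all (PLC Q after being forced into listen-only mode). The MBAP header and exception-PDU layouts follow the public Modbus specification; the sample responses are constructed to mirror the reported behaviours and are not captures from PLC Q or PLC M.

```python
import struct

# Modbus exception codes (Modbus Application Protocol Specification)
ILLEGAL_FUNCTION = 0x01     # what a TCP-only device should return for serial-line functions
ILLEGAL_DATA_VALUE = 0x03   # what PLC M returned instead for every function 08 request

# Serial-line-only function codes exercised by the grammar test
SERIAL_ONLY_FUNCTIONS = {0x07, 0x08, 0x0B, 0x0C, 0x11}

# Diagnostics (08) sub-functions discussed in the text
RESTART_COMMUNICATIONS = 0x0001
FORCE_LISTEN_ONLY_MODE = 0x0004


def build_adu(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def diagnostics_request(transaction_id, unit_id, sub_function, data=0x0000):
    """Function 08 request: function code, 16-bit sub-function, 16-bit data field."""
    return build_adu(transaction_id, unit_id, struct.pack(">BHH", 0x08, sub_function, data))


def simple_request(transaction_id, unit_id, function_code):
    """Functions 07, 11, 12 and 17 carry no request data: the PDU is the bare function code."""
    return build_adu(transaction_id, unit_id, bytes([function_code]))


def parse_adu(adu):
    """Split a MODBUS/TCP ADU into (transaction id, unit id, PDU), checking the MBAP header."""
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    pdu = adu[7:]
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for MODBUS")
    if length != len(pdu) + 1:
        raise ValueError("MBAP length field does not match PDU length")
    return transaction_id, unit_id, pdu


def compliant_response(request):
    """The response the text says a MODBUS/TCP device should give to a serial-only request:
    the function code with its high bit set, followed by exception code 01."""
    transaction_id, unit_id, pdu = parse_adu(request)
    if pdu[0] not in SERIAL_ONLY_FUNCTIONS:
        raise ValueError("not a serial-line-only function")
    return build_adu(transaction_id, unit_id, bytes([pdu[0] | 0x80, ILLEGAL_FUNCTION]))


def classify_response(request, response):
    """Grade a DUT response to a serial-only request the way the grammar test does.

    Returns one of:
      'no_response'     - nothing came back (e.g. device stuck in listen-only mode)
      'correct'         - exception 01 Illegal Function
      'wrong_exception' - some other exception code (PLC M's behaviour: 03)
      'executed'        - a normal response, i.e. the device carried the request out
      'mismatch'        - transaction/unit id or function code does not match the request
    """
    if response is None:
        return "no_response"
    req_tid, req_uid, req_pdu = parse_adu(request)
    rsp_tid, rsp_uid, rsp_pdu = parse_adu(response)
    if (rsp_tid, rsp_uid) != (req_tid, req_uid):
        return "mismatch"
    function_code = req_pdu[0]
    if rsp_pdu[0] == (function_code | 0x80) and len(rsp_pdu) == 2:
        return "correct" if rsp_pdu[1] == ILLEGAL_FUNCTION else "wrong_exception"
    if rsp_pdu[0] == function_code:
        return "executed"
    return "mismatch"


def grade_transcript(exchanges):
    """exchanges: list of (label, request ADU, response ADU or None). Returns {label: verdict}."""
    return {label: classify_response(req, rsp) for label, req, rsp in exchanges}


# Constructed sample exchanges mirroring the behaviours reported in the text.
# Requests are genuine MODBUS/TCP encodings; responses are what each reported
# behaviour would look like on the wire, not captures from PLC Q or PLC M.
listen_only = diagnostics_request(1, 1, FORCE_LISTEN_ONLY_MODE)
report_slave_id = simple_request(2, 1, 0x11)
SAMPLE_EXCHANGES = [
    # spec-compliant device: exception 01 to a serial-only function
    ("compliant", report_slave_id, compliant_response(report_slave_id)),
    # PLC M style: exception 03 Illegal Data Value to every function 08 request
    ("plc_m_fc08", listen_only, build_adu(1, 1, bytes([0x88, ILLEGAL_DATA_VALUE]))),
    # PLC Q style: echoes the diagnostics request, i.e. it executed sub-function 4 ...
    ("plc_q_fc08_sub4", listen_only, listen_only),
    # ... after which nothing is answered until the device is power-cycled
    ("plc_q_after_listen_only", simple_request(3, 1, 0x07), None),
]

if __name__ == "__main__":
    for label, verdict in grade_transcript(SAMPLE_EXCHANGES).items():
        print(f"{label:26s} {verdict}")
```

The grader deliberately treats an echoed function 08 request as "executed": per the diagnostics function's normal response format, the echo is exactly what a device returns after acting on the sub-function, which is why PLC Q's reply to sub-function 4 is the last thing it sends before the TCP session dies.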
This brings to light an interesting point. Function code 08 sub-function 4 was created to allow an engineer to isolate a PLC that is flooding the network. This is especially useful on older low-speed wireless networks, where the underlying transport medium was easily saturated. When MODBUS is carried over TCP, however, such saturation is mitigated by TCP's back-off and retransmission strategies.
Furthermore, as demonstrated above, executing function code 08 sub-function 4 over a TCP connection is dangerous. It was intended to be executed over a stateless medium, one in which the special "restart communications" packet could be received at any time, and not over a medium in which a stateful communications startup is required.
This is indeed a good example of the problems one faces when carrying one protocol inside another. Investigating each protocol individually does not reveal the problems that arise when the protocols are coupled the way MODBUS and TCP have been.