Claroty releases free EtherNet/IP stack detector tool
The Claroty research team (Team82) has released a custom, generic EtherNet/IP stack detection tool that will be free and publicly available via the company’s GitHub repository.
The tool is designed to fulfil a number of use cases for cybersecurity researchers, OT engineers and asset owners by helping them to identify and classify commercial and homegrown products using the same third-party ENIP stack code. By identifying the ENIP stack, users inside the enterprise as well as vendors will be able to better understand their exposure to newly disclosed vulnerabilities, and subsequently prioritise updates.
Team82 has used the EtherNet/IP & CIP Stack Detector as the centrepiece of several ENIP-related research projects, including an important November 2020 disclosure of a stack-overflow vulnerability in Real Time Automation’s (RTA) 499ES ENIP stack. Using the detection tool, Team82 researchers identified 11 devices sold by six different automation vendors that were built on top of the affected stack.
Following a second Team82 report published last April detailing five vulnerabilities discovered in the popular open source OpENer EtherNet/IP stack, Claroty found there was a clear gap for asset owners wishing to quickly triage what devices are affected once a critical ENIP stack vulnerability is identified and publicly disclosed.
This gap was especially apparent with open source components such as OpENer, which implements ENIP and CIP and is used by leading automation vendors in numerous commercial products. Users struggled because many vendors do not clearly describe or list the components used in a commercial device, including which protocol stacks are implemented. Situations such as this are also adding fuel to the discussion around software bills of materials (SBOM), which would help close the window of exposure users face when vulnerabilities are disclosed or actively exploited.
How the tool can be used
Team82’s EtherNet/IP & CIP Stack Detector can be used for security research and as part of an internal investigation to quickly scan many devices to retrieve their EtherNet/IP protocol stack. Users can also leverage this tool for vulnerability research and remediation, and to help set up honeypots that are more difficult for attackers to detect.
How Team82 uses the tool
The tool enables Claroty’s Team82 researchers to identify various classes of ENIP stacks and group similar stack implementations.
For example, Team82’s researchers identified the unique signature generated by devices running RTA’s ENIP stack. With that, Team82 started to scan many ENIP-compatible devices in order to detect all potentially affected devices.
Using the tool, researchers eventually scanned 290 unique ENIP-compatible devices, which revealed 32 unique ENIP stacks. Of the 290 unique devices scanned, 11 devices from six unique vendors were found to be running RTA’s ENIP stack, and the coordinated disclosure process was followed for each.
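The triage step described above (scan many devices, then work out which ones are built on an affected stack) can be illustrated with a small parser for the EtherNet/IP ListIdentity reply. The following is an added example and is not Team82's tool or code: the page does not describe how the detector derives its stack signature, so this example instead keys on the vendor ID and product code that every ListIdentity reply carries and matches them against an affected-products list of the kind an advisory publishes. The reply bytes, vendor IDs, product codes and the affected list are all constructed placeholders; only the encapsulation header and ListIdentity item layout follow the protocol.

```python
import struct
from collections import defaultdict

# EtherNet/IP encapsulation header (24 bytes, little-endian):
# command, length, session handle, status, sender context (8 bytes), options
ENCAP_HEADER = struct.Struct("<HHII8sI")
CMD_LIST_IDENTITY = 0x0063   # ListIdentity command code
ITEM_LIST_IDENTITY = 0x000C  # CPF item type carried in the ListIdentity reply


def build_list_identity_reply(encap_version, vendor_id, device_type, product_code,
                              revision, serial, product_name):
    """Builds a constructed ListIdentity reply used only as sample input (not captured traffic).

    Socket address is big-endian per the spec; every other field is little-endian.
    """
    name = product_name.encode()
    item = struct.pack("<H", encap_version)
    item += struct.pack(">HH4s8s", 2, 44818, b"\x00\x00\x00\x00", b"\x00" * 8)  # sockaddr_in
    item += struct.pack("<HHHBBHI", vendor_id, device_type, product_code,
                        revision[0], revision[1], 0x0030, serial)
    item += struct.pack("<B", len(name)) + name + b"\x03"  # product name, state (3 = operational)
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item  # item count, type, length
    return ENCAP_HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


def parse_list_identity_reply(data):
    """Parses one ListIdentity reply into an inventory record; raises ValueError on malformed input."""
    if len(data) < ENCAP_HEADER.size:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = ENCAP_HEADER.unpack_from(data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    body = data[ENCAP_HEADER.size:ENCAP_HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if item_type != ITEM_LIST_IDENTITY:
            continue  # skip any other CPF item
        (encap_version,) = struct.unpack_from("<H", item, 0)
        # identity fields start right after the 16-byte socket address
        vendor, dev_type, prod_code, rev_major, rev_minor, dev_status, serial = \
            struct.unpack_from("<HHHBBHI", item, 18)
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", errors="replace")
        return {"vendor_id": vendor, "device_type": dev_type, "product_code": prod_code,
                "revision": f"{rev_major}.{rev_minor}", "status": dev_status,
                "serial": serial, "product_name": name, "encap_version": encap_version}
    raise ValueError("no ListIdentity item in reply")


def triage(replies, affected_products):
    """Groups devices whose (vendor_id, product_code) is on the affected list, keyed by vendor."""
    hits = defaultdict(list)
    for data in replies:
        rec = parse_list_identity_reply(data)
        if (rec["vendor_id"], rec["product_code"]) in affected_products:
            hits[rec["vendor_id"]].append(rec)
    return dict(hits)


# Constructed sample: three devices from two vendors; all identifiers are placeholders.
SAMPLE_REPLIES = [
    build_list_identity_reply(1, 0x1111, 0x000E, 0x0010, (2, 5), 0xA0000001, "Gateway-A"),
    build_list_identity_reply(1, 0x1111, 0x000E, 0x0011, (2, 5), 0xA0000002, "Gateway-B"),
    build_list_identity_reply(1, 0x2222, 0x0002, 0x0300, (1, 9), 0xB0000001, "Drive-C"),
]
AFFECTED = {(0x1111, 0x0010), (0x2222, 0x0300)}  # placeholder advisory list

if __name__ == "__main__":
    for vendor, recs in triage(SAMPLE_REPLIES, AFFECTED).items():
        print(hex(vendor), [r["product_name"] for r in recs])
```

The parser is deliberately strict (short header, non-zero status, truncated body and missing identity item all raise) because replies collected from a mixed fleet will include odd or partial responses, and a triage list built from silently misparsed records is worse than none.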
Can SBOMs help?
Much discussion is happening about software vendors providing a software bill of materials (SBOM). Within ICS, SBOMs are not commonplace, despite their potential importance in a number of areas, including vulnerability management.
SBOMs are analogous to ingredient labels on food products, or parts lists for toys and automobiles. They are a structured list of components such as libraries and modules required to compile and link software, and even the supply chain relationships between them. With an SBOM in hand, an organisation can quickly see whether a vulnerable component is running in their environment and break through the black-box nature of some ICS and OT software packages or firmware installations.
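To show what "quickly see whether a vulnerable component is running in their environment" looks like in practice, here is an added example (not from the page or from Claroty) that walks a small CycloneDX-style SBOM, including components nested inside a firmware assembly, and reports every occurrence of a named component below the version an advisory says is fixed. The SBOM fragment, the component names and the advisory record are all constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component names and versions are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "firmware", "name": "plc-firmware", "version": "4.2.0",
     "components": [
       {"type": "library", "name": "opener-enip", "version": "2.1.0"},
       {"type": "library", "name": "tls-lib", "version": "1.0.5"}
     ]},
    {"type": "library", "name": "opener-enip", "version": "2.3.1"}
  ]
}
"""

# Constructed advisory record: placeholder identifier; versions below fixed_in are affected.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER", "component": "opener-enip", "fixed_in": "2.3.0"}


def version_tuple(version):
    """Turns a dotted numeric version into a comparable tuple; non-numeric parts are rejected."""
    try:
        return tuple(int(p) for p in version.split("."))
    except ValueError as exc:
        raise ValueError(f"unsupported version string: {version!r}") from exc


def walk(components, path=()):
    """Yields (component, path) for every component, descending into nested assemblies."""
    for comp in components:
        here = path + (f'{comp["name"]}@{comp["version"]}',)
        yield comp, here
        yield from walk(comp.get("components", []), here)


def affected_components(sbom, advisory):
    """Lists every occurrence of the advisory's component whose version is below fixed_in,
    with the path through the SBOM so the responsible product can be identified."""
    fixed = version_tuple(advisory["fixed_in"])
    matches = []
    for comp, path in walk(sbom.get("components", [])):
        if comp.get("name") != advisory["component"]:
            continue
        if version_tuple(comp["version"]) < fixed:
            matches.append({"advisory": advisory["id"], "version": comp["version"],
                            "path": " > ".join(path)})
    return matches


def check(sbom_text, advisory):
    return affected_components(json.loads(sbom_text), advisory)


if __name__ == "__main__":
    for hit in check(SBOM_JSON, ADVISORY):
        print(f'{hit["advisory"]}: {hit["path"]} (affected, fixed in {advisory_fixed})'
              if False else f'{hit["advisory"]}: {hit["path"]}')
```

Reporting the path rather than just the component name matters: the same library can appear several times in one SBOM, and the vulnerable copy here is the one embedded in the firmware assembly, while the stand-alone copy is already at a fixed version.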
This type of visibility into the components used to build commercial firmware or software products is vital for decision makers assessing their risk; without it, incident response and vulnerability remediation are hampered.
The US Government, for one, has determined there is value in SBOMs. An executive order issued last year by the Biden administration included a section on supply chain security that listed SBOMs among the secure development practices required for each product purchased by the federal government. This is vital for buyers of commercial products who may not understand the exposure created by an open source component running under the hood.
Team82’s EtherNet/IP & CIP Stack Detector, in the meantime, can be used to lessen that risk. Users are encouraged to download the tool, try it in their environments, and share their feedback with Team82 and the community.