Face-palm: Serial Server Flaws Expose Critical Infrastructure

A survey conducted by the firm Rapid 7 has found evidence that widespread vulnerabilities and insecure configuration of ubiquitous networking components known as serial port (or “terminal”) servers, may expose a wide range of companies and critical assets – including point of sale terminals, ATMs and industrial control systems – to remote cyber attacks.(*)

The vulnerable devices connected hardware like retail point-of-sale systems at a national chain of dry cleaners, providing direct access to employee terminals from which customer payment information could be accessed. Other exposed systems were used to monitor the location of cargo containers, train cargo as well as HVAC and industrial control systems, Rapid7 said.

In the Rapid7 survey, over 114,000 unique IPs were identified in a scan using the Simple Network Management Protocol (SNMP), the vast majority manufactured by one company: Digi International. If left unaddressed, the vulnerable devices give remote attackers direct, administrative access to hardware devices connected to the serial servers, Moore warned in a blog post Tuesday.

“The results were pretty scary,” Moore wrote. “Authentication was rarely implemented and the types of devices exposed ranged from corporate VPN servers to traffic signal monitors.”

Serial port servers are straight forward devices akin to a home router with one or more serial ports on one side and an ethernet, wireless, or mobile interface on the other. They’re used to give organizations remote network access to devices that rely on physical, serial connections. Companies connect the serial server to one or more target devices, such as a router, server, or industrial control system. The serial port server is then configured to allow remote access to this port using an internal management interface.

HD Moore — Moore said the vulnerable serial servers are “pretty scary.”

Rapid7 found that access to the administrative interfaces was reliably secure, requiring both a user name and password to access. The serial connections were another matter, and rarely required remote users to authenticate before communicating with the serial port. That means that anyone who knows the address of the port could connect to it directly, without authenticating, and begin sending commands directly to the connected device, Moore said.

Digi Serial Servers — Digi devices are used to manage communications with critical infrastructure, including in the energy and gas and transportation sectors.

When serial connections were physical – wires plugged into physical ports – such a “trust” assumption was understandable. But serial port servers change the authentication model, providing a bridge between the physical connection and the public Internet that can be exploited, Moore wrote.

“The concept of trusting a physical port goes out the window when that port is exposed to the Internet, especially without an initial layer of authentication,” he wrote.

Just as significant: the serial servers analyzed by Rapid7 treated sessions as if the connection were physical. So inactive sessions remain open, rather than timing out, until a user manually terminated them or a device was rebooted or taken offline, Moore said.

“An attacker just has to wait for a valid user to authenticate. Once logged in, the attacker can either hijack the serial port connection or wait for them to become idle and then steal a pre-authenticated shell on the target device.”

Moore’s analysis uncovered 13,000 such systems, with root shells, system consoles, and administrative interfaces that did not require authentication. Many of those had been hijacked by attackers using TCP or proprietary protocols after a valid user had authenticated to the device, then let the session fall idle.

“These attacks a straight forward, but obscure,” Moore told The Security Ledger.

Attackers can easily identify serial servers with scanning tools like the SHODAN search engine or data sets like The Internet Census for devices using TCP ports 2001-2010 and 3001-3010. Those ports that are commonly used by devices from Digi and Lantronix, another vendor, as TCP proxies for the first 10 configured serial ports, Moore wrote.

Moore also scanned for devices using RealPort, a proprietary protocol used by Digi serial port servers. Of the 13,000 unique serial ports that Moore found exposed, all offered some form of system shell, console, data feed, or administrative menu to attackers.

It’s unclear if attacks on serial servers have been used as an element in attacks. Moore said the devices are common in industries that are known to be the target of sophisticated, nation-backed attackers, such as the oil and gas industry. There, serial servers allow companies to communicate with remote, field devices.

Critical infrastructure and SCADA systems often have a primary and backup Wide Area Network (WAN) in which Digi and other terminal servers play a critical role: taking messages from the SCADA communication server and sending them to the correct serial connected programmable logic controller (PLC), said Dale Peterson, an industrial control expert at Digital Bond. “They are needed and therefore very common.”

Peterson said his experts see ” a lot of ancient, 10 year old terminal servers” in the field that are highly susceptible to crashes when sent large data flows. Typically those are deployed inside the security perimeter of the organization, and not accessible from other parts of the corporate network or the Internet, he said. But Peterson said he has “no doubt” that “there are a lot of these terminal servers accessible on the Internet. Just like there are a lot of control systems on the Internet.” He said most aren’t what most people would consider “critical infrastructure,” However, the systems “are probably important to the organizations that rely on them. They clearly need to be removed from the Internet.”

The fix for the vulnerable devices will likely involve a number of small changes. In a presentation on the serial server issue at InfoSec Southwest 2013, Moore recommended customer guidance to set a default “timeout” for idle serial connections and ~~firmware updates~~ to enable and even require serial port-~~based~~ authentication and encryption on the devices, Moore said.

Organizations should also enable remote event logging options on their serial server devices and audit any scripts uploaded to the devices, Moore recommended.

In an e-mail statement, Digi International CTO Joel Young agreed with Moore’s assessment of the security risk.

“It appears that he is highlighting user practices in configuration of security features or in the implementation of security policies. HD Moore is calling attention to an area that Digi is passionate about,” the company said. “We’re reaching out to Mr. Moore to see if there are things we can learn from his efforts, or ways to partner with him to educate … implementers.”

“In Mr. Moore’s recent presentation, he made some Remediation recommendations that we agree with and often recommend to customers. He offers an excellent summary of good security policies for users to adhere to,” Digi said.

Digi said that in the fast-emerging environment of always-connected, IP enabled devices, there needs to be constant security and policy monitoring, possibly in a cloud-based service “A Device Cloud that can set off an alarm if something has not been configured properly, or if a default password has been left in place, or if an unsecure (sp) access method has been left on.”

(*) Editor’s Note: Updated to add comment from Digi. – PFR 4/24/2013