Industrial control systems (ICS) security has become a serious concern over the past years. Indeed, the threat to ICS has become a reality and real-world attacks have been observed. Many systems driving critical functions cannot be stopped to receive security upgrades, so protecting these very sensitive assets is a tough challenge.
As the ICS security market is growing fast, dedicated firewalls have appeared to address this problem by inspecting and filtering industrial control protocols. But what are these solutions worth? Are they really different from standard network firewalls? What exactly are their attack surfaces, and what kind of bugs may we find there?
We propose to answer these questions using the Tofino Xenon as a case study. We will present the methodology we used to reverse engineer equipment that uses a custom, encrypted administration protocol and has fully encrypted firmware, from reverse engineering a rich client to obtaining a root shell on the appliance. We will then cover the firewall internals, the attack surface it offers and the security features it provides to vulnerable ICS equipment. Finally, we will present the vulnerabilities we found (CVE-2017-11400, CVE-2017-11401 and CVE-2017-11402), their impact and the attack scenarios to exploit them.