Hunting EtherNet/IP Protocol Stacks - Sharon Brizinov | SANS ICS Security Summit 2022
Author: SANS ICS Security
Uploaded: 2022-07-19
Views: 1104
Operational technology networks communicate through protocol stacks that are distinct from IT networking protocols. Therefore, we at Team82 (Claroty Research) decided it was important to intimately understand OT protocols in order to uncover vulnerabilities and get them fixed. We want to share one such journey that led to us finding critical vulnerabilities in a few EtherNet/IP protocol stack implementations.
This story starts with research into a well-known PLC firmware, writing a PoC that triggered the bug, and how we helped get it fixed. In this talk we dive deeper into how we hunt for vulnerabilities in different third-party OT protocol libraries, focusing specifically on EtherNet/IP and CIP implementations.
We will explain how these protocols work, what the common implementation pitfalls are, and how we were able to classify different implementations of these protocols and the devices that are using them in order to understand the scope of the vulnerabilities we found. We will also share with the community the tools we developed during our research.
View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE