Assessing the Building Management Control Vulnerability
Security firm McAfee announced a vulnerability in a popular building management system. The vulnerability could enable an attacker to modify Building Automation and Control networks (BACnet) broadcast traffic and obtain complete remote control of an impacted device.
Dragos assessed the vulnerability and found that the risk of exploiting a BACnet controller is low. Freely available tools can connect to Internet-connected building systems which use this protocol, and modify their operation without the need for an exploit.
The vulnerability represents a protocol parsing issue in an insecure-by-design protocol in building management devices. These devices typically manage Heating, Ventilation, and Air Conditioning (HVAC), door access controls, and fire suppression systems, among other building systems. Access to these types of building controllers can frequently result in misoperation of heating and air conditioning systems, although in practice systems have interlocks to prevent physical equipment damage.
Vulnerability in Detail
McAfee researcher Douglas McKee revealed a buffer overflow in a common building management controller from Delta Controls. The eBMGR is a combination BACnet gateway and BACnet-controllable system. Under the hood, the device runs an embedded Linux operating system with a service that operates with high privileges that is responsible for handling BACnet traffic.
The buffer overflow is fairly typical for a protocol library that has not been rigorously tested by an outsider. In this case, BACnet has a length field in the BVLC (BACnet Virtual Link Layer Control) header. The header is only four bytes long and contains a fixed byte set to 0x81, a one-byte Command code, and a two-byte big-endian unsigned integer representing length.
The actual BACnet standard specifies that the “length” field as stored in the BVLC header must be less than 1476 bytes. Including Ethernet, IP, and UDP headers, this allows for enough data to completely fill an Ethernet frame.
The attack uses a larger value, and the vulnerable code fails to sanitize the length field prior to a memcpy() call into a buffer that is only 1476 bytes large. What results is a basic memory corruption bug. In this case, McAfee was able to achieve full remote code execution (RCE) with the bug.
The exercise of achieving RCE against an embedded system in this way is fun, impressive, and oftentimes frustrating for the researcher to achieve.
While impressive, parsing vulnerabilities in protocols such as BACnet can also feel like a let-down in consideration of the protocol’s features. Most BACnet devices allow an attacker to join the party as what is called a Foreign Device. From there, an attacker can issue commands and manipulate HVAC controls. Most BACnet devices include output tags, which specify what, exactly, is being controlled by each of the outputs that may be manipulated. There is good reference material available to get started using freely-available tools.
Consequences of Exploitation
The data revealed by McAfee could allow an attacker to recreate a “crash” scenario where the BACnet service itself can be crashed but the rest of the controller services will continue operating. In this case, the device has a watchdog which reboots the controllers. Outputs are brought up in their last known state, and then the schedule or program for the building control is resumed. This could cause a brief misoperation in a building control system. For example if a “call for heat” signal was about to be terminated, and the device is crashed, heat may remain on for slightly longer than desired. If the attacker persists in crashing the controller, it may be possible to keep an output asserted indefinitely. Once the network connection is removed, however, operation should return to normal.
Theoretically, outputs failing like this would be riskiest to areas with sensitive equipment such as data centers, where an air handling system failing could cause computers to melt. Again, this scenario would require an attacker to persist in the attack.
In practice, end users should restrict access to BACnet controllers on UDP/47808. Ensure that only dedicated building management systems can access these HVAC systems. If your system is managed by an outside contractor, provide remote access using a VPN, and prevent the controller from accessing any corporate and control systems machinery. This will reduce the likelihood of a controller like this being used as a pivot point for attackers to fan out within a network.
Cyber Threat Alliance
McAfee shared this vulnerability with the Cyber Threat Alliance. As a result, vendors like Dragos were able to quickly incorporate IDS signatures into their platforms. Learn more about the CTA at https://www.cyberthreatalliance.org.
 Hacking Exposed: Industrial Control Systems — Bodungen, Singer, Shbeeb, Hilt, Wilhoit pp176-180