Deep Dive into an ICS Firewall, Looking for the Fire Hole

Conference:  BlackHat USA 2018



This talk presents a security evaluation of the Tofino Xenon, a firewall designed to protect industrial control systems (ICS) from network attacks. The evaluation aims both to determine how effectively the appliance protects the ICS equipment behind it and to identify vulnerabilities in the firewall itself.
  • ICS security is a growing concern: attacks on critical systems have moved from theory to observed real-world incidents
  • Dedicated firewalls such as the Tofino Xenon address this by inspecting and filtering industrial control protocols rather than only IP addresses and ports
  • Evaluation methodology: reverse engineer the appliance (custom encrypted administration protocol, fully encrypted firmware), obtain a root shell on it, then analyze the firewall internals and its attack surface
  • The Tofino Xenon is designed to be inserted transparently, with minimal impact on the existing network and systems
  • Filtering is done at two levels: classic network parameters (addresses, ports, protocols) and ICS-oriented inspection of the industrial protocol content
  • Vulnerabilities found in the firewall itself (CVE-2017-11400, CVE-2017-11401 and CVE-2017-11402), their impact and the attack scenarios that exploit them
  • The findings were responsibly disclosed to the vendor, who released a fix
ICS security is a serious concern: a malfunction of these systems can harm people working in the field, and downtime is very costly. Yet stopping a production system to apply patches is often not feasible, so vulnerable ICS equipment stays in service unpatched. Dedicated firewalls such as the Tofino Xenon address this dilemma by filtering network traffic in front of the vulnerable equipment. The evaluation of the Tofino Xenon involved reverse engineering the appliance and analyzing its attack surface to identify vulnerabilities; the results were responsibly disclosed to the vendor, who released a fix.


Industrial control systems (ICS) security has become a serious concern over the past years. Indeed, the threat to ICS has become a reality and real-world attacks have been observed. Many systems driving critical functions cannot be stopped to receive security upgrades, so protecting those very sensitive assets is a tough challenge. As the ICS security market is growing fast, dedicated firewalls have appeared to address this problem by inspecting and filtering industrial control protocols. But what are those solutions worth? Are they really different from standard network firewalls? What exactly are their attack surfaces and what kind of bugs may we find there?

We propose to answer those questions on the Tofino Xenon case. We will present the methodology we used to reverse engineer an appliance that uses a custom, encrypted administration protocol and has fully encrypted firmware, from reverse engineering the rich client to obtaining a root shell on the appliance. Then we will cover the firewall internals, the attack surface it offers and the security features it provides to vulnerable ICS equipment. Finally, we will present the vulnerabilities we found (CVE-2017-11400, CVE-2017-11401 and CVE-2017-11402), their impact and the attack scenarios to exploit them.
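The two-level filtering the talk describes (classic network parameters first, then ICS-oriented content inspection) is what separates an ICS firewall from a standard one, and it is also where the extra attack surface lives: the appliance must parse the industrial protocol. The following Python model is an added illustration, not code from the talk or from the Tofino Xenon. Modbus/TCP is used as the illustrative industrial protocol (the page does not say which protocols the device inspects), and the hosts, rule tables and frames are all constructed. A plain port-502 rule would pass every frame below that comes from an authorized host; the content level is what blocks the HMI's write, and the length check is what keeps a frame with a lying MBAP length from being trusted by the parser.

```python
"""Two-level ICS firewall model: a classic 5-tuple rule, then Modbus/TCP content inspection.
Added illustration; not the Tofino Xenon's code. Hosts, rules and frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_TCP_PORT = 502
# Public Modbus function codes (Modbus Application Protocol Specification V1.1b3)
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10
READ_ONLY = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus/TCP ADU. MBAP header: transaction id (2), protocol id (2, must be 0),
    length (2, counts unit id + PDU), unit id (1); then the PDU (function code + data).
    Returns None on any inconsistency so the caller drops the frame instead of guessing."""
    if len(payload) < 8:                            # header plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length < 2 or length > 254:    # a PDU is at most 253 bytes
        return None
    if length != len(payload) - 6:                  # declared length must match what arrived
        return None
    return ModbusRequest(tid, unit, payload[7], payload[8:])


# Level 1: classic network parameters (hypothetical site: HMI and engineering station -> PLC)
HMI, ENG, PLC = "10.0.0.10", "10.0.0.20", "10.0.1.5"
NETWORK_RULES = {(HMI, PLC, MODBUS_TCP_PORT), (ENG, PLC, MODBUS_TCP_PORT)}

# Level 2: ICS-oriented content rules, per source (hypothetical policy)
CONTENT_RULES = {
    HMI: READ_ONLY,                                                      # HMI may only read
    ENG: READ_ONLY | {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS},  # engineering may write registers
}


def filter_packet(pkt: Packet) -> str:
    """Return 'ALLOW' or 'DROP:<reason>' after both filtering levels."""
    if (pkt.src, pkt.dst, pkt.dport) not in NETWORK_RULES:
        return "DROP:network"
    req = parse_modbus_tcp(pkt.payload)
    if req is None:
        return "DROP:malformed"
    if req.function_code not in CONTENT_RULES.get(pkt.src, set()):
        return f"DROP:function-code-0x{req.function_code:02x}"
    return "ALLOW"


def modbus_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP ADU (used only to construct the sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic
HMI_READ = Packet(HMI, PLC, 502, modbus_frame(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10)))
HMI_WRITE = Packet(HMI, PLC, 502, modbus_frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 0, 0xFFFF)))
ENG_WRITE = Packet(ENG, PLC, 502, modbus_frame(3, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 0, 1)))
ROGUE_READ = Packet("10.0.0.99", PLC, 502, modbus_frame(4, 1, READ_COILS, struct.pack(">HH", 0, 8)))
# MBAP length claims 200 bytes but only 5 follow the header: a parser that trusts it over-reads
BAD_LENGTH = Packet(HMI, PLC, 502, struct.pack(">HHHB", 5, 0, 200, 1) + bytes([READ_COILS, 0, 0, 0, 8]))

if __name__ == "__main__":
    for name in ("HMI_READ", "HMI_WRITE", "ENG_WRITE", "ROGUE_READ", "BAD_LENGTH"):
        print(f"{name:<11} {filter_packet(globals()[name])}")
```

The model keeps the two levels separate on purpose: the network rule is cheap and protocol-agnostic, while the content rule depends on a parser that has to be correct against hostile input. Any inconsistency in the MBAP header is a drop, never a best-effort interpretation, because the parser itself is the part of an ICS firewall that a standard firewall does not have and therefore the part an attacker will probe.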