Introduction
Description
Version 1.0 - June 23, 2016
On May 13, 2016, Cisco disclosed a vulnerability in their Industrial Ethernet 4000 and 5000 Series switches. This vulnerability also impacts the Allen-Bradley Stratix® 5400 Industrial Ethernet Switches and the Allen-Bradley Stratix® 5410 Industrial Distribution Switches containing particular versions of IOS firmware. The discovered vulnerability is remotely exploitable and may allow an attacker to corrupt a subsequent packet traversing the device. At this time, both Rockwell Automation and Cisco are unaware of any publicly available exploit code.
Customers using affected versions of this software are encouraged to upgrade to the newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
AFFECTED PRODUCTS
- Stratix 5400, Versions 15.2(2)EA1, 15.2(2)EA2
- Stratix 5410, Versions 15.2(2)EB
No other Rockwell Automation Stratix products are currently known to be affected by this vulnerability. Stratix 5400 and Stratix 5410 Switches running any versions other than those listed above are not affected by this vulnerability.
To determine if your Stratix 5400 switch or Stratix 5410 switch is using the above firmware, please refer to KB55484: Upgrading or verifying Stratix Firmware.
VULNERABILITY DETAILS
A vulnerability in the packet processing microcode of Stratix 5400 and Stratix 5410 switches could allow an unauthenticated, remote attacker to corrupt packets enqueued on the device for further processing.
The vulnerability is due to improper processing of some Internet Control Message Protocol ("ICMP") IPv4 packets. An attacker could exploit this vulnerability by sending ICMP IPv4 packets to an affected device. A successful exploit could allow an attacker to corrupt the packet enqueued for transmission immediately after the anomalous packet. This may impact control traffic to the device itself (Address Resolution Protocol (ARP) traffic) or traffic transiting the device.
Cisco’s product security disclosure for their Industrial Ethernet 4000 and 5000 Series switches is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160513-ies
A CVSS v3 base score of 5.8 has been assigned to this vulnerability by Rockwell Automation. The CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N).
CUSTOMER RISK MITIGATIONS AND REMEDIATION
Customers using affected versions of the Stratix 5400 and Stratix 5410 software are encouraged to upgrade to the newest available versions that address associated risk with this vulnerability. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.
- Upgrade affected products per the table below:
Product Hardware Series Mitigations Stratix 5400 Industrial Ethernet Switches Series A Apply version 15.2(4)EA3 or newer (Download) Stratix 5410 Industrial Distribution Switches Series A Apply version 15.2(4)EA3 or newer (Download)
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
ADDITIONAL LINKS
KCS Status
