PN1045 | Stratix 5400/5410/5700/8000/8300 Denial of Service Vulnerabilities

Introduction

Description

Version 1.0 - April 4, 2019

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories that affect Allen-Bradley® products. Five of these vulnerabilities affect the six Allen-Bradley Stratix® and ArmorStratix™ products listed in the Affected Products section below.

AFFECTED PRODUCTS

• Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches - all versions PRIOR to 15.2(4)EA7
• Allen-Bradley Stratix 5400 Industrial Ethernet Switches - v15.2(6)E0a and earlier
• Allen-Bradley Stratix 5410 Industrial Distribution Switches - v15.2(6)E0a and earlier
• Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches - v15.2(6)E0a and earlier
• Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches - v15.2(6)E0a and earlier
• Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments - v15.2(6)E0a and earlier

VULNERABILITY DETAILS

Vulnerability #1: Open Shortest Path First (OSPF v3) Denial of Service
A vulnerability in the Open Shortest Path First version 3 (OSPFv3) implementation in Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload.

The vulnerability is due to incorrect handling of specific OSPFv3 packets. An attacker could exploit this vulnerability by sending crafted OSPFv3 Link-State Advertisements (LSA) to an affected device. An exploit could allow the attacker to cause an affected device to reload, leading to a denial of service (DoS) condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ospfv3-dos.

CVE-2018-0466 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #2: Hypertext Transfer Protocol (HTTP) Denial of Service
A vulnerability in the web framework of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to the affected software improperly parsing malformed HTTP packets that are destined to a device. An attacker could exploit this vulnerability by sending a malformed HTTP packet to an affected device for processing. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected device, resulting in a DoS condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos.

CVE-2018-0470 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #3: Precision Time Protocol (PTP) Denial of Service
A vulnerability in the Precision Time Protocol (PTP) subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Precision Time Protocol.

The vulnerability is due to insufficient processing of PTP packets. An attacker could exploit this vulnerability by sending a custom PTP packet to, or through, an affected device. A successful exploit could allow the attacker to cause a DoS condition for the PTP subsystem, resulting in time synchronization issues across the network.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ptp.

CVE-2018-0473 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/.

Vulnerability #4: IPv6 Hop-by-Hop Options Denial of Service
A vulnerability in the IPv6 processing code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to incorrect handling of specific IPv6 hop-by-hop options. An attacker could exploit this vulnerability by sending a malicious IPv6 packet to or through the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipv6hbh.

CVE-2018-0467 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #5: Software Cisco Discovery Protocol Denial of Service
A vulnerability in the implementation of Cisco Discovery Protocol functionality in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper memory handling by the affected software when the software processes high rates of Cisco Discovery Protocol packets that are sent to a device. An attacker could exploit this vulnerability by sending a high rate of Cisco Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-dos.

CVE-2018-15373 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

GENERAL SECURITY GUIDELINES

1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
2. Consult the product documentation for specific features, such as access control lists and deep pack inspection, to which may be used to block unauthorized changes, etc.
3. Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used Rockwell Automation® products, see Knowledgebase Article ID 898270.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

• 54102 - Industrial Security Advisory Index
• Industrial Firewalls within a CPwE Architecture
• Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

REVISION HISTORY

KCS Status