Published Date: 10/17/2023
Last updated: 02/14/2024
Revision Number: 2.0
Revision History: Updated the "Corrected in Firmware Revision" field
CVSS Score: 10/10
Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023, and additional information can be found in their original disclosure. As of the time of original publication, no patch was available for this vulnerability and multiple cases of active exploitation had been observed. While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response engagement for a Cisco customer. This advisory will be updated as remediation steps become available.
REVISION 1.1 UPDATE
Since publication of the original disclosure, exploit code has become publicly available. Availability of exploit code lowers the technical barrier for threat actors targeting the affected devices. Rockwell Automation currently has no evidence of active exploitation against the Stratix® product line. This advisory has been updated to include specific steps for creating access control measures that restrict the Web UI. Rockwell Automation strongly encourages customers to follow the mitigation guidelines.
REVISION 2.0 UPDATE
Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First known in firmware revision | Corrected in Firmware Revision
Stratix® 5200, 5800 | All versions running Cisco IOS XE Software with the Web UI feature enabled | 17.12.02
VULNERABILITY DETAILS
CVE-2023-20198 IMPACT
Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.
Rockwell Automation used the latest version of the CVSS scoring system to assess this vulnerability.
CVSS Base Score: 10/10 (critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Known Exploited Vulnerability (KEV) database: Yes
CVE-2023-20273 IMPACT
Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. A threat actor could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the threat actor to inject commands to the underlying operating system with root privileges.
Rockwell Automation used the latest version of the CVSS scoring system to assess this vulnerability.
CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Known Exploited Vulnerability (KEV) database: Yes
Mitigations and Workarounds
Rockwell Automation strongly encourages customers to disable the HTTP server feature on all internet-facing Stratix® devices.
- To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
- Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.
REVISION 1.1 UPDATE
- Access Control Lists should be applied so that only specific, trusted management IP addresses can reach the Web UI of the device. Detailed instructions on how to create the Access Control List are in QA67053.
- When implementing access controls for these services, review the controls before deploying them: an ACL that omits a legitimate management host can block administrative access and interrupt production services.
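The two mitigations above (disabling the HTTP/HTTPS server on internet-facing devices, or restricting the Web UI with an access list) and the privilege-15 account created by CVE-2023-20198 can all be checked against a saved running-config. The following Python script is an added example, not code from Rockwell Automation or Cisco: it parses a constructed sample config, reports whether the Web UI is enabled and whether an access-class is applied, lists local privilege-15 users for comparison against the expected administrator set, and emits the global-configuration commands for whichever mitigation applies. The sample config, the ACL name WEBUI-MGMT, the management subnet 10.0.0.0/24 and the `ip http access-class ipv4 <name>` command syntax are assumptions; verify the ACL commands against QA67053 before applying them.

```python
"""Audit a Cisco IOS XE running-config for the Web UI exposure discussed in
this advisory and for unexpected privilege-15 accounts.

Added example; not Rockwell Automation or Cisco code.  The configuration
text, ACL name and management subnet below are constructed assumptions.
"""
import re

# Constructed sample: HTTP and HTTPS server enabled, no access-class applied,
# one expected administrator plus one privilege-15 user nobody remembers creating.
SAMPLE_CONFIG = """\
hostname STRATIX-5800-1
!
username admin privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
username operator privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
end
"""

# Anchored at line start so "no ip http server" (disabled) does not match.
HTTP_RE = re.compile(r"^ip http (secure-server|server)\s*$", re.M)
# "ip http access-class ipv4 <acl>" (newer syntax) or "ip http access-class <acl>".
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\s+(?:ipv4\s+)?(\S+)", re.M)
PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.M)


def audit(config: str) -> dict:
    """Return the Web UI and privilege-15 findings for one running-config."""
    enabled = set(HTTP_RE.findall(config))  # subset of {"server", "secure-server"}
    acl = ACCESS_CLASS_RE.search(config)
    return {
        "http_server": "server" in enabled,
        "https_server": "secure-server" in enabled,
        "access_class": acl.group(1) if acl else None,
        "priv15_users": PRIV15_RE.findall(config),
    }


def unexpected_admins(findings: dict, expected: list) -> list:
    """Privilege-15 users not in the operator's expected administrator list."""
    return sorted(set(findings["priv15_users"]) - set(expected))


def remediation(findings: dict, internet_facing: bool = True,
                acl_name: str = "WEBUI-MGMT") -> list:
    """Global-config commands for the advisory's mitigations.

    Internet-facing devices: disable whichever HTTP servers are enabled.
    Internal devices: if the Web UI is on and unrestricted, restrict it with an
    ACL.  Subnet and ACL name are assumptions; confirm syntax against QA67053.
    """
    cmds = []
    web_ui_on = findings["http_server"] or findings["https_server"]
    if internet_facing:
        if findings["http_server"]:
            cmds.append("no ip http server")
        if findings["https_server"]:
            cmds.append("no ip http secure-server")
    elif web_ui_on and findings["access_class"] is None:
        cmds += [
            f"ip access-list standard {acl_name}",
            " permit 10.0.0.0 0.0.0.255",   # assumed management subnet
            " deny any log",
            f"ip http access-class ipv4 {acl_name}",
        ]
    return cmds


if __name__ == "__main__":
    f = audit(SAMPLE_CONFIG)
    print("Web UI HTTP/HTTPS enabled:", f["http_server"], f["https_server"])
    print("Access-class applied:", f["access_class"])
    print("Privilege-15 users:", f["priv15_users"])
    print("Unexpected privilege-15 users:", unexpected_admins(f, ["admin"]))
    print("Internet-facing remediation:", remediation(f))
    print("Internal remediation:", remediation(f, internet_facing=False))
```

Run it against `show running-config` output saved from each Stratix® switch. A privilege-15 account that is not on the expected list should be treated as a possible indicator of compromise rather than simply removed, since the advisory notes the attacker uses such an account to take control of the device; preserve the configuration and logs for investigation before remediating.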
ADDITIONAL RESOURCES