Executive Summary
Cisco Systems, Inc. (Cisco) released an advisory regarding a vulnerability in the logic that handles access control to a hardware component in Cisco’s proprietary Secure Boot implementation. If successfully exploited, an attacker could write a modified firmware image to the component. The Allen-Bradley® Stratix® 5950 utilizes Cisco’s proprietary Secure Boot implementation.
Customers using affected versions of this product are encouraged to evaluate the mitigations provided below and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.
Affected Products
Allen-Bradley Stratix 5950 Security Appliance:
- 1783-SAD4T0SBK9
- 1783-SAD4T0SPK9
- 1783-SAD2T2SBK9
- 1783-SAD2T2SPK9
Vulnerability Details
CVE-2019-1649: Cisco Secure Boot Hardware Tampering
A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write their own modified firmware image to the affected component.
The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system running on the affected device could utilize this vulnerability to write a modified firmware image to the FPGA. A successful exploit could cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.
The security disclosure from Cisco regarding their Secure Boot implementation is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot.
CVSS v3.1 Base Score: 6.7/10 [MEDIUM]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Risk Mitigation & User Action
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and, when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.
Update the affected products per the table below:
Vulnerability | Product | Suggested Actions |
CVE-2019-1649 | Stratix 5950 Security Appliance | Apply FRN v6.4.0 (Download) |
General Security Guidelines
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
- Consult the product documentation for specific features, such as access control lists and deep packet inspection, which may be used to block unauthorized changes, etc.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
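One way to check that the port-blocking guideline above is actually enforced is to audit firewall or flow records for permitted EtherNet/IP or CIP traffic that enters the Manufacturing Zone from outside it. The following is an added example, not part of the original advisory or any Rockwell Automation or Cisco tooling; the zone address range, the record format, and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: example Manufacturing Zone address range; substitute your own.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]
# TCP and UDP ports named in the advisory for EtherNet/IP and CIP traffic.
CIP_PORTS = {2222, 44818}

# Constructed sample records (hypothetical format): proto src sport dst dport action
SAMPLE_FLOWS = """\
tcp 10.20.1.15 51522 10.20.4.10 44818 allow
udp 10.20.1.15 2222 10.20.4.10 2222 allow
tcp 192.168.50.7 40112 10.20.4.10 44818 allow
udp 203.0.113.9 53011 10.20.4.11 2222 deny
tcp 192.168.50.7 40113 10.20.4.10 443 allow
udp 172.16.8.3 49200 10.20.4.12 2222 allow
icmp 172.16.8.3 - 10.20.4.12 - allow
truncated line
"""

def in_zone(addr):
    """True if addr belongs to one of the Manufacturing Zone networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANUFACTURING_ZONE)

def find_violations(text):
    """Return (allowed CIP flows from outside the zone, unparseable line numbers)."""
    violations, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        try:
            proto, src, _sport, dst, dport, action = fields
            if proto.lower() not in ("tcp", "udp"):
                continue  # the port guidance covers TCP and UDP only
            port = int(dport)
            outside_to_inside = in_zone(dst) and not in_zone(src)
        except ValueError:
            skipped.append(lineno)  # report, rather than silently drop, bad records
            continue
        if port in CIP_PORTS and outside_to_inside and action.lower() == "allow":
            violations.append((lineno, proto.lower(), src, dst, port))
    return violations, skipped

if __name__ == "__main__":
    found, bad = find_violations(SAMPLE_FLOWS)
    for v in found:
        print("CIP flow from outside zone allowed: line %d %s %s -> %s:%d" % v)
    print("unparseable lines:", bad)
```

Any record reported here points to a firewall rule that permits traffic the guideline says should be blocked or restricted.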
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).
Additional Links