Severity: High, Medium
Advisory ID: PN1558
Published Date: March 26, 2021
Last Updated: March 26, 2021
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2021-1452, CVE-2021-1442, CVE-2021-1443, CVE-2021-1392, CVE-2021-1403, CVE-2021-1220, CVE-2021-1352
Summary
Stratix Switches Impacted by IOS and IOS XE Software Vulnerabilities
Revision History
Version 1.0 - March 26, 2021. Initial release.
Executive Summary
Rockwell Automation received a report from Cisco regarding eight vulnerabilities in Stratix® switches. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, unauthorized privilege escalation, web socket hijacking, relative path traversal or command injection.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
CVE ID | Affected Product Family | Affected Versions |
CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier |
CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier |
CVE-2021-1392 | Stratix 8300 | All Versions |
CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier |
CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled. |
CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier |
CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier |
CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier |
CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier |
Vulnerability Details
CVE-2021-1392: IOS and IOS XE Software Common Industrial Protocol (CIP) Privilege Escalation Vulnerability
A vulnerability in the CLI command permissions of Cisco® IOS and Cisco IOS XE software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP™) and then remotely configure the affected device as an administrative user.
CVSS v3.1 Base Score: 7.8/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-1403: IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability
A vulnerability in the web UI feature of Cisco IOS XE software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device.
CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
CVE-2021-1352: IOS XE Software DECnet Phase IV/OSI Denial of Service Vulnerability
A vulnerability in the DECnet protocol processing of Cisco IOS XE software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. An attacker could exploit this vulnerability by sending DECnet traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
This vulnerability affects Stratix 5800 devices if they are running a vulnerable release of Cisco IOS XE software and have the DECnet protocol enabled. DECnet is not enabled by default.
CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2021-1442: IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
A vulnerability in a diagnostic command for the Plug and Play (PnP) subsystem of Cisco IOS XE software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator on an affected Stratix 5800.
Plug and Play is disabled after Express Setup has completed.
CVSS v3.1 Base Score: 7.0/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-1452: IOS XE ROM Monitor Software OS Command Injection Vulnerability
A vulnerability in the Stratix 5800 switches could allow an unauthenticated, physical attacker to execute persistent code at boot time and break the chain of trust.
CVSS v3.1 Base Score: 6.8/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-1443: IOS XE Software Web UI OS Command Injection Vulnerability
A vulnerability in the web UI of the IOS XE software could allow a remote, authenticated attacker to execute arbitrary code with root privileges on the underlying operating system of the affected device. To exploit this vulnerability, an attacker would need to have Admin credentials to the device.
CVSS v3.1 Base Score: 5.5/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
CVE-2021-1220/CVE-2021-1356: IOS XE Software Web UI Denial-of-Service Vulnerabilities
Multiple vulnerabilities in the Web UI feature of IOS XE software could allow an authenticated, remote attacker with read-only privileges to cause the web management software to hang and consume vty line instances resulting in a denial-of-service (DoS) condition.
CVSS v3.1 Base Score: 4.3/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Risk Mitigation & User Action
Customers using the affected Stratix devices are encouraged to update to an available firmware revision that addresses the associated risk.
Where a fix is not yet available, customers are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to apply general security guidelines to employ multiple strategies simultaneously.
Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.
CVE ID | Affected Product Family | Affected Firmware Versions | Suggested Actions |
CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier | Confirm that the least-privilege user principle is followed, and user account access is only granted with a minimum number of rights as needed. |
CVE-2021-1392 | Stratix 8300 | All Versions | Migrate to contemporary solution. |
CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled. | If possible, disable DECnet protocol completely or on select interfaces. To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies. |
CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and user account access is only granted with a minimum number of rights as needed. |
CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and user account access is only granted with a minimum number of rights as needed. |
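The affected-version and suggested-action table above can be applied to a switch inventory to see which rows hit which device. The following is an added example, not Rockwell Automation or Cisco code; the inventory entries, the `parse_version` and `triage` helpers, and the assumption that IOS releases order as major.minor(maintenance)E rebuild are illustrative.

```python
import re

UPGRADE = "Apply version 17.04.01 or later."
LEAST_PRIV = "Confirm least-privilege user access."
# Rows of the advisory's mitigation table (action text abbreviated):
# (CVE, product families, last affected version or None for all, DECnet-only, action)
ROWS = [
    ("CVE-2021-1392", ("5800",), "16.12.01", False, UPGRADE),
    ("CVE-2021-1392", ("8000", "5700", "5410", "5400"), "15.2(7)E3", False, LEAST_PRIV),
    ("CVE-2021-1392", ("8300",), None, False, "Migrate to contemporary solution."),
    ("CVE-2021-1403", ("5800",), "16.12.01", False, UPGRADE),
    ("CVE-2021-1352", ("5800",), "17.04.01", True, "Disable DECnet; segment the network."),
    ("CVE-2021-1442", ("5800",), "16.12.01", False, UPGRADE),
    ("CVE-2021-1452", ("5800",), "16.12.01", False, UPGRADE),
    ("CVE-2021-1443", ("5800",), "17.04.01", False, LEAST_PRIV),
    ("CVE-2021-1220/CVE-2021-1356", ("5800",), "17.04.01", False, LEAST_PRIV),
]

def parse_version(text):
    """Turn '16.12.01' or '15.2(7)E3' into a tuple that compares in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)E(\d*)", text)
    if m:  # IOS style: major.minor(maintenance)E<rebuild>, missing rebuild counts as 0
        return tuple(int(part or 0) for part in m.groups())
    if re.fullmatch(r"\d+\.\d+\.\d+", text):  # IOS XE style: major.minor.patch
        return tuple(int(part) for part in text.split("."))
    raise ValueError(f"unrecognised version format: {text!r}")

def triage(family, version, decnet_enabled=False):
    """Return [(cve, action)] for every advisory row that applies to one switch."""
    hits = []
    for cve, families, last_affected, decnet_only, action in ROWS:
        if family not in families or (decnet_only and not decnet_enabled):
            continue
        # Rows with no version bound ("All Versions") match without parsing.
        if last_affected is None or parse_version(version) <= parse_version(last_affected):
            hits.append((cve, action))
    return hits

# Constructed inventory: (name, Stratix family, firmware version, DECnet enabled)
INVENTORY = [
    ("line1-sw", "5800", "16.12.01", False),
    ("line2-sw", "5800", "17.04.01", True),
    ("cell3-sw", "5700", "15.2(7)E3", False),
    ("cell4-sw", "5700", "15.2(8)E", False),
]

if __name__ == "__main__":
    for name, family, version, decnet in INVENTORY:
        for cve, action in triage(family, version, decnet):
            print(f"{name} ({family} {version}): {cve} -> {action}")
```

A version string the parser does not recognise raises `ValueError` rather than being silently treated as unaffected, so unknown firmware has to be reviewed by hand.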
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Use proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
- Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes, etc.
- Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
- Use trusted firmware, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Copyright ©2022 Rockwell Automation, Inc.