Rockwell Automation Stratix Denial-of-Service and Memory Leak Vulnerabilities

Plan PatchCVSS 9.9ICS-CERT ICSA-16-287-04Jul 17, 2016

Rockwell AutomationManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple denial-of-service and memory leak vulnerabilities exist in Allen-Bradley Stratix and ArmorStratix industrial Ethernet switches. The vulnerabilities stem from improper input validation (CWE-20) and information exposure (CWE-209, CWE-693) in the switch management interfaces. An attacker can send malformed packets to trigger DoS conditions or leak memory contents. Affected products: Stratix 5400, 5410, 5700, 8000, and ArmorStratix 5700 switches running firmware version 15.24EA3 and earlier. No firmware patch is currently available.

What this means

What could happen

An attacker with network access to these switches could trigger denial-of-service conditions that disrupt plant communications or cause memory leaks that degrade performance over time. Information disclosure is also possible through the memory leak vulnerability.

Who's at risk

Manufacturing facilities that depend on Rockwell Automation industrial Ethernet switches (Stratix 5400, 5410, 5700, 8000, and ArmorStratix 5700) for plant-wide communications. This includes any facility using these switches as backbone or distribution switches in their OT network. Water utilities and electric cooperatives with Rockwell-based SCADA networks are also at risk if these switches are deployed.

How it could be exploited

An attacker on the network sends specially crafted packets to the Ethernet switch's management interface. The switch fails to properly validate the input (CWE-20), causing a denial-of-service condition that crashes the switch or makes it unresponsive. The same malformed input can also leak sensitive memory contents to the attacker.

Prerequisites

Network access to the switch management interface (typically port 22, 80, or 443)
No authentication required for exploitation

remotely exploitableno authentication requiredlow complexityno patch availableaffects network backbone infrastructure

Exploitability

Some exploitation risk — EPSS score 9.1%

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

Allen-Bradley Stratix 5400 Industrial Ethernet Switches: <=15.24EA3≤ 15.24EA3No fix (EOL)

Allen-Bradley Stratix 5410 Industrial Distribution Switches: <=15.24EA3≤ 15.24EA3No fix (EOL)

Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches: <=15.24EA3≤ 15.24EA3No fix (EOL)

Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches: <=15.24EA3≤ 15.24EA3No fix (EOL)

Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches: <=15.24EA3≤ 15.24EA3No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGImplement network segmentation to restrict access to switch management interfaces from trusted engineering and IT networks only

HARDENINGDeploy firewall rules to block unauthorized access to switch management ports (SSH, HTTP, HTTPS) from non-administrative networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

WORKAROUNDDisable remote management on switches if not required for operations and enable local-only management via console access

HOTFIXContact Rockwell Automation for patch availability and timeline for these critical vulnerabilities

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Allen-Bradley Stratix 5400 Industrial Ethernet Switches: <=15.24EA3, Allen-Bradley Stratix 5410 Industrial Distribution Switches: <=15.24EA3, Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches: <=15.24EA3, Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches: <=15.24EA3, Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches: <=15.24EA3. Apply the following compensating controls:

HARDENINGMonitor switch logs and system status for signs of DoS attacks or memory exhaustion

CVEs (4)

CVE-2016-6393 CVE-2016-6382 CVE-2016-6380 CVE-2016-6385

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3d23f261-f835-4f65-9b58-9b94259653eb

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.