Rockwell Automation Stratix Denial-of-Service and Memory Leak Vulnerabilities
Act Now | 9.9 | ICS-CERT ICSA-16-287-04 | Jul 17, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple denial-of-service and memory leak vulnerabilities exist in Allen-Bradley Stratix and ArmorStratix industrial Ethernet switches. The vulnerabilities stem from improper input validation (CWE-20) and information exposure (CWE-209, CWE-693) in the switch management interfaces. An attacker can send malformed packets to trigger DoS conditions or leak memory contents. Affected products: Stratix 5400, 5410, 5700, 8000, and ArmorStratix 5700 switches running firmware version 15.24EA3 and earlier. No firmware patch is currently available.
What this means
What could happen
An attacker with network access to these switches could trigger denial-of-service conditions that disrupt plant communications or cause memory leaks that degrade performance over time. Information disclosure is also possible through the memory leak vulnerability.
Who's at risk
Manufacturing facilities that depend on Rockwell Automation industrial Ethernet switches (Stratix 5400, 5410, 5700, 8000, and ArmorStratix 5700) for plant-wide communications. This includes any facility using these switches as backbone or distribution switches in their OT network. Water utilities and electric cooperatives with Rockwell-based SCADA networks are also at risk if these switches are deployed.
How it could be exploited
An attacker on the network sends specially crafted packets to the Ethernet switch's management interface. The switch fails to properly validate the input (CWE-20), causing a denial-of-service condition that crashes the switch or makes it unresponsive. The same malformed input can also leak sensitive memory contents to the attacker.
Prerequisites
- Network access to the switch management interface (typically port 22, 80, or 443)
- No authentication required for exploitation
remotely exploitable | no authentication required | low complexity | no patch available | affects network backbone infrastructure
Exploitability
Moderate exploit probability (EPSS 9.1%)
Affected products (5)
5 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| Allen-Bradley Stratix 5400 Industrial Ethernet Switches | ≤ 15.24EA3 | No fix (EOL) |
| Allen-Bradley Stratix 5410 Industrial Distribution Switches | ≤ 15.24EA3 | No fix (EOL) |
| Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches | ≤ 15.24EA3 | No fix (EOL) |
| Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches | ≤ 15.24EA3 | No fix (EOL) |
| Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches | ≤ 15.24EA3 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict access to switch management interfaces from trusted engineering and IT networks only
- HARDENING: Deploy firewall rules to block unauthorized access to switch management ports (SSH, HTTP, HTTPS) from non-administrative networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: Disable remote management on switches if not required for operations and enable local-only management via console access
- HOTFIX: Contact Rockwell Automation for patch availability and timeline for these critical vulnerabilities
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Allen-Bradley Stratix 5400 Industrial Ethernet Switches: <=15.24EA3, Allen-Bradley Stratix 5410 Industrial Distribution Switches: <=15.24EA3, Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches: <=15.24EA3, Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches: <=15.24EA3, Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches: <=15.24EA3. Apply the following compensating controls:
- HARDENING: Monitor switch logs and system status for signs of DoS attacks or memory exhaustion
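
One way to verify the segmentation and firewall controls listed above is to audit flow records for traffic that reaches a switch management port (22, 80 or 443, as listed under Prerequisites) from outside the administrative networks. This is an added example, not part of the advisory or any Rockwell Automation tooling; the subnets, switch addresses, record format and flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Management ports named in the advisory's prerequisites (SSH, HTTP, HTTPS).
MGMT_PORTS = {22, 80, 443}

# Assumptions for illustration: administrative subnets and switch management IPs.
ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.10.50.0/24", "10.10.60.0/28")]
SWITCH_IPS = {ipaddress.ip_address(a) for a in ("10.20.0.2", "10.20.0.3")}

# Constructed flow records in a hypothetical format: "src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
10.10.50.14 10.20.0.2 22 ALLOW
10.30.7.81 10.20.0.2 443 ALLOW
10.30.7.81 10.20.0.2 80 ALLOW
10.10.60.5 10.20.0.3 443 ALLOW
10.10.60.20 10.20.0.3 22 ALLOW
192.168.4.9 10.20.0.3 80 DENY
10.30.7.81 10.20.0.9 443 ALLOW
not a flow line
"""

def audit(flow_text):
    """Return (violations, blocked) for non-admin access to switch management ports."""
    violations, blocked = [], Counter()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue  # skip malformed records
        if dst not in SWITCH_IPS or port not in MGMT_PORTS:
            continue  # not traffic to a switch management interface
        if any(src in net for net in ADMIN_NETS):
            continue  # expected administrative access
        if parts[3] == "ALLOW":
            violations.append((str(src), str(dst), port))  # firewall gap to close
        else:
            blocked[str(src)] += 1  # rule held; repeated hits merit review
    return violations, blocked

if __name__ == "__main__":
    gaps, denied = audit(SAMPLE_FLOWS)
    print("gaps:", gaps)
    print("blocked:", dict(denied))
```

Note that 10.10.60.20 is flagged because it falls outside the /28 administrative range, the kind of near-miss that a loosely written rule lets through.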