OTPulse

Rockwell Automation Allen-Bradley Stratix and ArmorStratix

Act Now | 8.8 | ICS-CERT ICSA-17-208-04 | Jul 27, 2017
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability exists in Rockwell Automation Stratix and ArmorStratix managed Ethernet switches (models 5400, 5700, 5900, 8000, 8300 series, all firmware versions through 15.2(5)EA.fc4). An authenticated user with access to the switch management interface can send malformed input that overflows a memory buffer, allowing arbitrary code execution with switch-level privileges. This enables an attacker to intercept, modify, or disrupt network traffic carrying control signals between PLCs, HMIs, and field devices. The vulnerability is remotely exploitable and actively being exploited in the wild (KEV status). No firmware patch has been released by Rockwell Automation, and the vendor has not announced a timeline for remediation.

What this means
What could happen
An authenticated user with local network access could execute arbitrary code on Stratix and ArmorStratix switches, allowing an attacker to modify network traffic, intercept communications, or disable critical network connectivity in your plant.
Who's at risk
Manufacturing plants, utilities, and other critical infrastructure using Rockwell Automation Stratix or ArmorStratix managed Ethernet switches for plant network infrastructure. This affects all models in the 5400, 5700, 5900, 8000, and 8300 series that connect and control production equipment, PLCs, and field devices.
How it could be exploited
An attacker with credentials for the switch management interface (or who can intercept weak credentials on the local network) can send specially crafted packets to the switch. The switch fails to properly validate input, allowing the attacker to overflow a memory buffer and inject executable code that runs with switch privileges.
Prerequisites
  • Valid management credentials for the switch (admin or engineering account)
  • Network access to the switch management interface (port 22 SSH or web interface port 80/443)
  • No address space layout randomization (ASLR) mitigations in place on the switch
actively exploited (KEV) | remotely exploitable | high CVSS score (8.8) | high EPSS score (89%) | no patch available | low skill level to exploit | affects network infrastructure (impacts all connected devices)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (6)
1 pending, 5 EOL
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches: All | ≤ 15.2(5)EA.fc4 | No fix yet
Allen-Bradley Stratix 5900 Services Router: All | ≤ 15.2(5)EA.fc4 | No fix (EOL)
Stratix 8300 Modular Managed Ethernet Switches: All | ≤ 15.2(5)EA.fc4 | No fix (EOL)
Allen-Bradley Stratix 5400 Industrial Ethernet Switches: All | ≤ 15.2(5)EA.fc4 | No fix (EOL)
Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches: All | ≤ 15.2(5)EA.fc4 | No fix (EOL)
Allen-Bradley Stratix 5410 Industrial Distribution Switches: All | ≤ 15.2(5)EA.fc4 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation: restrict management access to Stratix switches to a dedicated engineering VLAN or jump host. Use firewall rules to block direct access from non-engineering networks.
WORKAROUND: Disable remote management (SSH, web interface) on all Stratix switches not requiring it. Enable it only on switches that need remote engineering access.
HARDENING: Change all default and factory-set credentials on Stratix switches to strong, unique passwords. Enforce password complexity policies.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Enable strong authentication (certificate-based or multi-factor) for management access if the switch firmware supports it.
HARDENING: Monitor switch management interfaces for unauthorized login attempts. Configure logging and alerts.
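One way to turn the monitoring and segmentation items above into alerts, as an added example that is not part of the original advisory or any Rockwell Automation tooling. It assumes the switch forwards IOS-style %SEC_LOGIN syslog messages and that 10.10.50.0/24 is the engineering subnet; the subnet, the threshold and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the advisory): engineering subnet, alert threshold, and
# IOS-style SEC_LOGIN syslog messages forwarded from the switch.
ENGINEERING_NET = ipaddress.ip_network("10.10.50.0/24")
FAILURE_THRESHOLD = 3

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = """\
Jul 31 10:12:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.20.7.77] [localport: 22] [Reason: Login Authentication Failed]
Jul 31 10:12:04: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.20.7.77] [localport: 22] [Reason: Login Authentication Failed]
Jul 31 10:12:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.20.7.77] [localport: 22] [Reason: Login Authentication Failed]
Jul 31 10:12:15: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.20.7.77] [localport: 22]
Jul 31 10:30:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
Jul 31 11:02:44: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: eng1] [Source: 10.10.50.12] [localport: 443]
"""

def analyze(log_text, allowed_net=ENGINEERING_NET, threshold=FAILURE_THRESHOLD):
    """Return (rule, source_ip, user) alerts in the order they fire."""
    alerts, failures, flagged_outside = [], defaultdict(int), set()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login event
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed source field; skip rather than crash
        # A login attempt from outside the engineering subnet: report each source once.
        if src not in allowed_net and src not in flagged_outside:
            flagged_outside.add(src)
            alerts.append(("outside-engineering-net", str(src), m["user"]))
        if m["result"] == "FAILED":
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(("repeated-failures", str(src), m["user"]))
        # Success: pop() resets the counter; alert if it followed a failure burst.
        elif failures.pop(src, 0) >= threshold:
            alerts.append(("success-after-failures", str(src), m["user"]))
    return alerts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A "success-after-failures" alert from a source outside the engineering subnet is the highest-priority case here, since the vulnerability described above requires valid management credentials.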
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Allen-Bradley Stratix 5900 Services Router: All, Stratix 8300 Modular Managed Ethernet Switches: All, Allen-Bradley Stratix 5400 Industrial Ethernet Switches: All, Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches: All, Allen-Bradley Stratix 5410 Industrial Distribution Switches: All. Apply the following compensating controls:
HARDENING: Contact Rockwell Automation for long-term patch timeline or replacement strategy, as no fix is currently available for these products.