OTPulse

Rockwell Automation Stratix 5100 (Update A)

Monitor | CVSS 6.9 | ICS-CERT ICSA-17-299-02 | Oct 26, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Vulnerability in Rockwell Automation Stratix 5100 wireless access point and workgroup bridge devices with firmware < 15.3(3) JC1 allows an attacker with wireless network access to perform man-in-the-middle attacks on client connections when 802.11r fast roaming is enabled. This could allow the attacker to intercept or modify wireless communications between clients and the access point.

Rockwell notes that 802.11r is not fully supported on the Stratix 5100, so access-point users operating without 802.11r enabled are not affected and do not require patching. However, wireless client devices that connect to the Stratix 5100 should be patched by their respective manufacturers. A firmware patch for the Stratix 5100 itself will be released in version 15.3(3) JC1 or later when available.

What this means
What could happen
An attacker with network access to the wireless network could intercept communications between wireless clients and the Stratix 5100 device, potentially reading or modifying data transmitted between them. This affects the integrity and confidentiality of wireless communications in your plant network.
Who's at risk
Organizations using Rockwell Automation Stratix 5100 wireless access points or workgroup bridges (particularly in manufacturing, utility automation, and critical infrastructure) that have wireless clients connecting to these devices. This affects any site using the Stratix 5100 as a central wireless component in plant network architecture.
How it could be exploited
An attacker positioned within or near the wireless network (adjacent network access) could perform a man-in-the-middle attack on clients connecting to the Stratix 5100 wireless access point or workgroup bridge. The attack exploits how the device handles the 802.11r fast roaming protocol, allowing the attacker to intercept traffic between clients and the access point.
Prerequisites
  • Wireless access to the Stratix 5100 network or adjacent network access
  • Stratix 5100 must have firmware version < 15.3(3) JC1
  • 802.11r must be enabled on the device (though 802.11r is not fully supported on this model)
  • Vulnerable wireless client devices must be connected to the Stratix 5100
  • Requires adjacent network access (physically close to wireless network)
  • Affects wireless confidentiality and integrity
  • No patch currently available from vendor
  • Potential to impact multiple connected clients
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Stratix 5100 | < 15.3(3) JC1 | No fix (EOL)
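
The prerequisites and the affected-version bound above, expressed as an inventory triage check. This is an added example, not part of the advisory or any Rockwell tooling; the function names, status names and inventory rows are constructed, and firmware on a release train other than JC is sent to manual review rather than ordered against the fixed release.

```python
import re

FIXED = "15.3(3) JC1"  # first fixed release named in the advisory
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)\s*([A-Za-z]*)(\d*)\s*$")

def parse_version(text):
    """Split '15.3(3) JC1' into ((15, 3, 3), 'JC', 1)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint)), train.upper(), int(rebuild or 0)

def compare_to_fixed(firmware):
    """Return -1/0/1 against FIXED, or None when the release trains differ."""
    base, train, rebuild = parse_version(firmware)
    f_base, f_train, f_rebuild = parse_version(FIXED)
    if base != f_base:
        return -1 if base < f_base else 1
    if train != f_train:
        return None  # assumption: no ordering is claimed between trains
    return (rebuild > f_rebuild) - (rebuild < f_rebuild)

def triage(firmware, dot11r_enabled):
    """dot11r_enabled: True, False, or None when the setting was not checked."""
    if dot11r_enabled is False:
        return "not_affected"  # advisory: AP without 802.11r needs no patch
    try:
        result = compare_to_fixed(firmware)
    except ValueError:
        return "review"
    if result is None:
        return "review"
    if result >= 0:
        return "fixed"
    return "affected" if dot11r_enabled else "verify_80211r"

# Constructed inventory rows (hostnames and values are made up for the example).
INVENTORY = [
    ("ap-line1", "15.3(3)JC", True),
    ("ap-line2", "15.3(3) JC1", True),
    ("wgb-agv7", "15.2(4)JB6", None),
    ("ap-yard", "15.3(3)JD", True),
    ("ap-lab", "15.3(3)JC", False),
]

if __name__ == "__main__":
    for host, firmware, dot11r in INVENTORY:
        print(f"{host:10} {firmware:12} -> {triage(firmware, dot11r)}")
```

A `not_affected` result covers the access point only; wireless clients that connect to it still need their manufacturers' patches, as the advisory states.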
Remediation & Mitigation
Do now
WORKAROUND: Verify that 802.11r is disabled on the Stratix 5100 device (refer to Knowledgebase Article ID 1068007). If 802.11r is disabled, the access point is not affected and patching is not required.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Patch all wireless client devices that connect to the Stratix 5100 with the latest compatible patches from the client manufacturers. Contact your wireless client device vendors for available updates.
HOTFIX: Apply Stratix 5100 firmware version 15.3(3) JC1 or later when it becomes available from Rockwell Automation or your supplier.
Rockwell Automation Stratix 5100 (Update A) | CVSS 6.9 - OTPulse