ICSA-18-107-03_Rockwell Automation Stratix Services Router

Act NowCVSS 9.8ICS-CERT ICSA-18-107-03Apr 17, 2018

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Rockwell Automation's Stratix 5900 Services Router contains multiple input validation and buffer overflow vulnerabilities (CVE-2018-0151, CVE-2018-0167, CVE-2018-0175, and others) derived from the underlying Cisco IOS/IOS XE codebase. These vulnerabilities allow an attacker to send specially crafted packets to trigger remote code execution, denial of service, or information disclosure without authentication. The affected Stratix 5900 with firmware version 15.6.3M1 and earlier has no patch available from Rockwell Automation.

What this means

What could happen

An attacker on the network could execute arbitrary code on the Stratix 5900 router without authentication, potentially disrupting communications between your control network and remote sites or causing the router to stop passing traffic to field devices.

Who's at risk

Water utilities and electric utilities that use Stratix 5900 routers to connect remote substations, pump stations, or RTUs to the main control center are affected. The vulnerability threatens devices that rely on the Stratix 5900 for secure communications and network routing in critical infrastructure environments.

How it could be exploited

An attacker sends a specially crafted network packet to the Stratix 5900 router over the internet or from within your network. The router processes the malformed packet without validating its contents, allowing the attacker to execute commands directly on the device and take control of its routing and firewall functions.

Prerequisites

Network reachability to the Stratix 5900 router (remotely exploitable; no credentials required)
No special configuration required; default settings are vulnerable

Remotely exploitable from the internetNo authentication requiredLow attack complexityActively exploited (KEV)High EPSS score (14.6%)No patch availableCritical CVSS score (9.8)

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (1)

ProductAffected VersionsFix Status

Allen-Bradley Stratix 5900 Services Router:≤ 15.6.3M1No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGIsolate the Stratix 5900 from direct internet access—place it behind a firewall and do not expose it to untrusted networks

HARDENINGDeploy network access controls to restrict traffic destined to the Stratix 5900 to only authorized administrators and control network sources

WORKAROUNDIf your facility does not use the Adaptive QoS for DMVPN feature, block all inbound traffic to UDP port 18999 at the firewall or apply Control Plane Policing (CoPP) rules to deny traffic to that port on the Stratix 5900 itself

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXMonitor the Rockwell Automation knowledge base article 1073313 for firmware updates or vendor guidance; contact your Rockwell Automation representative to determine if a patched firmware version is available for your deployment

HARDENINGDeploy Cisco Snort IDS rules 46110 and 46111 on your network monitoring infrastructure to detect exploitation attempts

Mitigations - no patch available

0/1

Allen-Bradley Stratix 5900 Services Router: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGSegment your control network from the business network to limit exposure of the Stratix 5900 to non-essential traffic

CVEs (4)

CVE-2018-0158 CVE-2018-0151 CVE-2018-0167 CVE-2018-0175

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/646f2cb8-91fd-4b2e-9ca7-4727c1f680f4

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.