OTPulse

ICSA-18-107-03_Rockwell Automation Stratix Services Router

Act Now · CVSS 9.8 · ICS-CERT ICSA-18-107-03 · Apr 17, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation's Stratix 5900 Services Router contains multiple input validation and buffer overflow vulnerabilities (CVE-2018-0151, CVE-2018-0167, CVE-2018-0175, and others) derived from the underlying Cisco IOS/IOS XE codebase. These vulnerabilities allow an attacker to send specially crafted packets to trigger remote code execution, denial of service, or information disclosure without authentication. The affected Stratix 5900 with firmware version 15.6.3M1 and earlier has no patch available from Rockwell Automation.

What this means
What could happen
An attacker on the network could execute arbitrary code on the Stratix 5900 router without authentication, potentially disrupting communications between your control network and remote sites or causing the router to stop passing traffic to field devices.
Who's at risk
Water utilities and electric utilities that use Stratix 5900 routers to connect remote substations, pump stations, or RTUs to the main control center are affected. The vulnerability threatens devices that rely on the Stratix 5900 for secure communications and network routing in critical infrastructure environments.
How it could be exploited
An attacker sends a specially crafted network packet to the Stratix 5900 router over the internet or from within your network. The router processes the malformed packet without validating its contents, allowing the attacker to execute commands directly on the device and take control of its routing and firewall functions.
Prerequisites
  • Network reachability to the Stratix 5900 router (remotely exploitable; no credentials required)
  • No special configuration required; default settings are vulnerable
Remotely exploitable from the internet · No authentication required · Low attack complexity · Actively exploited (KEV) · High EPSS score (14.6%) · No patch available · Critical CVSS score (9.8)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 5900 Services Router | ≤ 15.6.3M1 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the Stratix 5900 from direct internet access—place it behind a firewall and do not expose it to untrusted networks
HARDENING: Deploy network access controls to restrict traffic destined to the Stratix 5900 to only authorized administrators and control network sources
WORKAROUND: If your facility does not use the Adaptive QoS for DMVPN feature, block all inbound traffic to UDP port 18999 at the firewall or apply Control Plane Policing (CoPP) rules to deny traffic to that port on the Stratix 5900 itself
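The CoPP workaround above, written out as an added example in Cisco IOS configuration syntax; this is not configuration from the advisory or from Rockwell Automation, the ACL, class-map and policy-map names are assumptions, and it is only appropriate where Adaptive QoS for DMVPN is not in use.

```cisco
! Added example: Control Plane Policing that drops packets addressed to the
! router's own control plane on UDP port 18999.
! Names COPP-UDP18999-ACL, COPP-UDP18999-CLASS and COPP-POLICY are assumptions.
! The ACL uses "permit" on purpose: in CoPP the ACL selects the traffic that
! the policy-map acts on, and the class action is what drops it. A "deny"
! entry here would exclude the packets from the class and nothing would be dropped.
ip access-list extended COPP-UDP18999-ACL
 permit udp any any eq 18999
!
class-map match-all COPP-UDP18999-CLASS
 match access-group name COPP-UDP18999-ACL
!
policy-map COPP-POLICY
 class COPP-UDP18999-CLASS
  drop
!
control-plane
 service-policy input COPP-POLICY
!
! Check that the policy is attached and that the class's drop counter rises
! during an authorized test from a monitoring host:
!   show policy-map control-plane
!   show access-lists COPP-UDP18999-ACL
```

If the router already has a CoPP policy attached, add the class to that existing policy-map instead of attaching a second one, since only one input service-policy can be bound to the control plane.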
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor the Rockwell Automation knowledge base article 1073313 for firmware updates or vendor guidance; contact your Rockwell Automation representative to determine if a patched firmware version is available for your deployment
HARDENING: Deploy Cisco Snort IDS rules 46110 and 46111 on your network monitoring infrastructure to detect exploitation attempts
Mitigations - no patch available
Allen-Bradley Stratix 5900 Services Router has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment your control network from the business network to limit exposure of the Stratix 5900 to non-essential traffic