OTPulse

Rockwell Automation Stratix and ArmorStratix Switches

Act Now · 9.8 · ICS-CERT ICSA-18-107-04 · Apr 17, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple memory corruption, input validation, and format string vulnerabilities exist in Allen-Bradley Stratix 5400, 5410, 5700, 8000 and ArmorStratix 5700 industrial Ethernet switches running firmware 15.2(6)E0a and earlier. These affect the device management interface and Smart Install feature. Successful exploitation can cause memory exhaustion, module restart, information corruption, or information disclosure. The vulnerabilities are actively being exploited. The vulnerabilities include CWE-20 (improper input validation), CWE-119 (improper buffer handling), and CWE-134 (use of externally-controlled format strings).

What this means
What could happen
An attacker can remotely crash these industrial Ethernet switches, corrupt device memory, or extract sensitive information without authentication. This causes loss of network connectivity to critical equipment on the manufacturing floor, halting operations until the switch is manually rebooted and reconfigured.
Who's at risk
Manufacturing facilities operating Allen-Bradley Stratix 5400, 5410, 5700, 8000, and ArmorStratix 5700 industrial Ethernet switches in any environment. These devices connect to PLCs, sensors, and control systems on the factory floor. Utilities with automated substations or control centers using Rockwell Automation equipment are also affected.
How it could be exploited
An attacker on the network sends specially crafted packets to the switch's management interface or leverages the Smart Install feature (enabled by default on some upgraded devices) via TCP port 4786 to execute code or consume memory, causing the switch to restart or become unresponsive.
Prerequisites
  • Network access to the switch management IP address (typically port 22 for SSH, port 80/443 for HTTP/HTTPS)
  • For Smart Install vulnerabilities: TCP port 4786 must be reachable if Smart Install is enabled
  • No valid credentials required for some attack vectors
Risk indicators
  • Remotely exploitable without authentication
  • Low attack complexity
  • Actively exploited in the wild (KEV)
  • High exploit probability (93% EPSS)
  • No patch available for affected versions
  • Default credentials or insecure defaults (Smart Install enabled on upgraded devices)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 5400 Industrial Ethernet Switches | ≤ 15.2(6)E0a | 15.2(6)E1 or later
Allen-Bradley Stratix 5410 Industrial Distribution Switches | ≤ 15.2(6)E0a | 15.2(6)E1 or later
Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches | ≤ 15.2(6)E0a | 15.2(6)E1 or later
Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches | ≤ 15.2(6)E0a | 15.2(6)E1 or later
Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments | ≤ 15.2(6)E0a | 15.2(6)E1 or later
Remediation & Mitigation
Do now
HOTFIX: Upgrade all affected Stratix and ArmorStratix switches to firmware FRN 15.2(6)E1 or later
WORKAROUND: Disable the Smart Install feature using the 'no vstack' configuration command if the feature is not required or after initial setup is complete
WORKAROUND: If Smart Install must remain enabled, implement access control lists (ACLs) to block incoming traffic on TCP port 4786 from untrusted networks
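A constructed Cisco IOS configuration fragment, added here and not part of the advisory or of Rockwell's documentation, showing the two workarounds above applied on a Stratix switch: Smart Install turned off with 'no vstack', and, where the feature must stay on, an ACL that drops TCP/4786 at the untrusted uplink. The interface name and ACL name are assumed placeholders.

```cisco
! --- Weak state (the default on some upgraded devices): Smart Install is
! --- left enabled and nothing filters TCP 4786. There is no config line
! --- to look for; 'show vstack config' still shows the Smart Install role.
!
! --- Hardened, option 1 (preferred): disable Smart Install outright.
configure terminal
 no vstack
 end
!
! --- Hardened, option 2: Smart Install must remain on, so block the
! --- Smart Install port on the uplink facing untrusted networks.
! --- (Interface name is an assumed placeholder; adjust to the real uplink.)
configure terminal
 ip access-list extended BLOCK-SMART-INSTALL
  deny   tcp any any eq 4786
  permit ip any any
 exit
 interface GigabitEthernet1/1
  ip access-group BLOCK-SMART-INSTALL in
 end
!
! --- Verify the result and save it so it survives a reload.
show vstack config
show ip access-lists BLOCK-SMART-INSTALL
write memory
```

Bind the ACL to every interface that faces an untrusted network; an ACL applied to one uplink does not filter traffic arriving on the other ports.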
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Deploy Snort IDS rules (46096, 46097, 41725, 46120, 46104, 46119, 46110) from Cisco to detect exploitation attempts against the known vulnerabilities
HARDENING: Isolate industrial Ethernet switch management interfaces behind a firewall and restrict access to engineering workstations only
HARDENING: Ensure Stratix and ArmorStratix switches are not directly accessible from the corporate network or the Internet