Rockwell Automation Stratix and ArmorStratix Switches

Act NowCVSS 9.8ICS-CERT ICSA-18-107-04Apr 17, 2018

Rockwell AutomationManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple memory corruption, input validation, and format string vulnerabilities exist in Allen-Bradley Stratix 5400, 5410, 5700, 8000 and ArmorStratix 5700 industrial Ethernet switches running firmware 15.2(6)E0a and earlier. These affect the device management interface and Smart Install feature. Successful exploitation can cause memory exhaustion, module restart, information corruption, or information disclosure. The vulnerabilities are actively being exploited. The vulnerabilities include CWE-20 (improper input validation), CWE-119 (improper buffer handling), and CWE-134 (use of externally-controlled format strings).

What this means

What could happen

An attacker can remotely crash these industrial Ethernet switches, corrupt device memory, or extract sensitive information without authentication. This causes loss of network connectivity to critical equipment on the manufacturing floor, halting operations until the switch is manually rebooted and reconfigured.

Who's at risk

Manufacturing facilities operating Allen-Bradley Stratix 5400, 5410, 5700, 8000, and ArmorStratix 5700 industrial Ethernet switches in any environment. These devices connect to PLCs, sensors, and control systems on the factory floor. Utilities with automated substations or control centers using Rockwell Automation equipment are also affected.

How it could be exploited

An attacker on the network sends specially crafted packets to the switch's management interface or leverages the Smart Install feature (enabled by default on some upgraded devices) via TCP port 4786 to execute code or consume memory, causing the switch to restart or become unresponsive.

Prerequisites

Network access to the switch management IP address (typically port 22 for SSH, port 80/443 for HTTP/HTTPS)
For Smart Install vulnerabilities: TCP port 4786 must be reachable if Smart Install is enabled
No valid credentials required for some attack vectors

Remotely exploitable without authenticationLow attack complexityActively exploited in the wild (KEV)High exploit probability (93% EPSS)No patch available for affected versionsDefault credentials or insecure defaults (Smart Install enabled on upgraded devices)

Exploitability

Actively exploited — confirmed by CISA KEV

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Allen-Bradley Stratix 5400 Industrial Ethernet Switches:≤ 15.2(6)E0a15.2(6)E1+

Allen-Bradley Stratix 5410 Industrial Distribution Switches:≤ 15.2(6)E0a15.2(6)E1+

Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches:≤ 15.2(6)E0a15.2(6)E1+

Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches:≤ 15.2(6)E0a15.2(6)E1+

Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments:≤ 15.2(6)E0a15.2(6)E1+

Remediation & Mitigation

0/6

Do now

0/3

HOTFIXUpgrade all affected Stratix and ArmorStratix switches to firmware FRN 15.2(6)E1 or later

WORKAROUNDDisable Smart Install feature using 'no vstack' configuration command if the feature is not required or after initial setup is complete

WORKAROUNDIf Smart Install must remain enabled, implement access control lists (ACLs) to block incoming traffic on TCP port 4786 from untrusted networks

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGDeploy Snort IDS rules (46096, 46097, 41725, 46120, 46104, 46119, 46110) from Cisco to detect exploitation attempts against the known vulnerabilities

HARDENINGIsolate industrial Ethernet switch management interfaces behind a firewall and restrict access to engineering workstations only

HARDENINGEnsure Stratix and ArmorStratix switches are not directly accessible from the corporate network or Internet

CVEs (8)

CVE-2018-0171 CVE-2018-0156 CVE-2018-0174 CVE-2018-0172 CVE-2018-0173 CVE-2018-0158 CVE-2018-0167 CVE-2018-0175

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4a3d0787-ee7c-4564-9e21-3c03dcf61d55

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.