ICSA-18-107-05_Rockwell Automation Stratix Industrial Managed Ethernet Switch
Act Now · 8.8 · ICS-CERT ICSA-18-107-05 · Apr 17, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Rockwell Automation Stratix 8300 Industrial Managed Ethernet Switches contain multiple remote code execution vulnerabilities inherited from Cisco IOS/IOS XE Software, including Smart Install vulnerabilities (CVE-2018-0171, CVE-2018-0156), BFD vulnerabilities (CVE-2018-0155), and LLDP vulnerabilities (CVE-2018-0167, CVE-2018-0175). These vulnerabilities allow unauthenticated attackers on the adjacent network to execute arbitrary code with high impact on confidentiality, integrity, and availability.
What this means
What could happen
An attacker on your plant network could gain complete control of the Stratix switch, potentially disrupting network connectivity for all connected PLCs, sensors, and control devices, or stealing sensitive process data and device configurations.
Who's at risk
Manufacturing facilities and utilities operating Rockwell Automation Stratix 8300 Industrial Managed Ethernet Switches. This switch is commonly used as a core network device connecting all PLCs, remote I/O, motor drives, and other industrial devices. Compromise of the switch can cascade to impact all downstream control systems.
How it could be exploited
An attacker with access to your plant network (adjacent network segment) could send specially crafted packets to the switch's Smart Install feature (port 4786) or BFD feature, or send crafted LLDP packets, to trigger remote code execution without needing any credentials or authentication. Once the switch is compromised, the attacker could inspect, modify, or intercept all network traffic flowing through it.
Prerequisites
- Network access to the Stratix switch from the same network segment or adjacent network
- Smart Install feature enabled on the switch (enabled by default on upgraded switches that have not been set up again)
- No authentication required
Remotely exploitable · No authentication required · Low complexity · Actively exploited (KEV) · No patch available for affected version · Affects network infrastructure for entire industrial plant
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 8300 Industrial Managed Ethernet Switches | ≤ 15.2(4a)EA5 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable the Smart Install feature by running the 'no vstack' configuration command if it is not actively used for device provisioning
- WORKAROUND: Block incoming traffic on TCP port 4786 (Smart Install) at the network edge or plant firewall if Smart Install must remain enabled
- WORKAROUND: Disable the BFD feature by running 'feature bfd disable' in global configuration mode if it is not required for network operations
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Monitor Rockwell Automation knowledge base article 1073315 for future firmware updates addressing these vulnerabilities
Mitigations - no patch available
The Allen-Bradley Stratix 8300 Industrial Managed Ethernet Switch has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement Control Plane Policing (CoPP) to restrict BFD packet processing to known BFD peers only, if BFD must remain enabled
- HARDENING: Deploy Snort rules 46096, 46097, 41725, 46120, 46104, and 46119 on network IDS/IPS systems to detect exploitation attempts
- HARDENING: Verify Stratix switches are isolated behind the plant firewall and not directly accessible from the Internet or business network
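A configuration audit for the Smart Install and BFD items above, added here as an example; it is not part of the advisory or of any Rockwell Automation or Cisco tooling. It assumes IOS-style running-config text in which a disabled Smart Install shows as a top-level `no vstack` line, BFD sessions show as interface-level `bfd interval` lines, and any TCP 4786 filter is an ACL in the same file; the sample configs and the name `audit_config` are constructed for illustration.

```python
import re

# Constructed running-config excerpts (not from a real device).
SAMPLE_EXPOSED = """\
hostname stratix-line1
!
interface GigabitEthernet1/1
 bfd interval 50 min_rx 50 multiplier 3
!
interface GigabitEthernet1/2
 description PLC cell 4
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
"""

SAMPLE_HARDENED = """\
hostname stratix-line2
!
no vstack
!
interface GigabitEthernet1/1
 description uplink to core
"""

DENY_4786 = re.compile(r"\bdeny\s+tcp\b.*\beq 4786\b")

def audit_config(text):
    """Return findings for the Smart Install and BFD workarounds."""
    findings = []
    lines = [l.rstrip() for l in text.splitlines()]
    # Assumption: absence of a top-level 'no vstack' means Smart Install
    # is still at its default (enabled) state.
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' not present")
        # The port filter only matters while Smart Install stays enabled.
        if not any(DENY_4786.search(l) for l in lines):
            findings.append("smart-install: no ACL denying tcp/4786 in this "
                            "config (check the plant firewall)")
    iface = None  # current interface stanza, so BFD findings name the port
    for l in lines:
        if l.startswith("interface "):
            iface = l.split(None, 1)[1]
        elif not l.startswith(" "):
            iface = None  # left the stanza
        elif iface and l.strip().startswith("bfd interval"):
            findings.append(f"bfd: session parameters on {iface}")
    return findings
```

Run it over saved configuration backups; an empty list means none of the three checks fired, not that the switch is free of the vulnerabilities.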