Rockwell Automation Allen-Bradley Stratix 5950

Act NowCVSS 8.6ICS-CERT ICSA-18-184-01Jul 3, 2018

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Stratix 5950 industrial switch contains certificate validation bypass and denial-of-service vulnerabilities. An attacker can bypass client certificate checks to establish unauthorized connections to the device, or cause it to crash by exceeding its connection handling limits. The issues stem from improper input validation (CWE-20), incomplete certificate verification (CWE-295), and inadequate resource management (CWE-841). Rockwell Automation has not released firmware patches; the company is still developing corrections and will notify users when available. The underlying issues are embedded in the switch's firmware and cannot be patched by configuration changes alone.

What this means

What could happen

An attacker with network access to a Stratix 5950 switch could bypass certificate validation and establish unauthorized connections, or remotely crash the device, disrupting network connectivity to critical control system equipment.

Who's at risk

Water utilities and municipal electric providers using Stratix 5950 switches (part of Rockwell Automation's FactoryTalk or control network infrastructure) to manage network connectivity for PLCs, remote I/O, and safety systems. This switch is commonly deployed as a layer 2/3 backbone for plant networks in substations and water treatment facilities.

How it could be exploited

An attacker on the network sends specially crafted connection requests to the Stratix 5950 switch on its management port. The device fails to properly validate client certificates, allowing the attacker to either establish unauthorized management connections or send repeated requests that exhaust the device's connection handling capacity, causing it to crash.

Prerequisites

Network access to the Stratix 5950 management interface
Device must be connected to a network reachable from the attacker's position
No valid credentials or authentication required

remotely exploitableno authentication requiredlow complexityactively exploited (KEV)high EPSS score (94.4%)no patch availableaffects network critical infrastructure

Exploitability

Actively exploited — confirmed by CISA KEV

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (4 repositories)

Affected products (4)

4 pending

ProductAffected VersionsFix Status

Allen-Bradley Stratix 5950: 1783-SAD4T0SBK91783-SAD4T0SBK9No fix yet

Allen-Bradley Stratix 5950: 1783-SAD2T2SPK91783-SAD2T2SPK9No fix yet

Allen-Bradley Stratix 5950: 1783-SAD4T0SPK91783-SAD4T0SPK9No fix yet

Allen-Bradley Stratix 5950: 1783-SAD2T2SBK91783-SAD2T2SBK9No fix yet

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGIsolate Stratix 5950 switches from direct Internet exposure; place behind firewalls and segment from business network

HARDENINGImplement network access controls to restrict which systems can reach the switch management port

WORKAROUNDMonitor Stratix 5950 for certificate validation errors and unexplained crashes

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply firmware updates as soon as Rockwell Automation releases them

CVEs (5)

CVE-2018-0228 CVE-2018-0227 CVE-2018-0231 CVE-2018-0240 CVE-2018-0296

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/95ce5d31-e1e1-4468-9052-e41e2c0944b1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.