Rockwell Automation Stratix 5400/5410/5700 and ArmorStratix 5700
Monitor | 6.8 | ICS-CERT ICSA-19-094-02 | Apr 4, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The Stratix 5400, 5410, 5700 and ArmorStratix 5700 switches contain a vulnerability in how they handle network requests over the EtherNet/IP protocol (CIP). An unauthenticated remote attacker can send a specially crafted packet to the switch, triggering a memory leak condition. As memory is consumed, the device eventually reloads to recover, causing a temporary loss of network connectivity on all ports of that switch. This affects all firmware versions prior to 15.2(6)E2a.
What this means
What could happen
An unauthenticated attacker on the network can trigger a memory leak on Stratix switches, causing them to reload and interrupt industrial communications. While the reload itself may be temporary, repeated attacks could degrade control network availability.
Who's at risk
Water and electric utilities that use Allen-Bradley Stratix 5400, 5410, 5700, or ArmorStratix 5700 managed industrial Ethernet switches for manufacturing or control system networks. These switches are commonly deployed in process automation, SCADA networks, and industrial control system environments where switch availability is critical to continuous operations.
How it could be exploited
An attacker sends a crafted network packet to the affected Stratix switch over the network. The switch processes the malformed request, which causes a memory leak in the device firmware. As memory is exhausted, the device automatically reloads to clear the condition, disrupting network connectivity until it comes back online.
Prerequisites
- Network reachability to the Stratix switch on TCP port 2222 or UDP port 44818 (EtherNet/IP/CIP protocol ports)
- No credentials or authentication required
Remotely exploitable | No authentication required | Low complexity attack | No patch available for all affected versions | Affects network infrastructure (availability risk)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 5400: All | < 15.2(6)E2a | 15.2(6)E2a
Allen-Bradley Stratix 5410: All | < 15.2(6)E2a | 15.2(6)E2a
Allen-Bradley Stratix 5700: All | < 15.2(6)E2a | 15.2(6)E2a
Allen-Bradley ArmorStratix 5700: All | < 15.2(6)E2a | 15.2(6)E2a
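To apply the "prior to 15.2(6)E2a" rule to a switch inventory, the following added example (not part of the advisory or any vendor tooling) sorts firmware strings into affected, fixed, or needing manual review. It assumes versions follow the same major.minor(maintenance)train-rebuild layout as the fixed release string and that rebuilds order numerically then by letter within one train; the inventory is constructed sample data.

```python
import re

FIXED = "15.2(6)E2a"  # first fixed release named in the advisory

# major.minor(maintenance)TRAIN[rebuild][letter], e.g. 15.2(6)E2a
_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)([a-z]?)$")


def parse(version):
    """Split a release string into (base, train, rebuild) for comparison."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, maint, train, rebuild, letter = m.groups()
    return (int(major), int(minor), int(maint)), train, (int(rebuild or 0), letter)


def status(version, fixed=FIXED):
    """Return 'affected', 'fixed', or 'review' for one firmware string."""
    try:
        base, train, rebuild = parse(version)
    except ValueError:
        return "review"  # unparseable: a person should look at it
    f_base, f_train, f_rebuild = parse(fixed)
    if base != f_base:
        return "affected" if base < f_base else "fixed"
    if train != f_train:
        return "review"  # assumption: cross-train ordering is not decided here
    return "affected" if rebuild < f_rebuild else "fixed"


def triage(inventory):
    """Group switch names by status so affected ones can be scheduled."""
    groups = {"affected": [], "fixed": [], "review": []}
    for name, version in sorted(inventory.items()):
        groups[status(version)].append(name)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "stratix-5700-line1": "15.2(6)E1",
    "stratix-5400-core": "15.2(6)E2a",
    "stratix-5410-dist": "15.2(7)E",
    "armorstratix-cell3": "15.2(4)EA3",
    "stratix-5700-lab": "15.2(6)EA",
    "stratix-5700-spare": "not reported",
}
```

Switches that land in "review" should be checked against the vendor's release notes rather than assumed safe.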
Remediation & Mitigation
Do now
WORKAROUND: Block or restrict access to TCP and UDP ports 2222 and 44818 using firewall rules to limit which networks can reach the Stratix switches
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade to firmware version 15.2(6)E2a or later on all affected Stratix switches
Long-term hardening
HARDENING: Isolate control system networks and Stratix switches behind firewalls, ensuring they are not directly reachable from the corporate network or internet
HARDENING: Minimize network exposure by ensuring Stratix switches are not accessible from the internet
CVEs (1)