OTPulse

Rockwell Automation Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700

Plan Patch | CVSS 8.6 | ICS-CERT ICSA-19-094-03 | Apr 4, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Buffer overflow and memory exhaustion vulnerabilities in Rockwell Automation Stratix and ArmorStratix managed industrial Ethernet switches allow denial-of-service and time synchronization issues. The vulnerabilities exist in packet handling for EtherNet/IP and CIP protocols (ports 2222 and 44818) and can be triggered without authentication. Successful exploitation causes device reload, loss of network connectivity, or memory exhaustion. Affected products range from Stratix 5400 through 8300 series.

What this means
What could happen
An attacker on the network could trigger a denial-of-service condition by causing the managed switch to reload, stop responding, or exhaust memory, which would disrupt communication between PLCs, RTUs, and control systems. Time synchronization issues could also cascade across dependent industrial devices.
Who's at risk
Water utilities and municipal electric systems that use Allen-Bradley Stratix managed industrial switches (5400, 5410, 5700, 8000, 8300 series and ArmorStratix 5700) as network backbone or edge switches in the manufacturing zone. Any facility using these switches to interconnect PLCs, RTUs, or SCADA systems is at risk.
How it could be exploited
An attacker with network access to the switch can send a malformed packet or sequence of packets to trigger a buffer overflow or memory exhaustion condition via EtherNet/IP or CIP protocols. The switch reloads or becomes unresponsive, dropping all managed network traffic downstream.
Prerequisites
  • Network access to the Stratix switch on ports 2222 (TCP/UDP) or 44818 (TCP/UDP)
  • No authentication required; vulnerabilities are in packet parsing before credential check
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for devices at end-of-life
  • Causes denial of service on critical network infrastructure
  • Affects industrial control system availability
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 5400: All | ≤ 15.2(6)E0a | 15.2(6)E2a
Allen-Bradley Stratix 5410: All | ≤ 15.2(6)E0a | 15.2(6)E2a
Allen-Bradley Stratix 5700: All | ≤ 15.2(6)E0a | 15.2(6)E2a
Allen-Bradley ArmorStratix 5700: All | ≤ 15.2(6)E0a | 15.2(6)E2a
Allen-Bradley Stratix 8000: All | ≤ 15.2(6)E0a | 15.2(6)E2a
Allen-Bradley Stratix 8300: All | < 15.2(4)EA7 | 15.2(4)EA7
Remediation & Mitigation
Do now
WORKAROUND: Block inbound traffic on TCP and UDP ports 2222 and 44818 from outside the manufacturing zone using firewall or network appliance rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Stratix 5400, 5410, 5700, and ArmorStratix 5700 to firmware version 15.2(6)E2a or later
HOTFIX: Upgrade Stratix 8300 to firmware version 15.2(4)EA7 or later
HARDENING: Review and enable access control lists and deep packet inspection on the switch if supported by firmware version
Long-term hardening
HARDENING: Implement network segmentation to isolate manufacturing zone from business network; restrict EtherNet/IP traffic at network boundaries
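
To confirm that the boundary rules from the workaround and segmentation items above actually hold, this added example (not part of the advisory or any Rockwell tooling) audits exported flow records for traffic entering the manufacturing zone on ports 2222 and 44818. The zone subnet, the CSV layout and the sample records are assumptions constructed for illustration.

```python
import csv
import ipaddress

# Ports named in the advisory (EtherNet/IP and CIP), TCP and UDP.
ENIP_PORTS = {2222, 44818}
# Assumption: address space of the manufacturing zone. Replace with your own.
ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample flow records in a hypothetical export format
# (src,dst,proto,dport,action). Not taken from any real device.
SAMPLE_FLOWS = """\
src,dst,proto,dport,action
10.20.1.15,10.20.3.2,tcp,44818,allow
192.168.50.7,10.20.3.2,tcp,44818,allow
192.168.50.7,10.20.3.2,udp,2222,deny
172.16.9.4,10.20.3.2,tcp,443,allow
10.20.1.15,10.20.3.2,udp,2222,allow
203.0.113.9,10.20.3.9,udp,44818,allow
"""

def in_zone(addr, zone=ZONE):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in zone)

def audit(flow_csv, zone=ZONE):
    """Return (allowed, denied) flows entering the zone on the advisory's ports."""
    allowed, denied = [], []
    for row in csv.DictReader(flow_csv.splitlines()):
        try:
            dport = int(row["dport"])
            proto, action = row["proto"].lower(), row["action"].lower()
            crossing = in_zone(row["dst"], zone) and not in_zone(row["src"], zone)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records rather than abort the audit
        if crossing and dport in ENIP_PORTS and proto in ("tcp", "udp"):
            (allowed if action == "allow" else denied).append(row)
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = audit(SAMPLE_FLOWS)
    for r in allowed:  # permitted crossings mean the block rule has a gap
        print("GAP:", r["src"], "->", r["dst"], r["proto"], r["dport"])
    for r in denied:   # blocked crossings are worth reviewing as probe attempts
        print("blocked:", r["src"], "->", r["dst"], r["proto"], r["dport"])
```

Any flow in the first list is a path the workaround was meant to close; flows inside the zone are ignored because EtherNet/IP traffic between controllers and the switch is expected there.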