Rockwell Automation Stratix 5950
Severity: Act Now (8.6) · ICS-CERT ICSA-19-094-04 · Apr 4, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in the Allen-Bradley Stratix 5950 network switch allows a remote attacker to cause the device to reload (denial of service). The vulnerability exists in how the device processes certain network traffic and is related to improper input validation (CWE-20). IPsec is disabled by default, and Rockwell Automation recommends not using IPsec VPN connections and applying network-level controls to restrict access to EtherNet/IP protocols.
What this means
What could happen
An attacker with network access to a Stratix 5950 switch could send malformed traffic that forces the device to reload, disrupting network connectivity to all connected control devices and causing temporary loss of production visibility and control until the switch recovers.
Who's at risk
Water authorities and electric utilities using Allen-Bradley Stratix 5950 network switches for industrial control system connectivity are at risk. These switches are commonly deployed in manufacturing and utility automation networks to connect PLCs, RTUs, and engineering workstations. A device reload causes temporary loss of network access to all downstream control and monitoring devices.
How it could be exploited
An attacker on the network sends specially crafted packets to the Stratix 5950 switch. The device fails to properly validate the packet contents, triggering a reload. This could be accomplished remotely without credentials if the attacker has any network path to the device (e.g., from an engineering workstation or compromised PC on the plant network).
Prerequisites
- Network access to the Stratix 5950 switch from within the plant network or from the Internet if the device is internet-routable
- No authentication required to send malformed packets to the device
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (14.9%) · no patch available · affects network connectivity to safety-critical devices
Exploitability
High exploit probability (EPSS 14.9%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 5950: 1783-SAD2T2SBK9 | 1783-SAD2T2SBK9 | No fix (EOL)
Allen-Bradley Stratix 5950: 1783-SAD4T0SBK9 | 1783-SAD4T0SBK9 | No fix (EOL)
Allen-Bradley Stratix 5950: 1783-SAD4T0SPK9 | 1783-SAD4T0SPK9 | No fix (EOL)
Allen-Bradley Stratix 5950: 1783-SAD2T2SPK9 | 1783-SAD2T2SPK9 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Do not use IPsec VPN connections on Stratix 5950 devices (LAN-to-LAN, remote-access, or L2TP-over-IPsec)
- HARDENING: Deploy firewalls or network access control lists to block all inbound traffic to TCP/UDP ports 2222 and 44818 (EtherNet/IP and CIP protocols) from outside the manufacturing zone
- HARDENING: Restrict network access to Stratix 5950 management interfaces using access control lists or deep packet inspection
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Allen-Bradley Stratix 5950: 1783-SAD2T2SBK9, Allen-Bradley Stratix 5950: 1783-SAD4T0SBK9, Allen-Bradley Stratix 5950: 1783-SAD4T0SPK9, Allen-Bradley Stratix 5950: 1783-SAD2T2SPK9. Apply the following compensating controls:
- HARDENING: Ensure the Stratix 5950 is not directly accessible from the Internet; isolate it within the plant network behind firewalls
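One way to verify that the boundary controls above are actually in place is to audit firewall flow logs for allowed EtherNet/IP and CIP traffic (TCP/UDP 2222 and 44818) that originates outside the manufacturing zone. The following is an added example, not code from the advisory or from Rockwell Automation; the key=value flow-record format, the zone subnet 10.20.0.0/16 and the sample records are all assumptions constructed for illustration.

```python
"""Audit flow logs for EtherNet/IP / CIP traffic reaching the plant network from
outside the manufacturing zone. Added example; log format and zone are assumed."""
import ipaddress
from typing import Dict, List

# Ports named in the advisory mitigation: EtherNet/IP (2222) and CIP (44818), TCP and UDP
ETHERNET_IP_PORTS = {2222, 44818}

# Assumed manufacturing-zone address space (placeholder; replace with your own zone)
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]


def in_manufacturing_zone(addr: str) -> bool:
    """True if addr falls inside one of the configured manufacturing-zone subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANUFACTURING_ZONE)


def parse_flow(line: str) -> Dict[str, str]:
    """Parse an assumed key=value flow record, e.g.
    'ts=... proto=tcp src=... sport=... dst=... dport=... action=allow'."""
    return dict(field.split("=", 1) for field in line.split())


def find_exposed_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Return allowed TCP/UDP flows to port 2222 or 44818 whose source is outside
    the manufacturing zone; each one is traffic the mitigation says to block."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f.get("proto") not in ("tcp", "udp"):
            continue
        if int(f.get("dport", 0)) not in ETHERNET_IP_PORTS:
            continue
        if f.get("action") != "allow":
            continue  # already denied at the boundary, so not an exposure
        if in_manufacturing_zone(f["src"]):
            continue  # intra-zone EtherNet/IP traffic is expected
        hits.append(f)
    return hits


# Constructed sample records (not real traffic): one in-zone flow, one exposed flow,
# one already-denied flow, and one flow to an unrelated port
SAMPLE_FLOWS = [
    "ts=2019-04-04T10:00:01 proto=tcp src=10.20.5.12 sport=51234 dst=10.20.1.1 dport=44818 action=allow",
    "ts=2019-04-04T10:00:02 proto=udp src=192.0.2.77 sport=40000 dst=10.20.1.1 dport=2222 action=allow",
    "ts=2019-04-04T10:00:03 proto=tcp src=198.51.100.9 sport=40001 dst=10.20.1.1 dport=44818 action=deny",
    "ts=2019-04-04T10:00:04 proto=tcp src=172.16.8.3 sport=40002 dst=10.20.1.1 dport=22 action=allow",
]

if __name__ == "__main__":
    for f in find_exposed_flows(SAMPLE_FLOWS):
        print(f"exposed: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```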
CVEs (1)