OTPulse

Rockwell Automation Allen-Bradley Stratix 5950

Monitor · 6.7 · ICS-CERT ICSA-20-072-03 · Mar 12, 2020
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the Rockwell Automation Allen-Bradley Stratix 5950 network switch allows an attacker with high-level administrative credentials or physical access to write a modified firmware image to the device. Successful exploitation could give an attacker control over network traffic and device behavior. Four model variants (1783-SAD4T0SBK9, 1783-SAD2T2SPK9, 1783-SAD2T2SBK9, 1783-SAD4T0SPK9) are affected. The weakness is classified as CWE-284 (Improper Access Control).

What this means
What could happen
An attacker with high-level local access could write a malicious firmware image to the Stratix 5950 network switch, potentially taking control of network traffic and disrupting communication between control systems and field devices.
Who's at risk
Water authorities and electric utilities that use Rockwell Automation Allen-Bradley Stratix 5950 managed network switches in their control networks. The Stratix 5950 typically connects PLCs, RTUs, and field devices in critical infrastructure environments. Unauthorized firmware modification could disrupt communication across the entire control network.
How it could be exploited
An attacker would need local (physical or remote privileged) access to the device and the ability to write to the firmware storage. This typically requires valid high-privilege credentials or physical console access to load and execute a modified firmware image on the switch.
Prerequisites
  • High-privilege (administrative) credentials or physical console access to the Stratix 5950
  • Ability to upload or write firmware to the device
  • Local network access to the device management interface
  • no patch available (for affected model variants)
  • requires high-privilege credentials
  • low complexity exploit
  • affects network infrastructure controlling field devices
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
4 pending
Product | Affected Versions | Fix Status
Allen-Bradley Stratix 5950: 1783-SAD4T0SBK9 | 1783-SAD4T0SBK9 | No fix yet
Allen-Bradley Stratix 5950: 1783-SAD2T2SPK9 | 1783-SAD2T2SPK9 | No fix yet
Allen-Bradley Stratix 5950: 1783-SAD2T2SBK9 | 1783-SAD2T2SBK9 | No fix yet
Allen-Bradley Stratix 5950: 1783-SAD4T0SPK9 | 1783-SAD4T0SPK9 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Stratix 5950 by blocking or filtering TCP and UDP traffic on ports 2222 and 44818 at the firewall or network edge
HARDENING: Place the Stratix 5950 in a physically secure location with restricted access
HARDENING: Apply the principle of least privilege: limit administrative access to only personnel who need it
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Stratix 5950 firmware to version FRN v6.4.0 or later
HARDENING: Implement access control lists (ACLs) on the switch to restrict who can access management interfaces
Long-term hardening
HARDENING: Ensure the device is isolated from the business network and only reachable from authorized administrative workstations