OTPulse

ICSA-21-110-02_Rockwell Automation Stratix Switches

CVSS 7.8 · ICS-CERT ICSA-21-110-02 · Apr 20, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation Stratix network switches contain multiple vulnerabilities (CWE-522, CWE-345, CWE-823, CWE-532, CWE-78, CWE-77, CWE-20) affecting local and remote users. These include improper access control, insecure credential storage, buffer overflows, and command injection issues. Affected versions include Stratix 5400, 5410, 5700, 8000 (all ≤15.2(7)E3) and Stratix 5800 (≤16.12.01). The vulnerabilities allow authenticated local users to gain elevated privileges and execute arbitrary code on the switch.

What this means
What could happen
An authenticated user with local or remote access to an affected Stratix switch could execute arbitrary commands with elevated privileges, potentially allowing them to alter switch configuration, intercept network traffic, or disrupt operations of connected control systems. Stratix switches are often the primary network backbone in industrial plants, and compromise could affect multiple processes or entire facility operations.
Who's at risk
Water utilities, electric utilities, manufacturing plants, and other industrial sites that deploy Stratix switches as primary network infrastructure. This affects engineers and operators who have legitimate accounts on these switches, as well as any attacker who gains credentials (e.g., through phishing, credential theft, or weak password practices). Stratix switches often handle critical process network traffic; compromise could disrupt SCADA systems, RTUs, and other connected control devices.
How it could be exploited
An attacker with valid credentials (engineering workstation account or operator account) could connect to the switch via SSH or console access. Once authenticated, the attacker could exploit one of the command injection or buffer overflow vulnerabilities (CWE-78, CWE-823) to break out of restricted shell environments and gain root-level access, then modify switch configuration or introduce persistence mechanisms.
Prerequisites
  • Valid user account on the switch (engineering workstation login, operator account, or service account)
  • Local console access or remote SSH access to the switch management interface
  • Knowledge of at least one of the command injection or buffer overflow attack vectors (details not disclosed in advisory)
  • No patch available for most affected models
  • Multiple vulnerability types (command injection, buffer overflow, credential storage)
  • Affects network backbone equipment with broad operational impact
  • Requires valid credentials, but no network segmentation can fully eliminate insider risk
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (5)
1 with fix, 4 EOL

Product        Affected Versions   Fix Status
Stratix 5400   ≤ 15.2(7)E3         No fix (EOL)
Stratix 5410   ≤ 15.2(7)E3         No fix (EOL)
Stratix 5700   ≤ 15.2(7)E3         No fix (EOL)
Stratix 8000   ≤ 15.2(7)E3         No fix (EOL)
Stratix 5800   ≤ 16.12.01          17.04.01
Remediation & Mitigation
Do now
WORKAROUND (Stratix 5800 only): Disable the DECnet protocol on all interfaces, or on the entire switch, if DECnet is not required for plant operations
HARDENING (all Stratix models): Implement strict role-based access control on the switch; grant user and service accounts only the minimum command set and resource access needed for their role (least-privilege principle)
HARDENING (all Stratix models): Restrict SSH and console access to the switch management interface using firewall rules; allow access only from authorized engineering workstations on a dedicated management VLAN
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX (Stratix 5800 only): Update to firmware version 17.04.01 or later
HOTFIX (Stratix 8300 only): Plan migration to a contemporary Cisco switch model that receives active security updates; coordinate with engineering to minimize plant downtime
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Stratix 5400, Stratix 5410, Stratix 5700, Stratix 8000. Apply the following compensating controls:
HARDENING (all Stratix models): Segment the control network so that Stratix switches and attached devices are not directly accessible from the corporate or Internet-facing network
HARDENING: If remote access to the switch is required for maintenance, use a VPN with multi-factor authentication and keep the VPN software updated
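The role-based access and management-VLAN controls listed above, as an added Cisco IOS-style configuration example (not part of the advisory and not Rockwell's or Cisco's own guidance); the 10.20.30.0/24 management subnet, the ACL name, the view name and the usernames are assumptions:

```cisco
! Added example, not from the advisory or from vendor documentation.
! Stratix switches run Cisco IOS / IOS-XE, so the syntax follows that CLI.
! The subnet 10.20.30.0/24 (engineering management VLAN), ACL name, view
! name and usernames are assumptions for illustration.
!
! --- Weak: vty lines reachable from anywhere, every operator is privilege 15 ---
! line vty 0 15
!  transport input all
! username plant-operator privilege 15 secret ...
!
! --- Hardened ---
! 1. Only hosts on the management VLAN may reach the vty lines, SSH only.
ip access-list standard MGMT-HOSTS
 permit 10.20.30.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
line con 0
 exec-timeout 10 0
 login authentication default
!
! 2. Least privilege: a CLI view limited to read-only show commands,
!    instead of privilege 15 for every operator account.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
parser view OPERATOR
 secret <operator-view-secret>
 commands exec include show interfaces
 commands exec include show running-config
 commands exec include show logging
 commands exec include show version
!
username plant-operator view OPERATOR secret <strong-unique-password>
!
! 3. Accounts that need configuration rights get a separate, named login
!    so that changes are attributable in the switch log.
username plant-engineer privilege 15 secret <strong-unique-password>
```

Any account that can still reach the vty lines must come from the management VLAN and, unless it is a named engineering login, is confined to the OPERATOR view.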