Rockwell Automation Stratix Devices Containing Cisco IOS

Plan PatchCVSS 8.8ICS-CERT ICSA-22-300-03Oct 27, 2022

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Rockwell Automation Stratix network switches contain multiple vulnerabilities in embedded Cisco IOS that could allow code execution and denial-of-service. The vulnerabilities stem from improper input validation, weak authentication handling, and path traversal flaws (CWE-863, CWE-20, CWE-22). Stratix 5800 switches running firmware prior to v17.04.01 are vulnerable to all identified flaws. Stratix 5400/5410 switches running firmware prior to v15.2(7)E2 are vulnerable to CVE-2020-3200. No public exploit code is currently available.

What this means

What could happen

An attacker with network access could execute code on Stratix switches or cause them to stop functioning, disrupting network connectivity for control systems in water treatment plants, power generation, or substations.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using Rockwell Automation Stratix 5400, 5410, or 5800 network switches for control system connectivity are affected. Stratix switches provide Layer 2/Layer 3 connectivity for PLCs, RTUs, and field devices in SCADA and distributed control systems.

How it could be exploited

An attacker with valid network credentials and access to the switch management interface could exploit authentication or input validation flaws in Cisco IOS to run arbitrary commands or crash the device, potentially isolating control system networks.

Prerequisites

Network access to the Stratix device management interface (SSH, Telnet, or HTTP)
Valid user credentials for device authentication
Device running vulnerable Cisco IOS firmware version

remotely exploitablerequires valid credentialsaffects network infrastructure serving safety systemslow exploit probability (EPSS 1.3%)

Exploitability

Some exploitation risk — EPSS score 1.3%

Affected products (2)

2 pending

ProductAffected VersionsFix Status

Rockwell Automation Stratix Devices: <16.12.01<16.12.01No fix yet

Rockwell Automation Stratix Devices: <15.2{7}E2<15.2{7}E2No fix yet

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to Stratix device management interfaces using firewall rules or access control lists

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Stratix 5800 switches to firmware v17.04.01 or later

HOTFIXUpdate Stratix 5400/5410 switches to firmware v15.2(7)E2 or later for CVE-2020-3200

HARDENINGDisable unnecessary management protocols (Telnet, HTTP) and use SSH only for remote access

Long-term hardening

0/1

HARDENINGSegment control system networks from business networks and ensure switches are not reachable from the Internet

CVEs (9)

CVE-2020-3229 CVE-2020-3219 CVE-2021-1446 CVE-2020-3200 CVE-2020-3211 CVE-2020-3218 CVE-2020-3209 CVE-2021-1385 CVE-2020-3516

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/eb798b44-2d24-46fa-921e-d56cf1e0090e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.