ICSA-17-208-04  ·  Published 2017-08-24

Rockwell Automation Allen-Bradley Stratix and ArmorStratix

CVSS 8.8 HIGH CISA KEV — Known Exploited

Risk Summary

ATTENTION: Remotely exploitable/low skill level to exploit

CVEs (1)

Remediations

  • According to Rockwell Automation, multiple Cisco Systems, Inc. vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software have been identified which affect certain products in the Allen-Bradley Stratix and ArmorStratix product lines.
  • For more information about the SNMP vulnerabilities identified by Cisco, see Cisco's advisory.
  • Rockwell Automation recommends that users of affected products consult the suggestions below and, when possible, employ multiple strategies to mitigate their risk.
  • For the Stratix 8300 Product Family, Catalog Numbers 1783-RMS, Rockwell Automation suggests updating to v15.2(4a)EA5 or later.
  • Rockwell Automation has provided interim compensating controls for the remaining Allen-Bradley Stratix and ArmorStratix switches to help reduce the risk of exploitation of these vulnerabilities. Rockwell Automation encourages users to evaluate the compensating controls provided below and apply the possible mitigations.
  • Disable the following Management Information Bases (MIBs) on a device, if they are installed/active on the Stratix device:
      • Stratix 8000, 8300, 5700, 5400, 5410: CISCO-MAC-AUTH-BYPASS-MIB
      • Stratix 5900: ADSL-LINE-MIB
      • Stratix 5900: CISCO-ADSL-DMT-LINE-MIB
      • Stratix 5900: CISCO-BSTUN-MIB
      • Stratix 5900: CISCO-MAC-AUTH-BYPASS-MIB
      • Stratix 5900: CISCO-VOICE-DNIS-MIB
  • Details on how to use the Command Line Interface to disable or limit access to SNMP or individual MIBs can be found at Knowledgebase Article ID 1055391. A login is required to view the article.
  • Note: The Stratix device may not have all of the MIBs installed/active.
  • If SNMP is required, use strong SNMP v3 credentials since this attack requires authentication.
  • Cisco Talos, Cisco's threat intelligence organization, has created the following Snort rules (SIDs) to detect exploits utilizing this vulnerability: 43424, 43425, 43426, 43427, 43428, 43429, 43430, 43431, 43432. The rules can be used on Stratix 5950 Security Appliances positioned appropriately within the network architecture to provide enhanced visibility. The Snort rules (SIDs) are enabled in the following curated rule sets: “Balanced Security and Connectivity,” “Connectivity over Security,” and “Secure over Connectivity.”
  • Use proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. Firewalls will not block requests from compromised but authorized sources.
  • As new versions of firmware are released to remediate this vulnerability, Rockwell Automation will provide mitigation updates in their advisory. For more information about these vulnerabilities, mitigation updates, and Rockwell Automation's general security guidelines, please see Rockwell Automation's security advisory found at the following link. A login is required to view the advisory.
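
The SNMP compensating controls listed above (SNMPv3 credentials, blocking unauthorized sources, disabling MIBs) can be checked against an exported running configuration. The script below is an added example, not code from Rockwell Automation, Cisco or CISA; it assumes standard Cisco IOS `snmp-server` syntax, and the view names, community string, ACL number and OID placeholder in the sample are constructed.

```python
# Constructed running-config excerpt: view names, the community string, the
# ACL number and the OID placeholder are assumptions, not advisory values.
SAMPLE_CONFIG = """\
snmp-server view FULL iso included
snmp-server view LIMITED iso included
snmp-server view LIMITED PLACEHOLDER-MIB-OID excluded
snmp-server community plantfloor RO
snmp-server group OPS v3 noauth read FULL
snmp-server group NMS v3 priv read LIMITED access 10
"""

def _after(tokens, keyword):
    """Return the token that follows keyword, or None if it is absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None

def audit_snmp(config):
    """Return (line_number, finding) pairs for SNMP access lacking a control."""
    lines = [line.split() for line in config.splitlines()]
    # Views with at least one excluded subtree: the only place a MIB can be
    # hidden from an SNMP community or group.
    excluding = {t[2] for t in lines if len(t) >= 5
                 and t[:2] == ["snmp-server", "view"] and t[-1] == "excluded"}
    findings = []
    for n, t in enumerate(lines, 1):
        if t[:2] == ["snmp-server", "community"] and len(t) >= 3:
            opts = t[3:]  # [view NAME] [RO|RW] [ACL]
            view = _after(opts, "view")
            last = opts[-1] if opts else None
            acl = None if last in (None, view) or last.upper() in ("RO", "RW") else last
            findings.append((n, "v1v2c-community"))  # no SNMPv3 credentials
        elif t[:2] == ["snmp-server", "group"] and len(t) >= 4:
            opts = t[3:]  # v1 | v2c | v3 {noauth|auth|priv} [read VIEW] [access ACL]
            view, acl = _after(opts, "read"), _after(opts, "access")
            if opts[0] != "v3":
                findings.append((n, "v1v2c-group"))
            elif _after(opts, "v3") == "noauth":
                findings.append((n, "v3-noauth"))
        else:
            continue
        if acl is None:
            findings.append((n, "no-acl"))  # any source address may query
        if view not in excluding:
            findings.append((n, "no-mib-exclusion"))  # full MIB tree readable
    return findings

if __name__ == "__main__":
    for line_no, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}")
```

A clean result for `no-mib-exclusion` only shows that the bound view excludes something; which subtrees to exclude for a given Stratix model comes from the MIB list above and the vendor's knowledgebase article.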

Affected Vendors

Rockwell Automation

Affected Products (6)

Rockwell Automation · Allen-Bradley Stratix 5410 Industrial Distribution Switches <= 15.2(5)EA.fc4
Rockwell Automation · Allen-Bradley Stratix 5900 Services Router <= 15.2(5)EA.fc4
Rockwell Automation · Stratix 8300 Modular Managed Ethernet Switches <= 15.2(5)EA.fc4
Rockwell Automation · Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches <= 15.2(5)EA.fc4
Rockwell Automation · Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches <= 15.2(5)EA.fc4
Rockwell Automation · Allen-Bradley Stratix 5400 Industrial Ethernet Switches <= 15.2(5)EA.fc4

Affected Sectors

Critical Manufacturing, Energy, and Water and Wastewater Systems
