Rockwell Automation Stratix 5100 (Update A)

Risk Summary

Successful exploitation of this vulnerability may allow the attacker to operate as a man-in-the-middle between the device and the wireless network.

CVEs (1)

Remediations

• Rockwell Automation recommends that all users patch the clients that connect to the Stratix 5100 WAP/WGB, and recommends contacting a supplier to get the most updated compatible patch. However, patching the client only protects the connection formed by that specific client. In order to protect all future clients, Rockwell Automation recommends patching the Stratix 5100 WAP/WGB when the firmware is available.
• After further investigation, Rockwell Automation has determined that since the vulnerability affects Stratix 5100 access points with 802.11r enabled and 802.11r is not fully supported on the Stratix 5100 WAP/WGB, access-point users are not affected by this vulnerability and patching the Stratix 5100 WAP/WGB is not required when the device is operating as an access point. To verify that 802.11r is disabled, please refer to this Knowledgebase Article ID 1068007. Rockwell still suggests that users refer to manufacturers of their connected wireless client devices for suggested patch procedures.
• As new versions of firmware are released to remediate this vulnerability, Rockwell Automation will provide mitigation updates in their advisory. For more information about this vulnerability, mitigation updates, and Rockwell Automation's general security guidelines, please see Rockwell Automation's security advisory found at the following link. A login is required to view the advisory.https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1066697 Rockwell Automation also offers the following general security guidelines:
• Use trusted software, software patches, anti-virus/anti-malware programs, and interact only with trusted websites and attachments.
• Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port 2222 and Port 44818 using proper network infrastructure controls, such as firewalls, unified threat management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledge base Article ID 898270.
• Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

Affected Vendors

Affected Products (1)

Affected Sectors

Critical Manufacturing, Energy, Water and Wastewater Systems