ICSA-21-110-02 · Published 2021-04-20
ICSA-21-110-02: Rockwell Automation Stratix Switches
CVSS 7.8 (HIGH)
CVEs (7)
Remediations
- Rockwell Automation encourages users of the affected Stratix devices to update to an available firmware revision that addresses the associated risk.
- Stratix 5800: Apply Version 17.04.01 or later. If possible, disable DECnet protocol completely or on select interfaces.
- Stratix 8300: Migrate to contemporary solution.
- All versions, including Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400: Confirm the least-privilege user principle is followed, and user account access is only granted with a minimum number of rights as needed.
- Please see the Rockwell Automation security advisory for more detailed information.
- Where a fix is not yet available, users who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to apply the general security guidelines so that multiple strategies are employed simultaneously.
- Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.
- Use proper network infrastructure controls, such as firewalls, to help confirm traffic from unauthorized sources is blocked.
- Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes, etc.
- Confirm the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
- Use trusted firmware, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see Knowledgebase Article PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.
Affected Vendors
Rockwell Automation
Affected Products (5)
- Rockwell Automation Stratix 5400: <= 15.2(7)E3
- Rockwell Automation Stratix 5700: <= 15.2(7)E3
- Rockwell Automation Stratix 5410: <= 15.2(7)E3
- Rockwell Automation Stratix 8000: <= 15.2(7)E3
- Rockwell Automation Stratix 5800: <= 16.12.01