PN991 | Stratix SNMP Packet Remote Code Execution Vulnerabilities

Severity: High
Advisory ID: PN991
Published Date: November 02, 2017
Last Updated: November 02, 2017
Revision Number: 1.1
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2017-6741, CVE-2017-6744, CVE-2017-6743, CVE-2017-6740, CVE-2017-6738, CVE-2017-6737, CVE-2017-6742, CVE-2017-6739, CVE-2017-6736

Summary
Stratix SNMP Packet Remote Code Execution Vulnerabilities

Description

Version 1.1 - November 2, 2017
Version 1.0 - July 27, 2017

Cisco Systems, Inc. ("Cisco") has reported that multiple vulnerabilities exist in the Simple Network Management Protocol ("SNMP") subsystem of Cisco IOS and IOS XE software that, if successfully exploited, can allow an authenticated, remote attacker to execute code on an affected device or cause an affected device to crash and reload. Allen‑Bradley® Stratix® and ArmorStratix™ Industrial Ethernet switch products and the Stratix 5900 Services Router contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet switches for real-time control and information sharing on a common network infrastructure.

According to Cisco, these vulnerabilities are remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.

UPDATE: NOVEMBER 2, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

For support on how to determine which version of Stratix firmware is on your device, please see Knowledgebase Article ID 55484.

All Versions 15.2(5)EA.fc4 and earlier
• Allen‑Bradley Stratix 5400 Industrial Ethernet Switches
• Allen‑Bradley Stratix 5410 Industrial Distribution Switches
• Allen‑Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
• Allen‑Bradley Stratix 8000 Modular Managed Ethernet Switches

All Versions 15.2(4)EA and earlier
• Stratix 8300 Modular Managed Ethernet Switches

All Versions 15.6(3)M1 and earlier
• Allen‑Bradley Stratix 5900 Services Router

VULNERABILITY DETAILS

Multiple vulnerabilities exist in the SNMP subsystem of Cisco IOS and IOS XE software that could allow an authenticated, remote attacker to execute code on an affected system or cause an affected system to reload by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

The vulnerabilities affect all versions of SNMP. To exploit these vulnerabilities via SNMP version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities in SNMP version 3, the attacker must authenticate their identity with user credentials for the affected system.

CVE ID # | Headline (linked to Cisco Advisory) | CVSS v3 Score and Vector String **
CVE-2017-6736, CVE-2017-6737, CVE-2017-6738, CVE-2017-6739, CVE-2017-6740, CVE-2017-6741, CVE-2017-6742, CVE-2017-6743, CVE-2017-6744 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High), CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

** For a better understanding of how this score was generated, please follow the link to first.org.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Rockwell Automation will update this advisory as new versions of firmware are released that remediate this vulnerability. Until then, Rockwell Automation recommends that customers using affected products consult the suggestions below and employ multiple strategies to mitigate their risk when possible.

Product Family | Catalog Numbers | Affected Versions | Suggested Actions
Stratix 8300 | 1783-RMS | 15.2(4)EA and earlier | Update to v15.2(4a)EA5 or later (Download)
Stratix 5900 | 1783-SRKIT | V15.6.3 and earlier | See Risk Mitigations below
Stratix 8000 | 1783-MS | 15.2(5)EA.fc4 and earlier | Update to 15.2(6)E0a or later (Download); in addition, see Risk Mitigations below
Stratix 5400 | 1783-HMS | 15.2(5)EA.fc4 and earlier | Update to 15.2(6)E0a or later (Download); in addition, see Risk Mitigations below
Stratix 5410 | 1783-IMS | 15.2(5)EA.fc4 and earlier | Update to 15.2(6)E0a or later (Download); in addition, see Risk Mitigations below
Stratix 5700 | 1783-BMS | 15.2(5)EA.fc4 and earlier | Update to 15.2(6)E0a or later (Download); in addition, see Risk Mitigations below
ArmorStratix 5700 | 1783-ZMS | 15.2(5)EA.fc4 and earlier | Update to 15.2(6)E0a or later (Download); in addition, see Risk Mitigations below

  1. Disable the following Management Information Bases (MIBs) on a device, if they are installed/active on your Stratix device:
    Stratix 8000, 8300, 5700, 5400, 5410:
      • CISCO-MAC-AUTH-BYPASS-MIB
    Stratix 5900:
      • ADSL-LINE-MIB
      • CISCO-ADSL-DMT-LINE-MIB
      • CISCO-BSTUN-MIB
      • CISCO-MAC-AUTH-BYPASS-MIB
      • CISCO-VOICE-DNIS-MIB

    Details on how to use the Command Line Interface to disable or limit access to SNMP or individual MIBs can be found at Knowledgebase Article ID 1055391.
    Note: Your Stratix device may not have all of the MIBs installed/active.
  2. If SNMP is required, use strong SNMP v3 credentials since this attack requires authentication.
  3. Cisco Talos, Cisco’s threat intelligence organization, has created Snort rules with the following SIDs to detect exploits utilizing this vulnerability: 43424, 43425, 43426, 43427, 43428, 43429, 43430, 43431, 43432. These rules can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are enabled in the following curated rule sets: "Balanced Security and Connectivity", "Connectivity over Security", and "Secure over connectivity".
  4. Use proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. Firewalls will not block requests from compromised, but authorized sources.
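
Added example (not part of the Rockwell Automation or Cisco advisory text): a small Python audit of the SNMP lines in an IOS-style running-config, checking for the conditions that mitigations 2 and 4 and the v2c community-string note in Vulnerability Details are concerned with. The sample configuration, ACL number, group and user names, and finding codes are constructed assumptions; only the standard `snmp-server community` and `snmp-server group` command forms are relied on.

```python
"""Audit SNMP lines of an IOS-style running-config (added example)."""

# Constructed sample (not from a real device); names and ACL number are made up.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community plantmon RO 10
snmp-server group OPS v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user monitor OPS v3 auth sha <redacted> priv aes 128 <redacted>
snmp-server host 192.0.2.10 version 2c plantmon
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def community_has_acl(options):
    """True if the tokens after the community string include an access list."""
    opts = [o.lower() for o in options]
    i = 0
    while i < len(opts):
        if opts[i] in ("ro", "rw"):
            i += 1            # access-mode keyword, takes no argument
        elif opts[i] == "view":
            i += 2            # 'view <name>' limits OIDs, not source addresses
        else:
            return True       # ACL number/name, or 'ipv6 <acl-name>'
    return False


def audit_snmp(config):
    """Return (line_number, finding_code) pairs; community strings are never echoed."""
    findings = []
    for n, line in enumerate(config.splitlines(), start=1):
        tok = line.split()
        if len(tok) < 3 or tok[0].lower() != "snmp-server":
            continue
        kind = tok[1].lower()
        if kind == "community":
            findings.append((n, "v2c-community"))   # v2c: the RO string is the only credential
            if tok[2].lower() in DEFAULT_COMMUNITIES:
                findings.append((n, "default-community"))
            if not community_has_acl(tok[3:]):
                findings.append((n, "community-no-acl"))
        elif kind == "group" and len(tok) >= 5 and tok[3].lower() == "v3":
            if tok[4].lower() == "noauth":          # v3 group without authentication
                findings.append((n, "v3-noauth"))
    return findings


if __name__ == "__main__":
    for n, code in audit_snmp(SAMPLE_CONFIG):
        print(f"line {n}: {code}")
```

A source ACL on a community string narrows who can query the device but, as item 4 notes for firewalls, does not stop requests from a compromised authorized host.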

GENERAL SECURITY GUIDELINES

  1. If available, use product-specific features, such as a keyswitch setting, to block unauthorized changes, etc. Consult the product documentation for the availability and usage of these features.
  2. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  3. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  4. Locate control system networks and devices behind firewalls, and isolate them from the enterprise network.
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

  • Cisco: SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software
  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

REVISION HISTORY

Date | Version | Details
02-Nov-2017 | 1.1 | Updated Firmware Available
27-Jul-2017 | 1.0 | Initial Release

KCS Status

Released
