
PN1558 | Stratix Switches Impacted by IOS and IOS XE Software Vulnerabilities

Severity: High, Medium
Advisory ID: PN1558
Published Date: March 26, 2021
Last Updated: March 26, 2021
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2021-1452, CVE-2021-1442, CVE-2021-1443, CVE-2021-1392, CVE-2021-1403, CVE-2021-1220, CVE-2021-1352
Summary
Stratix Switches Impacted by IOS and IOS XE Software Vulnerabilities

Revision History
Revision Number: 1.0
Version 1.0 - March 26, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Cisco regarding eight vulnerabilities in Stratix® switches. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, unauthorized privilege escalation, web socket hijacking, relative path traversal or command injection.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

| CVE ID | Affected Product Family | Affected Versions |
|---|---|---|
| CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier |
| CVE-2021-1392 | Stratix 8300 | All Versions |
| CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled. |
| CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier |
| CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier |

Vulnerability Details

CVE-2021-1392: IOS and IOS XE Software Common Industrial Protocol (CIP) Privilege Escalation Vulnerability
A vulnerability in the CLI command permissions of Cisco® IOS and Cisco IOS XE software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP™) and then remotely configure the affected device as an administrative user.

CVSS v3.1 Base Score: 7.8/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1403: IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability
A vulnerability in the web UI feature of Cisco IOS XE software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVE-2021-1352: IOS XE Software DECnet Phase IV/OSI Denial of Service Vulnerability
A vulnerability in the DECnet protocol processing of Cisco IOS XE software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. An attacker could exploit this vulnerability by sending DECnet traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

This vulnerability affects Stratix 5800 devices if they are running a vulnerable release of Cisco IOS XE software and have the DECnet protocol enabled. DECnet is not enabled by default.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2021-1442: IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
A vulnerability in a diagnostic command for the Plug and Play (PnP) subsystem of Cisco IOS XE software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator on an affected Stratix 5800.

Plug and Play is disabled after Express Setup has completed.

CVSS v3.1 Base Score: 7.0/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1452: IOS XE ROM Monitor Software OS Command Injection Vulnerability
A vulnerability in the Stratix 5800 switches could allow an unauthenticated, physical attacker to execute persistent code at boot time and break the chain of trust.

CVSS v3.1 Base Score: 6.8/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1443: IOS XE Software Web UI OS Command Injection Vulnerability
A vulnerability in the web UI of the IOS XE software could allow a remote, authenticated attacker to execute arbitrary code with root privileges on the underlying operating system of the affected device. To exploit this vulnerability, an attacker would need to have Admin credentials to the device.

CVSS v3.1 Base Score: 5.5/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVE-2021-1220/CVE-2021-1356: IOS XE Software Web UI Denial-of-Service Vulnerabilities
Multiple vulnerabilities in the Web UI feature of IOS XE software could allow an authenticated, remote attacker with read-only privileges to cause the web management software to hang and consume vty line instances resulting in a denial-of-service (DoS) condition.

CVSS v3.1 Base Score: 4.3/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected Stratix devices are encouraged to update to an available firmware revision that addresses the associated risk.

Where a fix is not yet available, customers are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to apply general security guidelines to employ multiple strategies simultaneously.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.

| CVE ID | Affected Product Family | Affected Firmware Versions | Suggested Actions |
|---|---|---|---|
| CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier | Confirm that the least-privilege user principle is followed, and user account access is only granted with a minimum number of rights as needed. |
| CVE-2021-1392 | Stratix 8300 | All Versions | Migrate to contemporary solution. |
| CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled. | If possible, disable DECnet protocol completely or on select interfaces. To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies. |
| CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and user account access is only granted with a minimum number of rights as needed. |
| CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and user account access is only granted with a minimum number of rights as needed. |
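The affected-version and suggested-action rows above can be checked against a switch inventory mechanically. The following is an added example, not a Rockwell Automation or Cisco tool: the rule rows are transcribed from this advisory (action text abbreviated), while the hostnames and inventory firmware levels are constructed, and IOS versions such as 15.2(7)E3 are assumed to be compared within a single release train. It also shows that a Stratix 5800 on 17.04.01 still matches the rows whose affected range ends at 17.04.01.

```python
import re

# Rows transcribed from the advisory's tables: (CVE, families, highest affected
# version or None for "All Versions", needs DECnet enabled, abbreviated action).
S5800 = {"Stratix 5800"}
IOS_FAMILIES = {"Stratix 8000", "Stratix 5700", "Stratix 5410", "Stratix 5400"}
LEAST_PRIV = "Confirm least-privilege user access."
UPGRADE = "Apply version 17.04.01 or later."
RULES = [
    ("CVE-2021-1392", S5800, "16.12.01", False, UPGRADE),
    ("CVE-2021-1392", IOS_FAMILIES, "15.2(7)E3", False, LEAST_PRIV),
    ("CVE-2021-1392", {"Stratix 8300"}, None, False, "Migrate to contemporary solution."),
    ("CVE-2021-1403", S5800, "16.12.01", False, UPGRADE),
    ("CVE-2021-1352", S5800, "17.04.01", True, "Disable DECnet completely or on select interfaces."),
    ("CVE-2021-1442", S5800, "16.12.01", False, UPGRADE),
    ("CVE-2021-1452", S5800, "16.12.01", False, UPGRADE),
    ("CVE-2021-1443", S5800, "17.04.01", False, LEAST_PRIV),
    ("CVE-2021-1220/CVE-2021-1356", S5800, "17.04.01", False, LEAST_PRIV),
]

def version_key(v):
    """Order '16.12.01' (IOS XE) or '15.2(7)E3' (IOS, same train assumed)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+)|\((\d+)\)[A-Z]+(\d*))", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(g or 0) for g in m.groups())

def applicable(family, version, decnet_enabled=False):
    """Return [(cve, action)] for one switch, per the advisory's rows."""
    hits = []
    for cve, families, max_affected, needs_decnet, action in RULES:
        if family not in families or (needs_decnet and not decnet_enabled):
            continue
        if max_affected is None or version_key(version) <= version_key(max_affected):
            hits.append((cve, action))
    return hits

# Constructed inventory (hypothetical hostnames and firmware levels).
INVENTORY = [
    ("sw-line1", "Stratix 5800", "16.12.01", False),
    ("sw-line2", "Stratix 5800", "17.04.01", True),
    ("sw-pack1", "Stratix 5700", "15.2(7)E2", False),
    ("sw-old1", "Stratix 8300", "15.2(4)EA9", False),
]

if __name__ == "__main__":
    for host, family, version, decnet in INVENTORY:
        for cve, action in applicable(family, version, decnet):
            print(f"{host:9} {family:13} {version:11} {cve:28} {action}")
```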

General Security Guidelines


Network-based Vulnerability Mitigations for Embedded Products
  • Use proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes, etc.
Software/PC-based Mitigation Strategies
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Mitigations
  • Use trusted firmware, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

Copyright ©2022 Rockwell Automation, Inc.