
PN946 | Stratix® Denial of Service Vulnerabilities

Severity: Critical, High
Advisory ID: PN946
Published Date: April 26, 2017
Last Updated: April 26, 2017
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2016-6380, CVE-2016-6385, CVE-2016-6382, CVE-2016-6393
Summary
Stratix® Denial of Service Vulnerabilities

Description

Version 1.1 - April 26, 2017

UPDATE: April 26, 2017 - Further investigation has confirmed that the Stratix 8300® platform is also affected by these vulnerabilities. Stratix 8300 is a family of modular managed Ethernet switches. The affected Stratix 8300 versions and the mitigations to deploy are provided below.

On September 28, 2016, Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included ten security advisories detailing eleven vulnerabilities. Contained in these ten advisories are five vulnerabilities that impact the following Allen‑Bradley Stratix® and ArmorStratix™ products:

  • 26-APR-2017 Update: Allen‑Bradley® Stratix 8300® Modular Managed Ethernet Switches
  • Allen‑Bradley® Stratix 5400® Industrial Ethernet Switches
  • Allen‑Bradley® Stratix 5410® Industrial Distribution Switches
  • Allen‑Bradley® Stratix 5700® Industrial Managed Ethernet Switches
  • Allen‑Bradley® Stratix 8000® Modular Managed Ethernet Switches
  • Allen‑Bradley® ArmorStratix™ 5700 Industrial Managed Ethernet Switches for extreme environments

These vulnerabilities are remotely exploitable; a successful attack affects the availability of the vulnerable device. Depending on the vulnerability, exploitation can also result in memory exhaustion, a device restart, corruption of cached information, or information exposure.

Customers using affected versions of this software are encouraged to review the mitigation information below and update to the latest software versions, which contain the remediation. Additional vulnerability details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

  • 26-APR-2017 Update: Stratix 8300
    Version 15.2(4)EA and earlier
  • Stratix 5400, Stratix 5410, Stratix 5700, Stratix 8000, ArmorStratix 5700
    Version 15.2(4)EA3 and earlier

Updates for all affected products are now available and are linked in the table under Risk Mitigations below. Stratix product firmware versions not listed above are not affected by these vulnerabilities.

VULNERABILITY DETAILS

Vulnerability #1: AAA Authentication Fail Denial of Service
A vulnerability in the Authentication, Authorization, and Accounting (AAA) service for remote Secure Shell (SSH) connections to the device could allow an unauthenticated, remote attacker to cause the vulnerable device to reload.

The vulnerability is due to an error in the log message generated when a remote SSH connection to the device fails AAA authentication. It is only exploitable when an AAA failed-login banner (fail-message) is configured; an attacker could trigger it by attempting, and failing, to authenticate to the targeted device over SSH. A successful attack could result in a Denial of Service (DoS) condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados

A Common Vulnerabilities and Exposures ("CVE") ID, CVE-2016-6393, has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerabilities #2 and #3: Software Multicast Routing Denial of Service Vulnerabilities
Two vulnerabilities were discovered in the multicast subsystem of Cisco IOS and IOS XE Software, each allowing an unauthenticated, remote attacker to create a DoS condition.

The first vulnerability is in the Multicast Source Discovery Protocol (MSDP) implementation and could allow an unauthenticated, remote attacker to cause the affected device to reload. It is due to insufficient checking of MSDP Source-Active (SA) messages received from a configured MSDP peer. An attacker who can send traffic to the Internet Protocol version 4 ("IPv4") address of an affected device could trigger the issue with a maliciously crafted packet. A successful exploit could cause the affected device to restart.

The second vulnerability is due to insufficient checking of packets encapsulated in a Protocol Independent Multicast (PIM) register message. An attacker who can send Internet Protocol version 6 ("IPv6") PIM register packets to a PIM rendezvous point on the affected device could exploit this vulnerability with a malformed packet. A successful exploit could cause the affected device to restart.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp

CVE-2016-6382 has been assigned to the MSDP vulnerability; both multicast vulnerabilities are covered by the Cisco advisory linked above. A CVSS v3 base score of 8.6 has been assigned; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: DNS Forwarder Denial of Service and Information Corruption
A vulnerability exists in the Domain Name System ("DNS") forwarder functionality in the software that could allow an unauthenticated, remote attacker to cause the device to restart, corrupt the contents of the device's local DNS cache, or read part of the process memory.

The vulnerability is due to a flaw in the handling of crafted DNS response messages. An attacker could exploit it by intercepting a client DNS query that the affected device forwarded to a DNS server and returning a crafted DNS response. A successful attack could cause the device to reload (a DoS condition), corrupt the local DNS cache, or disclose part of process memory.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns

CVE-2016-6380 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H.

Vulnerability #5: Software Smart Install Memory Leak Denial of Service
A vulnerability in the Smart Install client feature could allow an unauthenticated, remote attacker to cause a memory leak and an eventual DoS condition on the affected device.

This vulnerability is due to incorrect handling of image list parameters. To exploit this vulnerability, an attacker could send crafted Smart Install packets to Transmission Control Protocol ("TCP") port 4786. A successful attack could cause the switch to leak memory and eventually reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi

CVE-2016-6385 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Currently, there is no publicly available exploit code relating to any of these vulnerabilities.

RISK MITIGATIONS

Customers using affected versions of these Stratix products are encouraged to update to the latest available software versions, which address the associated risk and include improvements that further harden the software against similar attacks. Where feasible, the additional precautions and risk-mitigation strategies listed below are also recommended; when possible, apply several of them at once.

  1. Update the affected products per the table below:

     Product Family                                        Affected Versions          Updates Available
     Stratix 5400 Industrial Ethernet Switches             15.2(4)EA3 and earlier     Apply FRN 15.2(5)EA.fc4 or later (Download)
     Stratix 5410 Industrial Distribution Switches         15.2(4)EA3 and earlier     Apply FRN 15.2(5)EA.fc4 or later (Download)
     Stratix 5700 Industrial Managed Ethernet Switches     15.2(4)EA3 and earlier     Apply FRN 15.2(5)EA.fc4 or later (Download)
     Stratix 8000 Modular Managed Ethernet Switches        15.2(4)EA3 and earlier     Apply FRN 15.2(5)EA.fc4 or later (Download)
     ArmorStratix 5700 Industrial Managed Ethernet Switches 15.2(4)EA3 and earlier    Apply FRN 15.2(5)EA.fc4 or later (Download)
     Stratix 8300 Modular Managed Ethernet Switches        All prior to 15.2(4a)EA5   Apply FRN 15.2(4a)EA5 or later (Download) (28-APR-2017 update)
  2. Cisco has published workarounds for those vulnerabilities that have one. Where possible, apply them alongside the software update above to further reduce exposure.
     • #1 (AAA Authentication DoS): remove the AAA failed-login banner with the global configuration command no aaa authentication fail-message. The vulnerability is only exploitable when an AAA failed-login banner is configured and SSH is used for the remote connection. To check whether AAA is configured, run show running-config | include aaa and verify that it returns output.
     • #2 and #3 (Multicast Routing DoS): no workarounds are available for either vulnerability.
     • #4 (DNS Forwarder DoS and Information Corruption): no workaround is available.
     • #5 (Smart Install Memory Leak): the only workaround is to disable the Smart Install feature, which some firmware versions allow with the no vstack global configuration command. To determine whether the Smart Install client feature is active, run show vstack config; output containing Role: Client confirms that the feature is enabled.
  3. Use proper network infrastructure controls, such as firewalls, to block traffic from unauthorized sources to the affected services: SSH, DNS forwarding, MSDP and PIM multicast control traffic, and Smart Install on TCP port 4786.
  4. Use trusted software, software patches, antivirus/anti-malware programs and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
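As an added example, not code from Rockwell Automation or Cisco, the following Python script ties the affected-versions table to the workaround checks above: it parses the text of show version, show running-config and show vstack config from a Stratix switch, decides whether the running release is older than the advisory's fixed release for that product family, and reports which of the advisory's workarounds apply. The release-string grammar, the sample outputs, and the configuration keywords used to flag DNS forwarding (ip dns server), MSDP (ip msdp peer) and IPv6 PIM (ipv6 pim) are my assumptions rather than statements from the advisory; the checks for #1 and #5 use the commands the advisory itself names.

```python
"""
PN946 triage helper (added example; not code from Rockwell Automation or Cisco).

Given the text of 'show version', 'show running-config' and 'show vstack config'
from a Stratix switch, decide whether the running IOS release is older than the
advisory's fixed release for that product family, and list which of the
advisory's workarounds apply to the device's configuration.
"""
import re

# Fixed releases from the advisory's update table (Risk Mitigations, item 1).
FIXED_RELEASE = {"Stratix 8300": "15.2(4a)EA5"}
DEFAULT_FIXED_RELEASE = "15.2(5)EA.fc4"   # Stratix 5400/5410/5700/8000, ArmorStratix 5700

# Assumed grammar for the release strings on this page: major.minor(maint[letter])TRAIN[rebuild][.fcN]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]+)(\d*)(?:\.fc(\d+))?$")


def parse_ios_version(text):
    """'15.2(4a)EA5' -> (15, 2, 4, 'a', 'EA', 5, 0); tuples compare in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised IOS release string: %r" % text)
    major, minor, maint, letter, train, rebuild, fc = m.groups()
    return (int(major), int(minor), int(maint), letter, train, int(rebuild or 0), int(fc or 0))


def is_affected(version, family="Stratix 5700"):
    """True when the running release is older than the advisory's fixed release."""
    fixed = FIXED_RELEASE.get(family, DEFAULT_FIXED_RELEASE)
    return parse_ios_version(version) < parse_ios_version(fixed)


def running_version(show_version):
    """Pull the release string out of 'show version' output (None if absent)."""
    m = re.search(r"Version\s+(\d+\.\d+\(\d+[a-z]?\)[A-Z]+\d*(?:\.fc\d+)?)", show_version)
    return m.group(1) if m else None


def audit_config(running_config, vstack_config=""):
    """Return (vulnerability, why it applies, workaround) triples for this configuration."""
    cfg, findings = running_config, []
    # #1 needs both the AAA fail-message banner and SSH accepted on a vty line.
    banner = re.search(r"^aaa authentication fail-message", cfg, re.M)
    ssh = re.search(r"^\s*transport input\b.*\b(ssh|all)\b", cfg, re.M)
    if banner and ssh:
        findings.append(("#1 AAA authentication DoS",
                         "AAA fail-message banner configured and SSH accepted",
                         "no aaa authentication fail-message"))
    # #2/#3/#4 have no workaround; the reachability keywords are assumptions, not from the advisory.
    if re.search(r"^ip msdp peer", cfg, re.M):
        findings.append(("#2 MSDP DoS", "MSDP peer configured", "none; upgrade"))
    if re.search(r"^ipv6 pim", cfg, re.M):
        findings.append(("#3 PIM IPv6 register DoS", "IPv6 PIM configured", "none; upgrade"))
    if re.search(r"^ip dns server", cfg, re.M):
        findings.append(("#4 DNS forwarder DoS", "IOS DNS server/forwarder enabled", "none; upgrade"))
    # #5: the advisory says 'show vstack config' reporting 'Role: Client' confirms the feature.
    if re.search(r"^\s*Role:\s*Client", vstack_config, re.M) and not re.search(r"^no vstack", cfg, re.M):
        findings.append(("#5 Smart Install memory leak", "Smart Install client role active",
                         "no vstack; block TCP port 4786 from untrusted sources"))
    return findings


# Constructed sample output (not captured from a real switch).
SAMPLE_SHOW_VERSION = "Cisco IOS Software, Version 15.2(4)EA3, RELEASE SOFTWARE (fc1)\n"
SAMPLE_CONFIG = """\
hostname cell3-sw1
aaa new-model
aaa authentication login default local
aaa authentication fail-message ^Access denied^
ip dns server
line vty 0 4
 login authentication default
 transport input ssh
"""
SAMPLE_VSTACK = " Role: Client\n Vstack Director IP address: 10.0.0.1\n"


def triage(show_version, running_config, vstack_config, family="Stratix 5700"):
    """Combine the version check and the configuration audit into one report."""
    version = running_version(show_version)
    return {"version": version,
            "affected": version is not None and is_affected(version, family),
            "fixed": FIXED_RELEASE.get(family, DEFAULT_FIXED_RELEASE),
            "findings": audit_config(running_config, vstack_config)}


if __name__ == "__main__":
    report = triage(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG, SAMPLE_VSTACK)
    print("running %(version)s, affected=%(affected)s, fixed release %(fixed)s" % report)
    for vuln, why, fix in report["findings"]:
        print("  %s: %s -> workaround: %s" % (vuln, why, fix))
```

The version comparison treats a maintenance letter (15.2(4a)) as newer than the plain maintenance number (15.2(4)) and a missing rebuild or fc number as zero, which is what makes 15.2(4)EA sort below 15.2(4)EA3 and 15.2(4)EA3 below 15.2(4a)EA5; feed it the output of the same commands collected from each switch to get a per-device list of what still needs the upgrade.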

For further information on Rockwell Automation’s Vulnerability Management process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on the Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory using the Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

REVISION HISTORY

Date          Version   Details
OCT-2016      1.0       Initial release.
28-APR-2017   1.1       Update to include Stratix 8300 and mitigations.


