Introduction
Description
Version 1.0 - April 4, 2019
Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. This publication includes seven security advisories. One of these vulnerabilities affects the four Allen‑Bradley® Stratix® and ArmorStratix™ products, which are listed in the Affected Products section below.
AFFECTED PRODUCTS
- Allen‑Bradley Stratix 5400 Industrial Ethernet Switches - all versions PRIOR to 15.2(6)E2a
- Allen‑Bradley Stratix 5410 Industrial Distribution Switches - all versions PRIOR to 15.2(6)E2a
- Allen‑Bradley Stratix 5700 Industrial Managed Ethernet Switches - all versions PRIOR to 15.2(6)E2a
- Allen‑Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments - all versions PRIOR to 15.2(6)E2a
VULNERABILITY DETAILS
Software Plug and Play Agent Memory Leak Vulnerability
A vulnerability in the Cisco Network Plug and Play agent, also referred to as the Cisco Open Plug-n-Play agent, of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device.
The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by sending invalid data to the Cisco Network Plug and Play agent on an affected device. A successful exploit could allow the attacker to cause a memory leak on the affected device, which could cause the device to reload.
The product security disclosure from Cisco for their IOS and IOS XE software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-pnp-memleak.
CVE-2018-15377 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Update the affected products per the table below:
| Product Family | Updates Available |
| Stratix 5400 Industrial Ethernet Switches | Apply FRN 15.2(6)E2a or later (Download) |
| Stratix 5410 Industrial Distribution Switches | Apply FRN 15.2(6)E2a or later (Download) |
| Stratix 5700 Industrial Managed Ethernet Switches | Apply FRN 15.2(6)E2a or later (Download) |
| ArmorStratix 5700 Industrial Managed Ethernet Switches | Apply FRN 15.2(6)E2a or later (Download) |
GENERAL SECURITY GUIDELINES
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
REVISION HISTORY
| Date | Version | Details |
| 04-April-2019 | 1.0 | Initial release |
