PN758 | Stratix 5700, 8000 and 8300 Weak Password Vulnerability

Introduction

Description

April 2, 2013 - version 1.0

Rockwell Automation has become aware of a weak password protection implementation affecting Allen‑Bradley brand Stratix™ managed Ethernet switch firmware. This weakness affects Stratix 5700, 8000 and 8300 managed switches products that contain particular versions of IOS® firmware that employ a Type 4 (SHA256) cryptographic password hash algorithm.

Due to an implementation issue in affected IOS versions, a user-provided password that has been hashed using the IOS Type 4 algorithm implementation is less resilient to brute-force attacks than a Type 5 hashed password of equivalent complexity. Successful exploitation of this weakness can lead to unauthorized access to the product.

To date, we are not aware of any known cases of successful exploitation of this vulnerability in Stratix 5700, 8000 or 8300 products. Furthermore, we are not aware of publicly available proof of concept exploit code.

AFFECTED PRODUCTS
The following Stratix managed Ethernet switches are affected:

1. Stratix 5700 firmware release 15.0(1)EY1. This firmware ships on all Stratix 5700 catalog items.
   
2. Stratix 8000 firmware release 15.0(2)SEIES. This firmware is known as release 7 and was released in January 2013. This firmware does not, and has never shipped on the Stratix 8000. It would reside on a Stratix 8000 only after the product’s initial shipment and only if intentionally downloaded to the hardware.
   
3. Stratix 8300 firmware release 15.0(2)SEIES. This firmware is known as release 7 and was released in January 2013. This firmware does not, and has never shipped on the Stratix 8300. It would reside on a Stratix 8300 only after the product’s initial shipment and only if intentionally downloaded to the hardware.

To determine if a Stratix 8000 or Stratix 8300 is using the above firmware, you can reference the software field located on the dashboard of Device Manager or the IOS Release field on the switch status tab located in the RSLogix 5000 Stratix Add on Profile.

RISK MITIGATION
For details and recommended action to mitigate this security vulnerability in products that contain the affected IOS, go to the following Cisco web site.

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Where feasible, use a unique and complex password for products so as to help reduce the risk that multiple products could be compromised as a result of a single password becoming learned.
   
2. Where feasible, adopt password management practices to periodically change product passwords to help mitigate risk for passwords to remain usable for an extended period of time.
   
3. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
   
4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
   
5. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status