
PN962 | Stratix CMP Remote Code Execution Vulnerability

Severity:
Critical
Advisory ID:
PN962
Published:
November 02, 2017
Last Updated:
November 02, 2017
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2017-3881
Summary
Stratix CMP Remote Code Execution Vulnerability

Introduction

Stratix CMP Remote Code Execution Vulnerability

Description

Version 1.1 - November 2, 2017
Version 1.0 - March 23, 2017

Cisco Systems, Inc. ("Cisco") has reported that a vulnerability exists in the Cisco Cluster Management Protocol ("CMP") processing code in the Cisco IOS and Cisco IOS XE software. Allen-Bradley® Stratix® and ArmorStratix™ products contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet and/or Distribution switches for real-time control and information sharing on a common network infrastructure.

This vulnerability is remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

All Versions 15.2(5)EA.fc4 and earlier

  • Allen-Bradley Stratix 5400 Industrial Ethernet Switches
  • Allen-Bradley Stratix 5410 Industrial Distribution Switches
  • Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
  • Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches

All Versions 15.2(4a)EA5 and earlier

  • Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches

VULNERABILITY DETAILS

The Cluster Management Protocol uses Telnet to internally signal and send commands. A remote, unauthorized attacker could send malformed CMP-specific Telnet messages to try to establish a Telnet session with one of the affected products. Incorrect processing of these messages can cause the device to reload, or, in certain cases, allow the attacker to execute arbitrary code with elevated privileges on the device. If a customer has Telnet disabled, the attack vector is eliminated. Currently, no publicly available exploit code exists for this vulnerability.

The original product security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

CVE-2017-3881 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

UPDATE: NOVEMBER 02, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.

Rockwell Automation recommends customers using affected products to consult the suggestions below and, when possible, employ multiple strategies to mitigate their risk.

Product Family      Catalog Numbers   Affected Version            Suggested Actions
Stratix 8300        1783-RMS          15.2(4)EA and earlier       - See Risk Mitigations below
Stratix 8000        1783-MS           15.2(5)EA.fc4 and earlier   - Update to 15.2(6)E0a or later
                                                                  - In addition, see Risk Mitigations below
Stratix 5400        1783-HMS          15.2(5)EA.fc4 and earlier   - Update to 15.2(6)E0a or later
                                                                  - In addition, see Risk Mitigations below
Stratix 5410        1783-IMS          15.2(5)EA.fc4 and earlier   - Update to 15.2(6)E0a or later
                                                                  - In addition, see Risk Mitigations below
Stratix 5700        1783-BMS          15.2(5)EA.fc4 and earlier   - Update to 15.2(6)E0a or later
                                                                  - In addition, see Risk Mitigations below
ArmorStratix 5700   1783-ZMS          15.2(5)EA.fc4 and earlier   - Update to 15.2(6)E0a or later
                                                                  - In addition, see Risk Mitigations below

  1. Disabling the Telnet protocol as an allowed protocol for incoming connections on affected devices diminishes the network-based vector of attack. For information on how to disable Telnet via Command Line Interface, please see Knowledgebase Article ID 1040270.
  2. If a customer is unable or unwilling to disable Telnet, then implementing infrastructure access control lists (iACLs) can reduce the attack surface. For information on how to implement iACLs, please see Knowledgebase Article ID 1040270.
  3. Cisco Talos, Cisco's threat intelligence organization, has created two Snort rules (SIDs 41909 and 41910) to detect exploits utilizing this vulnerability. These can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules are enabled in the following curated rule sets: "Balanced Security and Connectivity", "Connectivity over Security", and "Security over Connectivity".
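As an added example (not part of the advisory or any Rockwell Automation tooling), a Python check that applies the table above to a device inventory: the catalog-to-firmware mapping comes from the table, while the IOS version parsing and the handling of the vty "transport input" setting are simplifying assumptions noted in the code.

```python
import re

# Catalog number -> (product family, patched firmware) from the advisory table;
# None means no patched firmware was listed (Stratix 8300: mitigate only).
FIXED_FIRMWARE = {
    "1783-RMS": ("Stratix 8300", None),
    "1783-MS": ("Stratix 8000", "15.2(6)E0a"),
    "1783-HMS": ("Stratix 5400", "15.2(6)E0a"),
    "1783-IMS": ("Stratix 5410", "15.2(6)E0a"),
    "1783-BMS": ("Stratix 5700", "15.2(6)E0a"),
    "1783-ZMS": ("ArmorStratix 5700", "15.2(6)E0a"),
}

_IOS_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)[a-z]?\)")


def version_key(version: str) -> tuple:
    """Reduce an IOS version such as '15.2(5)EA.fc4' to (major, minor, maintenance).
    Simplifying assumption: train letters and rebuild suffixes (EA, .fc4, E0a) are
    ignored, so every release below 15.2(6) is treated as affected."""
    m = _IOS_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def assess(catalog: str, version: str, transport_input: str) -> dict:
    """Classify one switch from its catalog number, firmware version and the vty
    'transport input' value from its running config ('telnet ssh', 'ssh', 'all')."""
    if catalog not in FIXED_FIRMWARE:
        return {"family": None, "affected": False, "telnet_exposed": False,
                "action": "not in advisory"}
    family, fixed = FIXED_FIRMWARE[catalog]
    affected = fixed is None or version_key(version) < version_key(fixed)
    # The CMP vector needs Telnet, which 'transport input telnet' or 'all' leaves open.
    telnet_open = any(t in ("telnet", "all") for t in transport_input.lower().split())
    if not affected:
        action = "no action"
    elif fixed is None:
        action = "no patched firmware listed: disable Telnet or restrict it with an iACL"
    else:
        action = f"update to {fixed} or later, and disable Telnet or apply an iACL"
    return {"family": family, "affected": affected,
            "telnet_exposed": affected and telnet_open, "action": action}
```

Feed it (catalog, version, transport input) triples gathered from your inventory and configuration backups; devices flagged as telnet_exposed are the ones where mitigation 1 or 2 above applies immediately.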

GENERAL SECURITY GUIDELINES

  1. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  2. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  3. Utilize proper network infrastructure controls, such as firewalls. As an extension of this approach, Rockwell Automation now offers the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance, which provides Intrusion Detection and Prevention (IDS/IPS) services and Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP), giving customers an intrusion detection system with real-time visibility into whether a vulnerability is being exploited. The Stratix 5950 contains a rules engine called FirePOWER, which can process rules created by Cisco Talos for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for data points that correspond to one or more rules. Packets that match these signatures can be either logged (IDS) or blocked (IPS).

For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

  • Security Advisory Index, Knowledgebase Article ID 54102.
  • Industrial Firewalls within a CPwE Architecture White Paper: ENET-WP011B-EN-P
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide: ENET-TD002A-EN-P

REVISION HISTORY

Date               Version   Details
02-NOVEMBER-2017   1.1       Patched FW Release
24-MARCH-2017      1.0       Initial Release

KCS Status

Released

Copyright ©2022 Rockwell Automation, Inc.