Advisory ID:
PN1534
Published Date:
October 30, 2020
Last Updated:
October 30, 2020
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Summary
Stratix 5700 HTTP Session Management Weakness
Revision History
Revision Number
1.0
Revision History
Version 1.0 - October 30, 2020. Initial Release.
Executive Summary
Rockwell Automation’s PSIRT received a report from Amazon regarding a weakness on the Stratix 5700 switch. This weakness is a result of HTTP session management not being a feature of classic Cisco IOS. This may result in unauthenticated access to the web interface if an attacker gains access to the authenticated user’s computer after the “Logout” button has been selected. Rockwell Automation’s PSIRT has collaborated with the Cisco PSIRT to inform customers of this weakness. While this button’s function may lead the user to believe the session is being cleared, the product specifications do not advertise HTTP session management as a function. Both PSIRTs, to be transparent, see the importance of sharing this issue along with potential mitigation options.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Affected Products
Allen‑Bradley Stratix 5700 Industrial Managed Ethernet Switches –
- All Cisco IOS releases (with the exception of those which incorporate the new HTTP session management feature added through Cisco BugID CSCvo20762) lack HTTP and HTTPS session management capabilities.
Details
On the Stratix 5700 Industrial Managed Ethernet switch running Cisco IOS , because no session management is performed for HTTP or HTTP sessions, the only way to close and terminate an active HTTP or HTTPS management session is to close the web browser used for this session after the user is done. Closing the active tab or active window is not enough - the browser instance must be terminated.
If the browser instance has not been terminated, an actor with local access to the machine from which the session was established may be able to restart the management session without being prompted for any credentials, which would result in this actor having the same kind of access to the device as the user on the previous session.
Risk Mitigation & User Action
As of 26-OCT-2020, the following releases incorporate the new HTTP session management code: 15.9(3)M2, 15.9(3)M2a and 15.2(7)E3. Going forward, it is the intention of Cisco for this HTTP session management feature to be implemented in all future Cisco IOS classic releases.
If HTTP session management is desired while running a release which does not support the enhancement, Cisco IOS customers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Completing the following precautionary measure is recommended as a risk mitigation strategy against unauthenticated attackers.
If HTTP session management is desired while running a release which does not support the enhancement, Cisco IOS customers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Completing the following precautionary measure is recommended as a risk mitigation strategy against unauthenticated attackers.
- Terminate the browser when finished – closing the tab or window is NOT enough
General Security Guidelines
Software/PC-based Mitigation Strategies
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
Copyright ©2022 Rockwell Automation, Inc.