Introduction
Description
Version 1.1 - November 2, 2017
Version 1.0 - March 23, 2017
Cisco Systems, Inc. ("Cisco") has reported that a vulnerability exists in the Cisco Cluster Management Protocol ("CMP") processing code in the Cisco IOS and Cisco IOS XE software. Allen‑Bradley® Stratix® and ArmorStratix™ products contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet and/or Distribution switches for real-time control and information sharing on a common network infrastructure.
This vulnerability is remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.
Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
All Versions 15.2(5)EA.fc4 and earlier
- Allen‑Bradley Stratix 5400 Industrial Ethernet Switches
- Allen‑Bradley Stratix 5410 Industrial Distribution Switches
- Allen‑Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
- Allen‑Bradley Stratix 8000 Modular Managed Ethernet Switches
All Versions 15.2(4a)EA5 and earlier
- Allen‑Bradley Stratix 8300 Modular Managed Ethernet Switches
VULNERABILITY DETAILS
The Cluster Management Protocol uses Telnet to internally signal and send commands. A remote, unauthorized attacker could send malformed CMP-specific Telnet messages to try and establish a Telnet session with one of the affected products. Incorrect processing of these messages can cause the device to reload, or, in certain cases, allow the attacker to execute arbitrary code with elevated privileges on the device. If a customer has Telnet disabled, the attack vector is eliminated. Currently, no publicly available exploit code exists for this vulnerability.
The original product security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
CVE-2017-3881 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
UPDATE: NOVEMBER 02, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.
Rockwell Automation recommends customers using affected products to consult the suggestions below and, when possible, employ multiple strategies to mitigate their risk.
| Product Family | Catalog Numbers | Affected Version | Suggested Actions |
| Stratix 8300 | 1783-RMS | 15.2(4)EA and earlier | - See Risk Mitigations below |
| Stratix 8000 | 1783-MS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5400 | 1783-HMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5410 | 1783-IMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5700 | 1783-BMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| ArmorStratix 5700 | 1783-ZMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
- Disabling the Telnet protocol as an allowed protocol for incoming connections on affected devices diminishes the network-based vector of attack. For information on how to disable Telnet via Command Line Interface, please see Knowledgebase Article ID 1040270.
- If a customer is unable or unwilling to disable Telnet, then implementing infrastructure access control lists (iACLs) can reduce the attack service. For information on how to implement iACLs, please see Knowledgebase Article ID 1040270.
- Cisco Talos, Cisco’s threat intelligence organization, has created two Snort rules (SIDs): 41909 and 41910 to detect exploits utilizing this vulnerability, which can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are enabled following curated rule sets - "Balanced Security and Connectivity", "Connectivity over Security, and "Secure over connectivity.
GENERAL SECURITY GUIDELINES
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Utilize proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen‑Bradley® Stratix 5950 Industrial Network Security Appliance, which comprises Intrusion Prevention and Detection (IDS/IPS) services, and Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP), Rockwell Automation can now offer customers an intrusion detection system to provide visibility, in real-time, if a vulnerability is being exploited. The Stratix 5950 contains a rules engine called FirePOWER which can process rules created by Cisco TALOS for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for datapoints that correspond to one or more rules. Packets that have these signatures can be either logged (IDS) or blocked (IPS).
For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https:rockwellautomation.custhelp.comapp/answers/detail/a_id/54102, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
ADDITIONAL LINKS
- Security Advisory Index, Knowledgebase Article ID 54102.
- Industrial Firewalls within a CPwE Architecture White Paper: ENET-WP011B-EN-P
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide: ENET-TD002A-EN-P
REVISION HISTORY
| Date | Version | Details |
| 02-NOVEMBER-2017 | 1.1 | Patched FW Release |
| 24-MARCH-2017 | 1.0 | Initial Release |
