Rockwell Automation provided interim compensating controls for its Allen-Bradley Stratix and ArmorStratix switches to help reduce the risk of exploitation of an improper input validation vulnerability identified in the Cisco Cluster Management Protocol (CMP) processing code used in the Cisco IOS and Cisco IOS XE software, according to a report from ICS-CERT.
Successful exploitation of this remotely exploitable vulnerability, which was discovered by Rockwell Automation, may allow a remote attacker to impact the availability of the target device or to execute arbitrary code with elevated privileges.
The following versions of the Allen-Bradley Stratix and ArmorStratix Industrial Ethernet and Distribution switches suffer from the issue:
• Allen-Bradley Stratix 5400 Industrial Ethernet Switches, All Versions 15.2(5)EA.fc4 and earlier
• Allen-Bradley Stratix 5410 Industrial Distribution Switches, All Versions 15.2(5)EA.fc4 and earlier
• Allen-Bradley Stratix 5700 and ArmorStratix 5700 Industrial Managed Ethernet Switches, All Versions 15.2(5)EA.fc4 and earlier
• Allen-Bradley Stratix 8000 Modular Managed Industrial Ethernet Switches, All Versions 15.2(5)EA.fc4 and earlier
• Allen-Bradley Stratix 8300 Modular Managed Industrial Ethernet Switches, All Versions 15.2(4a)EA5 and earlier
An unauthorized remote attacker may be able to establish a Telnet session with a target device by sending malformed CMP-specific Telnet messages. Incorrect processing of these messages may cause the device to reload or to allow the attacker to execute arbitrary code with elevated privileges.
CVE-2017-3881 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
An attacker with a low skill level would be able to leverage the vulnerability.
The products are used in the critical manufacturing, energy, and water and wastewater systems sectors, and they are deployed worldwide.
Rockwell recommends that users evaluate the compensating controls provided below and apply those that are applicable to their deployment:
• Disable the Telnet protocol as an allowed protocol for incoming connections on affected devices to diminish the network-based vector of attack. For information on how to disable Telnet via Command Line Interface, see Knowledgebase Article ID 1040270.
• If a user is unable or unwilling to disable Telnet, then implementing infrastructure access control lists (iACLs) can reduce the attack surface. For information on how to implement iACLs, see Knowledgebase Article ID 1040270.
• Cisco created two Snort rules (SIDs), 41909 and 41910, to detect exploits associated with this vulnerability.
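A configuration audit that checks the first two controls (Telnet removed from the vty lines, or an iACL applied where it is not), written here as an added example and not code from Rockwell Automation, Cisco or the advisory; the running-config sample is constructed, and treating a vty block with no transport input line as Telnet-reachable is a conservative assumption rather than a statement of the platform default.

```python
import re

# Constructed sample of "show running-config" output from an IOS-based switch.
# The first vty block still allows Telnet and has no access-class applied,
# which is exactly the exposure the compensating controls above address.
SAMPLE_CONFIG = """\
hostname stratix-demo
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny   any
!
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class MGMT-ONLY in
 transport input ssh
!
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def parse_vty_blocks(config: str):
    """Split a running-config into {vty-range: [indented config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            current = f"vty {m.group(1)}-{m.group(2) or m.group(1)}"
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the vty block

    return blocks

def audit_vty(config: str):
    """Per vty block: is Telnet still an allowed input transport, and is an iACL applied?"""
    findings = {}
    for name, lines in parse_vty_blocks(config).items():
        transport = next((l.split()[2:] for l in lines if l.startswith("transport input")), None)
        # Assumption: no "transport input" line is treated as Telnet-reachable (conservative).
        telnet = transport is None or "all" in transport or "telnet" in transport
        acl = any(l.startswith("access-class") and l.endswith(" in") for l in lines)
        findings[name] = {"telnet_enabled": telnet, "iacl_applied": acl}
    return findings

def exposed_vty_lines(config: str):
    """vty blocks where neither compensating control is in place."""
    return [n for n, f in audit_vty(config).items() if f["telnet_enabled"] and not f["iacl_applied"]]
```

Run it against the output of `show running-config` from each affected switch; any block listed by exposed_vty_lines still needs Telnet disabled or an iACL applied.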
See Rockwell Automation’s security advisory, Stratix CMP Remote Code Execution Vulnerability.
See Cisco’s security advisory, Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability.