Multiple vulnerabilities in Rockwell Automation Allen-Bradley Stratix 8300 Industrial Managed Ethernet Switches



Published: 2018-04-18 | Updated: 2023-02-01
Risk: Medium
Patch available: No
Number of vulnerabilities: 8
CVE-ID: CVE-2018-0171, CVE-2018-0156, CVE-2018-0155, CVE-2018-0174, CVE-2018-0172, CVE-2018-0173, CVE-2018-0167, CVE-2018-0175
CWE-ID: CWE-120, CWE-20, CWE-388, CWE-122, CWE-119
Exploitation vector: Network
Public exploit: Vulnerabilities #1, #2, #3, #4, #5, #6, #7 and #8 are being exploited in the wild.
Vulnerable software: Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches (Hardware solutions / Routers & switches, VoIP, GSM, etc)
Vendor: Rockwell Automation

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU11336

Risk: High

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0171

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: Yes

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition or execute arbitrary code on the target system.

The weakness exists in the Smart Install feature due to improper validation of packet data. A remote attacker can trigger a buffer overflow, cause the service to crash and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Improper input validation

EUVDB-ID: #VU11337

Risk: Medium

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0156

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Smart Install feature due to improper validation of packet data. A remote attacker can send a specially crafted packet to an affected device on TCP port 4786 and cause the service to crash.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
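One way to check the exposure guidance above for the Smart Install port, as an added example that is not part of the original bulletin or of Rockwell Automation's guidance: it scans flow records for connections to TCP port 4786 on switch management addresses that originate outside the control-system network. The record format, address ranges and function name are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

SMART_INSTALL_PORT = 4786  # TCP port the bulletin names for Smart Install

# Assumed (hypothetical) site layout: control network and switch management IPs.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")
SWITCH_MGMT = {ipaddress.ip_address(a) for a in ("10.20.1.10", "10.20.1.11")}

# Constructed sample flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2018-04-20T08:01:12Z,10.20.5.40,10.20.1.10,tcp,4786,allow
2018-04-20T08:03:55Z,192.168.77.9,10.20.1.10,tcp,4786,allow
2018-04-20T08:04:02Z,203.0.113.50,10.20.1.11,tcp,4786,deny
2018-04-20T08:04:30Z,203.0.113.50,10.20.1.11,tcp,443,allow
2018-04-20T08:05:10Z,198.51.100.7,10.20.1.11,tcp,4786,allow
not,a,valid,record
"""

FIELDS = ["time", "src", "dst", "proto", "dport", "action"]


def find_smart_install_exposure(flow_text):
    """Split outside-origin flows to TCP/4786 on a switch into (allowed, blocked)."""
    allowed, blocked = [], []
    for row in csv.DictReader(io.StringIO(flow_text), fieldnames=FIELDS):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError):
            continue  # malformed record: skip it instead of aborting the audit
        if row["proto"].lower() != "tcp" or dport != SMART_INSTALL_PORT:
            continue
        if dst not in SWITCH_MGMT or src in CONTROL_NET:
            continue  # not a switch, or traffic that stays inside the control network
        hit = (row["time"], str(src), str(dst))
        (allowed if row["action"] == "allow" else blocked).append(hit)
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = find_smart_install_exposure(SAMPLE_FLOWS)
    for hit in allowed:
        print("ALLOWED from outside control network:", *hit)
    for hit in blocked:
        print("blocked attempt:", *hit)
```

An allowed hit means the firewall policy permits a path to the port from outside the control network; a blocked hit shows the policy held but that something is reaching for the port.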

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

3) Error handling

EUVDB-ID: #VU11368

Risk: Medium

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0155

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches due to insufficient error handling when the BFD header in a BFD packet is incomplete. A remote attacker can send a specially crafted BFD message to or across an affected switch and cause the service to crash.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

4) Improper input validation

EUVDB-ID: #VU11361

Risk: Medium

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0174

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the DHCP option 82 encapsulation functionality due to incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. A remote attacker can send a specially crafted DHCPv4 packet and cause the service to crash.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

5) Heap-based buffer overflow

EUVDB-ID: #VU11363

Risk: Medium

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0172

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the DHCP option 82 encapsulation functionality due to incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. A remote attacker can send a specially crafted DHCPv4 packet, trigger a heap overflow and cause the service to crash.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

6) Improper input validation

EUVDB-ID: #VU11362

Risk: Medium

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0173

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets due to incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. A remote attacker can send a specially crafted DHCPv4 packet and cause the service to crash.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

7) Buffer overflow

EUVDB-ID: #VU11351

Risk: Low

CVSSv3.1: 9.2 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0167

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges on the target system.

The weakness exists in the LLDP subsystem due to improper error handling of malformed LLDP messages. An adjacent attacker can submit a specially crafted LLDP protocol data unit (PDU), trigger a buffer overflow, cause the service to crash or execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

8) Memory corruption

EUVDB-ID: #VU11352

Risk: Low

CVSSv3.1: 9.2 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-0175

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges on the target system.

The weakness exists in the LLDP subsystem due to improper handling of certain fields in an LLDP message. An adjacent attacker can submit a specially crafted LLDP PDU, trick the victim into executing a specific show command in the CLI, trigger memory corruption, cause the service to crash or execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Rockwell Automation recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Vulnerable software versions

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches: 15.2(4)EA - 15.2(4a)EA5

External links

http://ics-cert.us-cert.gov/advisories/ICSA-18-107-05


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


