Cisco IOS vulnerabilities open Rockwell Industrial Switches to attacks

Vulnerabilities in Cisco IOS expose Rockwell Allen-Bradley Stratix and ArmorStratix industrial Ethernet switches to remote attacks.

Some models of the Allen-Bradley Stratix and ArmorStratix industrial Ethernet switches are exposed to remote attacks due to security flaws in Cisco’s IOS software.

According to the security alert issued by ICS-CERT, an authenticated remote attacker can exploit the flaws to execute code on an affected system or to trigger a DoS condition and consequent reload of the device.

“Successful exploitation of these vulnerabilities could allow an authenticated, remote attacker to execute code on an affected system or cause an affected system to crash and reload,” states ICS-CERT.

Critical infrastructure in sectors worldwide is affected, including Critical Manufacturing, Energy, and Water and Wastewater Systems.

Critical infrastructure relies on Cisco’s IOS software for secure integration with enterprise networks; this implies that Cisco IOS flaws can also affect Rockwell Automation products.

Rockwell Automation promptly informed customers of the high-severity vulnerabilities in Cisco IOS and IOS XE. Nine flaws affect versions 1, 2c and 3 of the Simple Network Management Protocol (SNMP) subsystem.

The tech giant publicly disclosed the vulnerabilities on June 29 and provided workarounds; now it is notifying customers about the availability of security patches.

The nine issues, tracked as CVE-2017-6736 through CVE-2017-6744, were all patched by the company. All the flaws could be exploited by a remote unauthenticated attacker by sending specially crafted SNMP packets, resulting in arbitrary code execution or causing the system to reload.

“The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities,” states the advisory published by Cisco in June.

As reported by the advisory, an authenticated attacker who knows the SNMP read-only community string of a target system could remotely execute code or cause the device to reload by sending a specially crafted SNMP packet via IPv4 or IPv6.

The attack is very dangerous because hackers could obtain full control of vulnerable devices, and the worst news is that Cisco warned customers that attackers in the wild know about the vulnerabilities and can exploit them at any moment.

“A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload,” Cisco said in its advisory.

The security holes can be exploited by sending a specially crafted SNMP packet via IPv4 or IPv6.

“To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system,” Cisco said in its advisory.

Cisco found no evidence of cyber attacks leveraging the flaws, but it confirmed that people outside the company were also aware of their existence.

The flaws affect Allen-Bradley Stratix 5400, 5410, 5700 and 8000 models running version 15.2(5)EA.fc4 and earlier of the firmware, Stratix 5900 version 15.6(3)M1 and earlier, Stratix 8300 version 15.2(4)EA and earlier, and ArmorStratix 5700 version 15.2(5)EA.fc4 and earlier.

The vulnerabilities have been fixed in version 15.2(4a)EA5 for Stratix 8300 devices.

While waiting for security updates, Rockwell urges customers to disable specific management information bases (MIBs), use strong SNMP credentials, and prevent unauthorized SNMP requests with firewalls and other security appliances.

Rockwell customers can use Snort rules provided by Cisco to detect exploits.
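Two of the workarounds above, strong SNMP credentials and blocking unauthorized SNMP requests, can be checked against captured UDP/161 payloads. The Python below is an added example, not code from Cisco, Rockwell or the original article, and it is not one of Cisco's Snort rules. The manager subnet, the weak-string list and the sample packet are constructed assumptions.

```python
import ipaddress

# Assumed for this example: the authorized manager subnet and the weak-string list.
ALLOWED_MANAGERS = [ipaddress.ip_network("10.10.50.0/28")]
WEAK_COMMUNITIES = {b"public", b"private", b"cisco"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}  # values of the SNMP message version field

# Constructed sample: SNMPv2c GetRequest for sysDescr.0 with community "public".
SAMPLE_V2C = bytes.fromhex(
    "3026 020101 0406 7075626c6963 a019 020101 020100 020100"
    " 300e 300c 0608 2b06010201010100 0500")

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def audit_snmp(src_ip, payload):
    """Return findings for one UDP/161 payload received from src_ip."""
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in ALLOWED_MANAGERS):
        findings.append("source not an authorized manager")
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x30:
            raise ValueError("message is not a SEQUENCE")
        tag, ver, pos = read_tlv(body, 0)
        if tag != 0x02:
            raise ValueError("version is not an INTEGER")
        version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
        if version in ("v1", "v2c"):
            tag, community, _ = read_tlv(body, pos)
            if tag != 0x04:
                raise ValueError("community is not an OCTET STRING")
            # v1/v2c requests are gated only by the community string.
            findings.append(f"{version} community-based request")
            if community.lower() in WEAK_COMMUNITIES:
                findings.append("weak community string")
    except (ValueError, IndexError):
        findings.append("malformed SNMP message")
    return findings
```

A request that yields no findings comes from an authorized manager and uses SNMPv3, which requires user credentials rather than a community string.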

Pierluigi Paganini

(Security Affairs – Cisco IOS Software, Rockwell Industrial Switches )

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
