Rockwell Automation Stratix and ArmorStratix Switches Improper Input Validation (CVE-2018-0173)

high Tenable OT Security Plugin ID 501768

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device, which the device would then forward to a DHCPv4 server. When the affected software processes the option 82 information that is encapsulated in the response from the server, an error could occur. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation recommends users upgrade to FRN 15.2(6)E1 or later. Updated software can be downloaded at:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?famID=15

Rockwell Automation has provided knowledge base article number 1073268 on their website at the following location to address these vulnerabilities:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073268/ (login required)

Rockwell Automation also recommends implementing the following mitigations in addition to upgrading the software version:

Cisco has released new Snort Rules at https://www.cisco.com/web/software/286271056/117258/sf-rules-2018-03-29-new.html to help address the following vulnerabilities:

- CVE-2018-0171 - Snort Rule 46096 and 46097
- CVE-2018-0156 - Snort Rule 41725
- CVE-2018-0174 - Snort Rule 46120
- CVE-2018-0172 - Snort Rule 46104
- CVE-2018-0173 - Snort Rule 46119
- CVE-2018-0158 - Snort Rule 46110

Cisco adds the following notes for the Smart Install vulnerabilities (CVE-2018-0171 and CVE-2018-0156):

- Smart Install is turned off by express setup; however, upgraded switches but not re-setup may have it enabled.
- Disable the Smart Install feature with the no vstack configuration command if it is not needed or once setup is complete.
- Users who do use the feature—and need to leave it enabled—can use ACLs to block incoming traffic on TCP port 4786.

CVE-2018-0167 and CVE-2018-0175 have no specific mitigations in place. See the following Cisco Vulnerability advisory for more details:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

Rockwell Automation also recommends users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

See Also

http://www.nessus.org/u?ce3d1989

http://www.nessus.org/u?37660900

http://www.nessus.org/u?0baec066

http://www.nessus.org/u?a252fb13

https://www.cisa.gov/news-events/ics-advisories/icsa-18-107-04

https://www.cisa.gov/news-events/ics-advisories/icsa-18-107-05

Plugin Details

Severity: High

ID: 501768

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 11/15/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2018-0173

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:rockwellautomation:allen-bradley_stratix_5700_industrial_managed_ethernet_switch, cpe:/h:rockwellautomation:allen-bradley_stratix_5400_industrial_managed_ethernet_switch, cpe:/h:rockwellautomation:allen-bradley_stratix_5410_industrial_managed_ethernet_switch, cpe:/h:rockwellautomation:allen-bradley_stratix_8300_industrial_managed_ethernet_switch, cpe:/h:rockwellautomation:allen-bradley_stratix_8000_industrial_managed_ethernet_switch

Required KB Items: Tenable.ot/Rockwell

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/28/2018

Vulnerability Publication Date: 3/28/2018

CISA Known Exploited Vulnerability Due Dates: 3/17/2022

Reference Information

CVE: CVE-2018-0173

CWE: 755

ICSA: 18-107-04, 18-107-05