Rockwell Automation has published guidance for handling an unprotected alternate channel vulnerability in its Stratix 5800 and Stratix 5200 switches that has known public exploits, according to a report from CISA.

Successful exploitation of this remotely exploitable vulnerability, which Rockwell self-reported, could allow an unauthenticated attacker to take control of the affected system.

The following versions of Stratix products and the contained Cisco IOS software suffer from the vulnerability:

  • Stratix 5800 (running Cisco IOS XE Software with the Web UI feature enabled): All versions
  • Stratix 5200 (running Cisco IOS XE Software with the Web UI feature enabled): All versions

Rockwell is aware of active exploitation of a previously unknown vulnerability in the web user interface feature of Cisco IOS XE Software when exposed to the Internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

CVE-2023-20198 is the identifier assigned to the vulnerability, which has a CVSS v3 base score of 10.0.

The product is used in the critical manufacturing sector and is deployed globally.

The vulnerability is exploitable with low attack complexity.

Rockwell encourages users to follow its guidance on disabling Stratix HTTP servers on all Internet-facing systems:

  • To disable the HTTP Server feature, use the 'no ip http server' or 'no ip http secure-server' command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
  • When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.
  • Cisco Talos has provided Indicators of Compromise and Snort rules.

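As an added defender-side check (not from the advisory, Rockwell or Cisco), this Python script audits an IOS-style running-config excerpt for the two things the advisory points at: whether the HTTP/HTTPS server is still enabled, and whether any local account holds privilege level 15 without being on an expected allowlist. The config text, hostname, usernames and allowlist are all constructed for the example.

```python
import re

# Constructed running-config excerpt (not from a real device). "svc_backup"
# stands in for a privilege-15 account the allowlist does not contain.
SAMPLE_CONFIG = """\
!
hostname stratix-5800-cell3
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
username operator privilege 1 secret 9 $9$placeholder
!
ip http server
no ip http secure-server
!
"""

# Hypothetical allowlist of local accounts expected to hold privilege 15.
EXPECTED_ADMINS = {"netadmin"}

HTTP_RE = re.compile(r"^(no )?ip http (secure-)?server\s*$")
USER_RE = re.compile(r"^username (\S+)\s.*?\bprivilege (\d+)\b")

def http_server_state(config):
    """Return {'http': bool, 'https': bool} from explicit 'ip http' lines.
    Assumption: a service counts as disabled only when an explicit
    'no ip http ...' line is present (the form the advisory asks for)."""
    state = {"http": False, "https": False}
    for line in config.splitlines():
        m = HTTP_RE.match(line.strip())
        if m:
            state["https" if m.group(2) else "http"] = m.group(1) is None
    return state

def unexpected_priv15_users(config, expected):
    """Return privilege-15 local usernames that are not in the allowlist."""
    found = []
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m and m.group(2) == "15" and m.group(1) not in expected:
            found.append(m.group(1))
    return found

def audit(config, expected=EXPECTED_ADMINS):
    """Combine both checks into a list of findings to act on."""
    findings = []
    state = http_server_state(config)
    if state["http"]:
        findings.append("HTTP server enabled: apply 'no ip http server'")
    if state["https"]:
        findings.append("HTTPS server enabled: apply 'no ip http secure-server'")
    for user in unexpected_priv15_users(config, expected):
        findings.append(f"unexpected privilege-15 account: {user}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run the same functions over 'show running-config' output saved from a real device; an empty result from audit() means the HTTP server lines are explicitly negated and every privilege-15 account is one you expect.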
ISSSource