Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1311
Views
0
Helpful
3
Replies

IE2000/IE3000/IE4000 Question: ACLs for ProfiNet or Ethernet/IP CIP (Control Plane)

BrianSekleckiGE
Level 1
Level 1

‎05-07-2021 01:33 AM

All:

 

Give the recent security advisories on the IE3000/IE4000/IE2000: 

 

  One might ask:  When can we expect to see an IP/Ethernet(MAC) ACL available to restrict communications with the CIP / EthernetIP and/or ProfiNet functions (which run on the control plane)?

 

There isn't always a stateful firewall between untrusted clients and Switch management SVIs/BVIs.  This would be a prudent feature addition into today's security landscape?


~BAS

Labels:
0 Helpful
3 Replies 3

Albert Mitchell
Cisco Employee
Cisco Employee

‎05-11-2021 05:48 PM

Brian,

i don't fully understand the request.

you're asking about security on the Control Plane for Industrial Protocols, and not the data plane?   where control plane for an Ethernet Switch is traffic that terminates or originates from the CPU on the Switch. 

Profinet & CIP are just data to an IE switch. 

 

If you want to use security ACLs on an Ethernet interface to impact the forwarding of Industrial Protocols between interfaces on an IE switch you can do that today.

0 Helpful

BrianSekleckiGE
Level 1
Level 1
In response to Albert Mitchell

‎05-12-2021 05:15 AM

The recent vulnerabilities / CVEs appear to affect the Control Plane implantation of CIP (Where CIP/EthernetIP tags in a Rockwell environment are enumerated from Cisco IOS[-XE] internal data structures)

 

Reference:

https://www.securityweek.com/rockwell-industrial-switches-affected-more-vulnerabilities-cisco-software

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-psc1

 

https://www.cvedetails.com/cve/CVE-2017-3812/

 

 

0 Helpful

Albert Mitchell
Cisco Employee
Cisco Employee
In response to BrianSekleckiGE

‎05-12-2021 01:30 PM

Brian,

back to your original question.  CIP and/or Profinet protocols are on the IE switches are used to manage the switch as part of a larger solution.  if the IE switch is deployed in a network using CIP, then it may be desirable for a CIP mgmt application (eg: Studio5000), to manage the IE Switch.  same with Profinet.

Meaning, there's no point in an ACL to block CIP or Profinet on the Control plane when you want them to manage the switch.

when the IE switch is deployed in a scenario not using CIP or Profinet, or you do not want CIP or Profinet protocol to have access to the Switches control plane, then disable those features on the Switch.  with those features disabled, the mgmt plane vulnerabilities are not exposed. when CIP is disabled, then the security password is not exposed.  there is no security password to view. 

 

if do need to use CIP or profinet and want prevent the documented exposure, then you'll need to update the SW Version. 

1.  "CSCvu58224 Privilege escalation from 1 to 15 using CIP",   this has been fixed in the most recent releases.   17.3.3, 17.4.1 and 17.5.1 have a fix.    if you cannot update IOS-XE SW versions then remove users with ReadOnly privileges, which is what Priv level 1 means.

2. CIP denial of Service was found to occur in IE2000/IE3000.  its been fixed in 15.2.7 and later releases.

 

i may not have covered all the issues.  I hope you get the point.  if you're still confused just reply.  i'll look for it.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents