{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2023-40151", "ASSIGNER": "ics-cert@hq.dhs.gov", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "\n\n\nWhen user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.\n\n\n\n" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-749 Exposed Dangerous Method Or Function", "cweId": "CWE-749" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Red Lion Controls", "product": { "product_data": [ { "product_name": "ST-IPm-8460", "version": { "version_data": [ { "version_affected": "=", "version_value": "6.0.202" } ] } }, { "product_name": "ST-IPm-6350", "version": { "version_data": [ { "version_affected": "=", "version_value": "4.9.114" } ] } }, { "product_name": "VT-mIPm-135-D", "version": { "version_data": [ { "version_affected": "=", "version_value": "4.9.114" } ] } }, { "product_name": "VT-mIPm-245-D", "version": { "version_data": [ { "version_affected": "=", "version_value": "4.9.114" } ] } }, { "product_name": "VT-IPm2m-213-D", "version": { "version_data": [ { "version_affected": "=", "version_value": "4.9.114" } ] } }, { "product_name": "VT-IPm2m-113-D", "version": { "version_data": [ { "version_affected": "=", "version_value": "4.9.114" } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01", "refsource": "MISC", "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01" }, { "url": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution", "refsource": "MISC", "name": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution" } ] }, "generator": { "engine": "Vulnogram 0.1.0-dev" }, "source": { "advisory": "ICSA-23-320-01", "discovery": "EXTERNAL" }, "solution": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n

Red Lion recommends users apply the latest patches to their products.

Red Lion recommends users apply additional mitigations to help reduce the risk:

Blocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.

To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.

To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.

To Block all Sixnet UDR messages over TCP/IP:

Remove these rules from the default rc.firewall file:

Add one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:

For installation instructions see Red Lion's support page.

For more information, please refer to Red Lion\u2019s security bulletin.

\n\n
" } ], "value": "\nRed Lion recommends users apply the latest patches https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05 \u00a0to their products.\n\nRed Lion recommends users apply additional mitigations to help reduce the risk:\n\n * Enable user authentication, see Red Lion instructions https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\n\nBlocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.\n\nTo block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.\n\n * ST-IPm-8460 \u2013 Install 8313_patch1_tcp_udr_all_blocked.tar.gz\n * ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch1_tcp_udr_all_blocked.tar.gz\n\n\nTo block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.\n\n * ST-IPm-8460 \u2013 Install 8313_patch2_io_open.tar.gz\n * ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch2_io_open.tar.gz\n\n\nTo Block all Sixnet UDR messages over TCP/IP:\n\n * Enable iptables rules to block TCP/IP traffic.\n * In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>\"Ports\" tab>Security.\n * Select the \"Load the this file with each station load\" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.\n\n\nRemove these rules from the default rc.firewall file:\n\n * iptables -P INPUT DROP (Drops everything coming in)\n * iptables -P FORWARD DROP (Drops everything in FORWARD chain)\n\n\nAdd one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:\n\n * insmodip_tables (Initialization)\n * insmodiptable_filter (Initialization)\n * insmodip_conntrack (Initialization)\n * insmodiptable_nat (Initialization)\n * iptables -F INPUT (Flushes INPUT chain)\n * iptables -F OUTPUT (Flushes OUTPUT chain)\n * iptables -F FORWARD (Flushes FORWARD chain)\n * iptables -Z (Zero counters)\n * iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)\n * iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)\n\n\nFor installation instructions see Red Lion's support page https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\nFor more information, please refer to Red Lion\u2019s security bulletin https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution .\n\n\n\n\n" } ], "credits": [ { "lang": "en", "value": "Nitsan Litov of Claroty Research - Team82 reported these vulnerabilities to CISA." } ], "impact": { "cvss": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } ] } }