First published: Tue Nov 21 2023(Updated: )
Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
Redlioncontrols St-ipm-6350 Firmware | =4.9.114 | |
Redlioncontrols St-ipm-6350 | ||
All of | ||
Redlioncontrols St-ipm-8460 Firmware | =6.0.202 | |
Redlioncontrols St-ipm-8460 | ||
All of | ||
Redlioncontrols Vt-mipm-135-d Firmware | =4.9.114 | |
Redlioncontrols Vt-mipm-135-d | ||
All of | ||
Redlioncontrols Vt-mipm-245-d Firmware | =4.9.114 | |
Redlioncontrols Vt-mipm-245-d | ||
All of | ||
Redlioncontrols Vt-ipm2m-213-d Firmware | =4.9.114 | |
Redlioncontrols Vt-ipm2m-213-d | ||
All of | ||
Redlioncontrols Vt-ipm2m-113-d Firmware | =4.9.114 | |
Redlioncontrols Vt-ipm2m-113-d |
Red Lion recommends users apply the latest patches https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05 to their products. Red Lion recommends users apply additional mitigations to help reduce the risk: * Enable user authentication, see Red Lion instructions https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU . Blocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored. To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz. * ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz * ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz. * ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz * ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz To Block all Sixnet UDR messages over TCP/IP: * Enable iptables rules to block TCP/IP traffic. * In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>"Ports" tab>Security. * Select the "Load the this file with each station load" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface. Remove these rules from the default rc.firewall file: * iptables -P INPUT DROP (Drops everything coming in) * iptables -P FORWARD DROP (Drops everything in FORWARD chain) Add one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands: * insmodip_tables (Initialization) * insmodiptable_filter (Initialization) * insmodip_conntrack (Initialization) * insmodiptable_nat (Initialization) * iptables -F INPUT (Flushes INPUT chain) * iptables -F OUTPUT (Flushes OUTPUT chain) * iptables -F FORWARD (Flushes FORWARD chain) * iptables -Z (Zero counters) * iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out) * iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594) For installation instructions see Red Lion's support page https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU . For more information, please refer to Red Lion’s security bulletin https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution .
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-42770 is a vulnerability that allows an attacker to bypass authentication in Red Lion Controls Sixnet RTU devices using an alternative path or channel.
CVE-2023-42770 affects Red Lion Sixnet and VersaTRAK Series RTUs with authenticated users enabled (UDR-A).
CVE-2023-42770 has a severity rating of critical.
To fix CVE-2023-42770, Red Lion Controls recommends upgrading to the latest firmware version provided in their advisory.
You can find more information about CVE-2023-42770 in the advisory published by CISA and the support article from Red Lion Controls.