CVE-2023-42770: Red Lion Controls Sixnet RTU Authentication Bypass Using An Alternative Path Or Channel
First published: Tue Nov 21 2023(Updated: )
Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Red Lion Controls ST-IPM-6350 Firmware | =4.9.114 | |
| Red Lion Controls ST-IPM-6350 Firmware | ||
| All of | ||
| Red Lion Controls ST-IPM-8460 Firmware | =6.0.202 | |
| Redlioncontrols St-ipm-8460 Firmware | ||
| All of | ||
| Red Lion HMI Panel Firmware | =4.9.114 | |
| Red Lion VT-mIPm-135-D | ||
| All of | ||
| Red Lion Controls VT-MIPM-245-D | =4.9.114 | |
| Red Lion Controls VT-MIPM-245-D | ||
| All of | ||
| Red Lion VT-IPM2M-213-D | =4.9.114 | |
| Red Lion VT-IPM2M-213-D | ||
| All of | ||
| Red Lion Controls VT-IPM2M-113-D Firmware | =4.9.114 | |
| Red Lion Controls VT-IPM2M-113-D |
Remedy
Red Lion recommends users apply the latest patches https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05 to their products. Red Lion recommends users apply additional mitigations to help reduce the risk: * Enable user authentication, see Red Lion instructions https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU . Blocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored. To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz. * ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz * ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz. * ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz * ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz To Block all Sixnet UDR messages over TCP/IP: * Enable iptables rules to block TCP/IP traffic. * In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>"Ports" tab>Security. * Select the "Load the this file with each station load" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface. Remove these rules from the default rc.firewall file: * iptables -P INPUT DROP (Drops everything coming in) * iptables -P FORWARD DROP (Drops everything in FORWARD chain) Add one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands: * insmodip_tables (Initialization) * insmodiptable_filter (Initialization) * insmodip_conntrack (Initialization) * insmodiptable_nat (Initialization) * iptables -F INPUT (Flushes INPUT chain) * iptables -F OUTPUT (Flushes OUTPUT chain) * iptables -F FORWARD (Flushes FORWARD chain) * iptables -Z (Zero counters) * iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out) * iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594) For installation instructions see Red Lion's support page https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU . For more information, please refer to Red Lion’s security bulletin https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution .
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-42770?
CVE-2023-42770 is a vulnerability that allows an attacker to bypass authentication in Red Lion Controls Sixnet RTU devices using an alternative path or channel.
How does CVE-2023-42770 affect Red Lion Sixnet and VersaTRAK Series RTUs?
CVE-2023-42770 affects Red Lion Sixnet and VersaTRAK Series RTUs with authenticated users enabled (UDR-A).
What is the severity of CVE-2023-42770?
CVE-2023-42770 has a severity rating of critical.
How can I fix CVE-2023-42770?
To fix CVE-2023-42770, Red Lion Controls recommends upgrading to the latest firmware version provided in their advisory.
Where can I find more information about CVE-2023-42770?
You can find more information about CVE-2023-42770 in the advisory published by CISA and the support article from Red Lion Controls.
- agent/weakness
- agent/references
- agent/event
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/title
- agent/description
- agent/source
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- vendor/redlioncontrols
- canonical/red lion controls st-ipm-6350 firmware
- version/red lion controls st-ipm-6350 firmware/4.9.114
- canonical/red lion controls st-ipm-8460 firmware
- version/red lion controls st-ipm-8460 firmware/6.0.202
- canonical/redlioncontrols st-ipm-8460 firmware
- canonical/red lion hmi panel firmware
- version/red lion hmi panel firmware/4.9.114
- canonical/red lion vt-mipm-135-d
- canonical/red lion controls vt-mipm-245-d
- version/red lion controls vt-mipm-245-d/4.9.114
- canonical/red lion vt-ipm2m-213-d
- version/red lion vt-ipm2m-213-d/4.9.114
- canonical/red lion controls vt-ipm2m-113-d firmware
- version/red lion controls vt-ipm2m-113-d firmware/4.9.114
- canonical/red lion controls vt-ipm2m-113-d