First published: Mon Nov 06 2023(Updated: )
The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability.
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
Any of | ||
Redlion Crimson | <3.2 | |
Redlion Crimson | =3.2-build_3.2.0008.0 | |
Redlion Crimson | =3.2-build_3.2.0014.0 | |
Redlion Crimson | =3.2-build_3.2.0015.0 | |
Redlion Crimson | =3.2-build_3.2.0016.0 | |
Redlion Crimson | =3.2-build_3.2.0020.0 | |
Redlion Crimson | =3.2-build_3.2.0021.0 | |
Redlion Crimson | =3.2-build_3.2.0025.0 | |
Redlion Crimson | =3.2-build_3.2.0026.0 | |
Redlion Crimson | =3.2-build_3.2.0030.0 | |
Redlion Crimson | =3.2-build_3.2.0031.0 | |
Redlion Crimson | =3.2-build_3.2.0035.0 | |
Redlion Crimson | =3.2-build_3.2.0036.0 | |
Redlion Crimson | =3.2-build_3.2.0040.0 | |
Redlion Crimson | =3.2-build_3.2.0041.0 | |
Redlion Crimson | =3.2-build_3.2.0044.0 | |
Redlion Crimson | =3.2-build_3.2.0047.0 | |
Redlion Crimson | =3.2-build_3.2.0050.0 | |
Redlion Crimson | =3.2-build_3.2.0051.0 | |
Redlion Crimson | =3.2-build_3.2.0053.0 | |
Redlion Crimson | =3.2-build_3.2.0053.1 | |
Redlion Crimson | =3.2-build_3.2.0053.18 | |
Any of | ||
Redlion Da50a | ||
Redlion Da70a |
Red Lion recommends updating the Crimson configuration tool to version 3.2.0063 or later by using the automatic update feature or visiting the Red Lion website https://www.redlion.net/node/16883 . Any existing or new accounts created should refrain from using the percent (%) character in the configured password in versions 3.2.0053.18 or below. For more information refer to Red Lion's security advisory RLCSIM-2023-04 https://support.redlion.net/hc/en-us/categories/360002087671-Security-Advisories .
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-5719 is a vulnerability in Red Lion Crimson that allows users to define new passwords containing the percent (%) character, potentially causing invalid values and truncation issues.
CVE-2023-5719 has a severity value of 9.8, which is classified as critical.
Red Lion Crimson versions 3.2-build_3.2.0008.0 and later are affected by CVE-2023-5719.
To fix CVE-2023-5719, it is recommended to update Red Lion Crimson to the latest version available.
More information about CVE-2023-5719 can be found at the following references: [CISA Advisory](https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01), [Red Lion Support Advisories](https://support.redlion.net/hc/en-us/categories/360002087671-Security-Advisories).