{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40151", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-09-18T22:41:48.086Z", "datePublished": "2023-11-21T00:11:10.081Z", "dateUpdated": "2024-08-02T18:24:55.459Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ST-IPm-8460", "vendor": "Red Lion Controls", "versions": [{"status": "affected", "version": "6.0.202"}]}, {"defaultStatus": "unaffected", "product": "ST-IPm-6350", "vendor": "Red Lion Controls", "versions": [{"status": "affected", "version": "4.9.114"}]}, {"defaultStatus": "unaffected", "product": "VT-mIPm-135-D", "vendor": "Red Lion Controls", "versions": [{"status": "affected", "version": "4.9.114"}]}, {"defaultStatus": "unaffected", "product": "VT-mIPm-245-D", "vendor": "Red Lion Controls", "versions": [{"status": "affected", "version": "4.9.114"}]}, {"defaultStatus": "unaffected", "product": "VT-IPm2m-213-D", "vendor": "Red Lion Controls", "versions": [{"status": "affected", "version": "4.9.114"}]}, {"defaultStatus": "unaffected", "product": "VT-IPm2m-113-D", "vendor": "Red Lion Controls", "versions": [{"status": "affected", "version": "4.9.114"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Nitsan Litov of Claroty Research - Team82 reported these vulnerabilities to CISA."}], "datePublic": "2023-11-16T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.</span>\n\n</span>\n\n"}], "value": "\n\n\nWhen user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "description": "CWE-749  Exposed Dangerous Method Or Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-11-21T00:11:10.081Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01"}, {"url": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>Red Lion recommends users apply the <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05\">latest patches</a>&nbsp;to their products.</p><p>Red Lion recommends users apply additional mitigations to help reduce the risk:</p><ul><li>Enable user authentication, see <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU\">Red Lion instructions</a>.</li></ul><p>Blocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.</p><p>To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.</p><ul><li>ST-IPm-8460 \u2013 Install 8313_patch1_tcp_udr_all_blocked.tar.gz</li><li>ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch1_tcp_udr_all_blocked.tar.gz</li></ul><p>To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.</p><ul><li>ST-IPm-8460 \u2013 Install 8313_patch2_io_open.tar.gz</li><li>ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch2_io_open.tar.gz</li></ul><p>To Block all Sixnet UDR messages over TCP/IP:</p><ul><li>Enable iptables rules to block TCP/IP traffic.</li><li>In the Sixnet I/O Tool Kit go to Configuration&gt;Configuration Station/Module&gt;\"Ports\" tab&gt;Security.</li><li>Select the \"Load the this file with each station load\" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.</li></ul><p>Remove these rules from the default rc.firewall file:</p><ul><li>iptables -P INPUT DROP (Drops everything coming in)</li><li>iptables -P FORWARD DROP (Drops everything in FORWARD chain)</li></ul><p>Add one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:</p><ul><li>insmodip_tables (Initialization)</li><li>insmodiptable_filter (Initialization)</li><li>insmodip_conntrack (Initialization)</li><li>insmodiptable_nat (Initialization)</li><li>iptables -F INPUT (Flushes INPUT chain)</li><li>iptables -F OUTPUT (Flushes OUTPUT chain)</li><li>iptables -F FORWARD (Flushes FORWARD chain)</li><li>iptables -Z (Zero counters)</li><li>iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)</li><li>iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)</li></ul><p>For installation instructions see <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU\">Red Lion's support page</a>.</p><p>For more information, please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution\">Red Lion\u2019s security bulletin</a>.</p>\n\n<br>"}], "value": "\nRed Lion recommends users apply the  latest patches https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05 \u00a0to their products.\n\nRed Lion recommends users apply additional mitigations to help reduce the risk:\n\n  *  Enable user authentication, see  Red Lion instructions https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\n\nBlocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.\n\nTo block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.\n\n  *  ST-IPm-8460 \u2013 Install 8313_patch1_tcp_udr_all_blocked.tar.gz\n  *  ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch1_tcp_udr_all_blocked.tar.gz\n\n\nTo block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.\n\n  *  ST-IPm-8460 \u2013 Install 8313_patch2_io_open.tar.gz\n  *  ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch2_io_open.tar.gz\n\n\nTo Block all Sixnet UDR messages over TCP/IP:\n\n  *  Enable iptables rules to block TCP/IP traffic.\n  *  In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>\"Ports\" tab>Security.\n  *  Select the \"Load the this file with each station load\" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.\n\n\nRemove these rules from the default rc.firewall file:\n\n  *  iptables -P INPUT DROP (Drops everything coming in)\n  *  iptables -P FORWARD DROP (Drops everything in FORWARD chain)\n\n\nAdd one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:\n\n  *  insmodip_tables (Initialization)\n  *  insmodiptable_filter (Initialization)\n  *  insmodip_conntrack (Initialization)\n  *  insmodiptable_nat (Initialization)\n  *  iptables -F INPUT (Flushes INPUT chain)\n  *  iptables -F OUTPUT (Flushes OUTPUT chain)\n  *  iptables -F FORWARD (Flushes FORWARD chain)\n  *  iptables -Z (Zero counters)\n  *  iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)\n  *  iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)\n\n\nFor installation instructions see  Red Lion's support page https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\nFor more information, please refer to  Red Lion\u2019s security bulletin https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution .\n\n\n\n\n"}], "source": {"advisory": "ICSA-23-320-01", "discovery": "EXTERNAL"}, "title": "Red Lion Controls Sixnet RTU Exposed Dangerous Method Or Function", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:55.459Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01", "tags": ["x_transferred"]}, {"url": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redlioncontrols:st-ipm-6350_firmware:4.9.114:*:*:*:*:*:*:*", "matchCriteriaId": "685CF00F-7FEC-4DC9-BBAF-4B83A51ABB53", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:redlioncontrols:st-ipm-6350:-:*:*:*:*:*:*:*", "matchCriteriaId": "FAB3B611-15F5-4921-A8C8-89B0D0A00AA2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redlioncontrols:st-ipm-8460_firmware:6.0.202:*:*:*:*:*:*:*", "matchCriteriaId": "491A31DC-903F-467B-815E-0AC7FA349147", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:redlioncontrols:st-ipm-8460:-:*:*:*:*:*:*:*", "matchCriteriaId": "5CAC9FF0-38FA-4C34-8082-C592CB02F0AC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redlioncontrols:vt-mipm-135-d_firmware:4.9.114:*:*:*:*:*:*:*", "matchCriteriaId": "618F8D7E-6154-461F-BBCF-A69BFDE5CA5E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:redlioncontrols:vt-mipm-135-d:-:*:*:*:*:*:*:*", "matchCriteriaId": "6BEFDF88-C073-4336-AD11-7707260A105E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redlioncontrols:vt-mipm-245-d_firmware:4.9.114:*:*:*:*:*:*:*", "matchCriteriaId": "2473CC87-6ADB-4159-AA7C-4112C913678C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:redlioncontrols:vt-mipm-245-d:-:*:*:*:*:*:*:*", "matchCriteriaId": "4E26FEC2-6332-4F68-8FF5-3A941E91A105", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redlioncontrols:vt-ipm2m-213-d_firmware:4.9.114:*:*:*:*:*:*:*", "matchCriteriaId": "1FF18734-7D47-4DC5-A0C2-4F39298EFF26", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:redlioncontrols:vt-ipm2m-213-d:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C184211-9CF8-499B-B8D4-EBC58134FF6F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redlioncontrols:vt-ipm2m-113-d_firmware:4.9.114:*:*:*:*:*:*:*", "matchCriteriaId": "7A231928-AF55-4697-B0A3-C92ECEAF523B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:redlioncontrols:vt-ipm2m-113-d:-:*:*:*:*:*:*:*", "matchCriteriaId": "D2F4E6FF-1358-4105-AEEC-C7AD34D00EA6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\n\n\nWhen user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.\n\n\n\n"}, {"lang": "es", "value": "Cuando la autenticaci\u00f3n de usuario no est\u00e1 habilitada, el shell puede ejecutar comandos con los privilegios m\u00e1s altos. Red Lion SixTRAK y VersaTRAK Series RTU con usuarios autenticados habilitados (UDR-A), cualquier mensaje Sixnet UDR enfrentar\u00e1 un desaf\u00edo de autenticaci\u00f3n a trav\u00e9s de UDP/IP. Cuando llega el mismo mensaje a trav\u00e9s de TCP/IP, la RTU simplemente aceptar\u00e1 el mensaje sin desaf\u00edo de autenticaci\u00f3n."}], "id": "CVE-2023-40151", "lastModified": "2024-11-21T08:18:52.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-21T00:15:06.953", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}