{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2023-42770",
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "\nRed Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.\n\n"
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-288 Authentication Bypass Using An Alternative Path Or Channel",
                        "cweId": "CWE-288"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Red Lion Controls",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "ST-IPm-8460",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "6.0.202"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "ST-IPm-6350",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "4.9.114"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "VT-mIPm-135-D",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "4.9.114"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "VT-mIPm-245-D",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "4.9.114"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "VT-IPm2m-213-D",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "4.9.114"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "VT-IPm2m-113-D",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "4.9.114"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01",
                "refsource": "MISC",
                "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01"
            },
            {
                "url": "https://https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution",
                "refsource": "MISC",
                "name": "https://https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.1.0-dev"
    },
    "source": {
        "advisory": "ICSA-23-320-01",
        "discovery": "EXTERNAL"
    },
    "solution": [
        {
            "lang": "en",
            "supportingMedia": [
                {
                    "base64": false,
                    "type": "text/html",
                    "value": "\n\n<p>Red Lion recommends users apply the <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05\">latest patches</a>&nbsp;to their products.</p><p>Red Lion recommends users apply additional mitigations to help reduce the risk:</p><ul><li>Enable user authentication, see <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU\">Red Lion instructions</a>.</li></ul><p>Blocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.</p><p>To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.</p><ul><li>ST-IPm-8460 \u2013 Install 8313_patch1_tcp_udr_all_blocked.tar.gz</li><li>ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch1_tcp_udr_all_blocked.tar.gz</li></ul><p>To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.</p><ul><li>ST-IPm-8460 \u2013 Install 8313_patch2_io_open.tar.gz</li><li>ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch2_io_open.tar.gz</li></ul><p>To Block all Sixnet UDR messages over TCP/IP:</p><ul><li>Enable iptables rules to block TCP/IP traffic.</li><li>In the Sixnet I/O Tool Kit go to Configuration&gt;Configuration Station/Module&gt;\"Ports\" tab&gt;Security.</li><li>Select the \"Load the this file with each station load\" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.</li></ul><p>Remove these rules from the default rc.firewall file:</p><ul><li>iptables -P INPUT DROP (Drops everything coming in)</li><li>iptables -P FORWARD DROP (Drops everything in FORWARD chain)</li></ul><p>Add one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:</p><ul><li>insmodip_tables (Initialization)</li><li>insmodiptable_filter (Initialization)</li><li>insmodip_conntrack (Initialization)</li><li>insmodiptable_nat (Initialization)</li><li>iptables -F INPUT (Flushes INPUT chain)</li><li>iptables -F OUTPUT (Flushes OUTPUT chain)</li><li>iptables -F FORWARD (Flushes FORWARD chain)</li><li>iptables -Z (Zero counters)</li><li>iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)</li><li>iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)</li></ul><p>For installation instructions see <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU\">Red Lion's support page</a>.</p><p>For more information, please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution\">Red Lion\u2019s security bulletin</a>.</p>\n\n<br>"
                }
            ],
            "value": "\nRed Lion recommends users apply the  latest patches https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05 \u00a0to their products.\n\nRed Lion recommends users apply additional mitigations to help reduce the risk:\n\n  *  Enable user authentication, see  Red Lion instructions https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\n\nBlocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.\n\nTo block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.\n\n  *  ST-IPm-8460 \u2013 Install 8313_patch1_tcp_udr_all_blocked.tar.gz\n  *  ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch1_tcp_udr_all_blocked.tar.gz\n\n\nTo block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.\n\n  *  ST-IPm-8460 \u2013 Install 8313_patch2_io_open.tar.gz\n  *  ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D \u2013 Install 855_patch2_io_open.tar.gz\n\n\nTo Block all Sixnet UDR messages over TCP/IP:\n\n  *  Enable iptables rules to block TCP/IP traffic.\n  *  In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>\"Ports\" tab>Security.\n  *  Select the \"Load the this file with each station load\" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.\n\n\nRemove these rules from the default rc.firewall file:\n\n  *  iptables -P INPUT DROP (Drops everything coming in)\n  *  iptables -P FORWARD DROP (Drops everything in FORWARD chain)\n\n\nAdd one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:\n\n  *  insmodip_tables (Initialization)\n  *  insmodiptable_filter (Initialization)\n  *  insmodip_conntrack (Initialization)\n  *  insmodiptable_nat (Initialization)\n  *  iptables -F INPUT (Flushes INPUT chain)\n  *  iptables -F OUTPUT (Flushes OUTPUT chain)\n  *  iptables -F FORWARD (Flushes FORWARD chain)\n  *  iptables -Z (Zero counters)\n  *  iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)\n  *  iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)\n\n\nFor installation instructions see  Red Lion's support page https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\nFor more information, please refer to  Red Lion\u2019s security bulletin https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution .\n\n\n\n\n"
        }
    ],
    "credits": [
        {
            "lang": "en",
            "value": "Nitsan Litov of Claroty Research - Team82 reported these vulnerabilities to CISA."
        }
    ],
    "impact": {
        "cvss": [
            {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
            }
        ]
    }
}