{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2023-40151",
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "state": "PUBLISHED",
        "assignerShortName": "icscert",
        "dateReserved": "2023-09-18T22:41:48.086Z",
        "datePublished": "2023-11-21T00:11:10.081Z",
        "dateUpdated": "2024-08-02T18:24:55.459Z"
    },
    "containers": {
        "cna": {
            "affected": [
                {
                    "defaultStatus": "unaffected",
                    "product": "ST-IPm-8460",
                    "vendor": "Red Lion Controls",
                    "versions": [
                        {
                            "status": "affected",
                            "version": "6.0.202"
                        }
                    ]
                },
                {
                    "defaultStatus": "unaffected",
                    "product": "ST-IPm-6350",
                    "vendor": "Red Lion Controls",
                    "versions": [
                        {
                            "status": "affected",
                            "version": "4.9.114"
                        }
                    ]
                },
                {
                    "defaultStatus": "unaffected",
                    "product": "VT-mIPm-135-D",
                    "vendor": "Red Lion Controls",
                    "versions": [
                        {
                            "status": "affected",
                            "version": "4.9.114"
                        }
                    ]
                },
                {
                    "defaultStatus": "unaffected",
                    "product": "VT-mIPm-245-D",
                    "vendor": "Red Lion Controls",
                    "versions": [
                        {
                            "status": "affected",
                            "version": "4.9.114"
                        }
                    ]
                },
                {
                    "defaultStatus": "unaffected",
                    "product": "VT-IPm2m-213-D",
                    "vendor": "Red Lion Controls",
                    "versions": [
                        {
                            "status": "affected",
                            "version": "4.9.114"
                        }
                    ]
                },
                {
                    "defaultStatus": "unaffected",
                    "product": "VT-IPm2m-113-D",
                    "vendor": "Red Lion Controls",
                    "versions": [
                        {
                            "status": "affected",
                            "version": "4.9.114"
                        }
                    ]
                }
            ],
            "credits": [
                {
                    "lang": "en",
                    "type": "finder",
                    "user": "00000000-0000-4000-9000-000000000000",
                    "value": "Nitsan Litov of Claroty Research - Team82 reported these vulnerabilities to CISA."
                }
            ],
            "datePublic": "2023-11-16T18:00:00.000Z",
            "descriptions": [
                {
                    "lang": "en",
                    "supportingMedia": [
                        {
                            "base64": false,
                            "type": "text/html",
                            "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.</span>\n\n</span>\n\n"
                        }
                    ],
                    "value": "\n\n\nWhen user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.\n\n\n\n"
                }
            ],
            "metrics": [
                {
                    "cvssV3_1": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "HIGH",
                        "baseScore": 10,
                        "baseSeverity": "CRITICAL",
                        "confidentialityImpact": "HIGH",
                        "integrityImpact": "HIGH",
                        "privilegesRequired": "NONE",
                        "scope": "CHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                        "version": "3.1"
                    },
                    "format": "CVSS",
                    "scenarios": [
                        {
                            "lang": "en",
                            "value": "GENERAL"
                        }
                    ]
                }
            ],
            "problemTypes": [
                {
                    "descriptions": [
                        {
                            "cweId": "CWE-749",
                            "description": "CWE-749  Exposed Dangerous Method Or Function",
                            "lang": "en",
                            "type": "CWE"
                        }
                    ]
                }
            ],
            "providerMetadata": {
                "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
                "shortName": "icscert",
                "dateUpdated": "2023-11-21T00:11:10.081Z"
            },
            "references": [
                {
                    "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01"
                },
                {
                    "url": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution"
                }
            ],
            "solutions": [
                {
                    "lang": "en",
                    "supportingMedia": [
                        {
                            "base64": false,
                            "type": "text/html",
                            "value": "\n\n<p>Red Lion recommends users apply the <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05\">latest patches</a>&nbsp;to their products.</p><p>Red Lion recommends users apply additional mitigations to help reduce the risk:</p><ul><li>Enable user authentication, see <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU\">Red Lion instructions</a>.</li></ul><p>Blocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.</p><p>To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.</p><ul><li>ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz</li><li>ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz</li></ul><p>To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.</p><ul><li>ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz</li><li>ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz</li></ul><p>To Block all Sixnet UDR messages over TCP/IP:</p><ul><li>Enable iptables rules to block TCP/IP traffic.</li><li>In the Sixnet I/O Tool Kit go to Configuration&gt;Configuration Station/Module&gt;\"Ports\" tab&gt;Security.</li><li>Select the \"Load the this file with each station load\" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.</li></ul><p>Remove these rules from the default rc.firewall file:</p><ul><li>iptables -P INPUT DROP (Drops everything coming in)</li><li>iptables -P FORWARD DROP (Drops everything in FORWARD chain)</li></ul><p>Add one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:</p><ul><li>insmodip_tables (Initialization)</li><li>insmodiptable_filter (Initialization)</li><li>insmodip_conntrack (Initialization)</li><li>insmodiptable_nat (Initialization)</li><li>iptables -F INPUT (Flushes INPUT chain)</li><li>iptables -F OUTPUT (Flushes OUTPUT chain)</li><li>iptables -F FORWARD (Flushes FORWARD chain)</li><li>iptables -Z (Zero counters)</li><li>iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)</li><li>iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)</li></ul><p>For installation instructions see <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU\">Red Lion's support page</a>.</p><p>For more information, please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution\">Red Lion’s security bulletin</a>.</p>\n\n<br>"
                        }
                    ],
                    "value": "\nRed Lion recommends users apply the  latest patches https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05  to their products.\n\nRed Lion recommends users apply additional mitigations to help reduce the risk:\n\n  *  Enable user authentication, see  Red Lion instructions https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\n\nBlocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.\n\nTo block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.\n\n  *  ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz\n  *  ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz\n\n\nTo block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.\n\n  *  ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz\n  *  ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz\n\n\nTo Block all Sixnet UDR messages over TCP/IP:\n\n  *  Enable iptables rules to block TCP/IP traffic.\n  *  In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>\"Ports\" tab>Security.\n  *  Select the \"Load the this file with each station load\" radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.\n\n\nRemove these rules from the default rc.firewall file:\n\n  *  iptables -P INPUT DROP (Drops everything coming in)\n  *  iptables -P FORWARD DROP (Drops everything in FORWARD chain)\n\n\nAdd one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:\n\n  *  insmodip_tables (Initialization)\n  *  insmodiptable_filter (Initialization)\n  *  insmodip_conntrack (Initialization)\n  *  insmodiptable_nat (Initialization)\n  *  iptables -F INPUT (Flushes INPUT chain)\n  *  iptables -F OUTPUT (Flushes OUTPUT chain)\n  *  iptables -F FORWARD (Flushes FORWARD chain)\n  *  iptables -Z (Zero counters)\n  *  iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)\n  *  iptables -A INPUT -p tcp --dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)\n\n\nFor installation instructions see  Red Lion's support page https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU .\n\nFor more information, please refer to  Red Lion’s security bulletin https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution .\n\n\n\n\n"
                }
            ],
            "source": {
                "advisory": "ICSA-23-320-01",
                "discovery": "EXTERNAL"
            },
            "title": "Red Lion Controls Sixnet RTU Exposed Dangerous Method Or Function",
            "x_generator": {
                "engine": "Vulnogram 0.1.0-dev"
            }
        },
        "adp": [
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-02T18:24:55.459Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    }
}