Critical Vulnerabilities in Red Lion RTUs Pose Severe Industrial Control Risks

Recent cybersecurity research has unveiled two critical vulnerabilities in Red Lion’s Sixnet remote terminal units (RTUs), devices integral to industrial automation and control systems. These flaws, identified as CVE-2023-40151 and CVE-2023-42770, each carry a maximum severity rating of 10.0 on the Common Vulnerability Scoring System (CVSS), indicating their potential to cause significant harm if exploited.

Understanding the Vulnerabilities

Red Lion’s Sixnet RTUs, including the SixTRAK and VersaTRAK series, are widely used across sectors such as energy, water treatment, transportation, utilities, and manufacturing. These devices facilitate automation, control, and data acquisition, making them critical components in industrial operations.

The vulnerabilities were discovered by Claroty’s Team 82, who reported that these flaws could allow an unauthenticated attacker to execute commands with root privileges, effectively granting full control over the affected devices.

Technical Details

1. CVE-2023-42770: Authentication Bypass

This vulnerability arises from the RTU software’s handling of the Sixnet Universal Driver (UDR) protocol. The RTUs listen on port 1594 for both UDP and TCP traffic. While an authentication challenge is presented for messages received over UDP, the same messages sent over TCP are accepted without any authentication. This discrepancy allows attackers to bypass authentication by communicating over TCP.

2. CVE-2023-40151: Remote Code Execution

The second flaw stems from the UDR protocol’s built-in support for executing Linux shell commands. An attacker who can reach this feature can run arbitrary commands with root privileges, gaining complete control over the RTU.

Potential Impact

The combination of these vulnerabilities is particularly concerning. An attacker could first bypass authentication using CVE-2023-42770 and then execute arbitrary commands with root privileges via CVE-2023-40151. This chain of exploits could result in unauthorized control over industrial processes, leading to operational disruptions, data breaches, or even physical damage to infrastructure.

Affected Products

According to advisories from Red Lion and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the following products are impacted:

– ST-IPm-8460: Firmware version 6.0.202 and later
– ST-IPm-6350: Firmware version 4.9.114 and later
– VT-mIPm-135-D: Firmware version 4.9.114 and later
– VT-mIPm-245-D: Firmware version 4.9.114 and later
– VT-IPm2m-213-D: Firmware version 4.9.114 and later
– VT-IPm2m-113-D: Firmware version 4.9.114 and later

Mitigation Measures

To address these vulnerabilities, Red Lion has released patches and provided specific recommendations:

– Apply Patches: Users should update their devices to the latest firmware versions as provided by Red Lion.

– Enable User Authentication: Ensure that user authentication is enabled on the RTUs to prevent unauthorized access.

– Restrict TCP Access: Block or limit Sixnet UDR messages over TCP/IP to eliminate the authentication bypass issue.

CISA also advises organizations to implement proactive cybersecurity strategies, such as minimizing network exposure for control system devices, locating control system networks behind firewalls, and isolating them from business networks.
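As an added example (not code from the advisory, Claroty or Red Lion), the following Python audit runs over constructed flow-log lines and flags the traffic these mitigations target: any UDR session to TCP/1594 on an RTU, which is the path that skips the UDP authentication challenge, and UDP/1594 polls from hosts outside an allowlist. The RTU address, the allowlist and the log format are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sixnet UDR listens on TCP and UDP 1594. Only the UDP path issues the
# authentication challenge, so any TCP session to 1594 is the unauthenticated
# path the advisory says to block or limit.
UDR_PORT = 1594

# Assumed values for this example: the RTU and the engineering host that is
# expected to poll it over UDP.
RTU_HOSTS = {ipaddress.ip_address("10.20.0.50")}
ALLOWED_UDP_SOURCES = {ipaddress.ip_address("10.20.0.10")}

# Constructed flow-log lines in a simple "proto src:sport -> dst:dport" form.
SAMPLE_FLOWS = """\
udp 10.20.0.10:49201 -> 10.20.0.50:1594
udp 10.20.0.99:50110 -> 10.20.0.50:1594
tcp 10.20.0.10:50234 -> 10.20.0.50:1594
tcp 192.168.7.23:41002 -> 10.20.0.50:1594
tcp 10.20.0.10:50235 -> 10.20.0.50:502
""".splitlines()

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


@dataclass(frozen=True)
class Finding:
    proto: str
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Return (proto, src_ip, dst_ip, dst_port) or None for unparseable lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto, src, _sport, dst, dport = m.groups()
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def audit_udr_flows(lines, rtu_hosts=RTU_HOSTS, allowed_udp=ALLOWED_UDP_SOURCES):
    """Flag UDR traffic to the RTUs that the Red Lion/CISA mitigations rule out."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        proto, src, dst, dport = parsed
        if dst not in rtu_hosts or dport != UDR_PORT:
            continue  # not UDR traffic to a monitored RTU
        if proto == "tcp":
            # TCP/1594 is accepted without the UDP challenge: always report it.
            findings.append(Finding(proto, str(src), str(dst), "UDR over TCP (unauthenticated path)"))
        elif src not in allowed_udp:
            findings.append(Finding(proto, str(src), str(dst), "UDR over UDP from unexpected source"))
    return findings
```

In a real deployment the same logic applies to firewall or NetFlow exports; a non-empty result for the TCP case means the "Restrict TCP Access" mitigation is not in effect on that path.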

Conclusion

The discovery of these critical vulnerabilities underscores the importance of robust cybersecurity measures in industrial control systems. Organizations utilizing Red Lion’s Sixnet RTUs should promptly apply the recommended patches and follow the outlined mitigation strategies to safeguard their operations against potential cyber threats.