Two maximum severity Red Lion Sixnet remote terminal unit (RTU) vulnerabilities were detailed in a new report Tuesday, demonstrating how a remote attacker could execute commands as root on the devices with no authentication.
The flaws, which both have a CVSS score of 10.0, affect Red Lion SixTRAK and VersaTRAK RTUs, which are used in industrial control systems (ICS) in critical infrastructure sectors including energy, water and wastewater treatment, transportation, utilities and manufacturing.
Claroty’s Team82, which discovered both flaws in 2023, withheld details about the exploits to allow organizations to patch critical systems. The vulnerabilities are tracked as CVE-2023-42770, an authentication bypass, and CVE-2023-40151, which enables the unauthenticated execution of Linux shell commands as root.
“These two CVEs together are a deadly combination […] a hacker can take complete control of the system, bypass all security, and cause significant and dangerous disruptions to any connected industrial control systems,” Patrick Münch, chief information security officer at Mondoo, told SC Media in an email.
Red Lion’s Sixnet IO Tool Kit software communicates with RTU devices over the user datagram protocol (UDP) port 1594 using Red Lion’s proprietary Sixnet Universal protocol. Claroty’s report explains the user-permission system used by this protocol and the authentication layer added to protect devices from unauthorized access.
While the affected devices check for permissions and authentication before processing packets received over UDP, Team82 discovered that they perform no such checks for packets received over the transmission control protocol (TCP). Therefore, an attacker can fully bypass authentication by sending messages over TCP port 1594 rather than UDP.
This flaw, CVE-2023-42770, can be chained with CVE-2023-40151 to execute remote commands with root permissions. Team82 demonstrated that any Linux shell commands sent over the Sixnet protocol, including over the TCP path and unauthenticated, are automatically executed as root.
These Red Lion RTU flaws were previously detailed in an ICS advisory from the Cybersecurity and Infrastructure Security Agency (CISA). Red Lion provided two different patch options for the vulnerabilities, one that blocks all Sixnet UDR messages over TCP and one that blocks all Sixnet UDR messages over TCP except for input/output (I/O), such as those sent from embedded devices or a supervisory control and data acquisition (SCADA) system. The company also provided instructions to manually block TCP traffic using iptables rules.
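The practical defender takeaways from the article are twofold: Sixnet traffic to an RTU over TCP port 1594 is never expected and should be alerted on, and inbound TCP on that port should be dropped on the device while UDP is left untouched. The script below is an added example written for this article, not code from Claroty, Red Lion or CISA. It parses constructed firewall flow records in a made-up key=value layout, flags any TCP/1594 flow toward a hypothetical RTU inventory, and prints iptables rules that express the intent of the vendor's iptables workaround as the article describes it; the RTU addresses, log format and rule text are all assumptions made here, not the vendor's published instructions.

```python
import re
from dataclasses import dataclass

SIXNET_PORT = 1594  # port the article names for Sixnet Universal protocol traffic

# Hypothetical inventory of RTU addresses on the OT network (constructed for this example).
RTU_HOSTS = {"10.20.0.11", "10.20.0.12"}

# Constructed firewall flow records in a simple key=value layout (not any real vendor's log format).
SAMPLE_FLOWS = """\
2023-11-14T09:00:01Z proto=udp src=10.20.0.5 dst=10.20.0.11 dport=1594 bytes=212
2023-11-14T09:00:07Z proto=tcp src=10.20.0.5 dst=10.20.0.11 dport=1594 bytes=180
2023-11-14T09:01:15Z proto=tcp src=192.168.7.44 dst=10.20.0.12 dport=1594 bytes=96
2023-11-14T09:02:30Z proto=tcp src=10.20.0.5 dst=10.20.0.11 dport=502 bytes=60
2023-11-14T09:03:02Z proto=udp src=10.20.0.9 dst=10.20.0.12 dport=1594 bytes=120
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_flows(text):
    """Turn the key=value flow lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["bytes"] = int(d["bytes"])
        records.append(d)
    return records


def find_tcp_sixnet(records, rtu_hosts=RTU_HOSTS):
    """Flag flows that reach a known RTU on TCP/1594: per the article, that path skips the
    permission and authentication checks the device enforces on UDP, so it should never
    appear in normal Sixnet IO Tool Kit or SCADA traffic."""
    findings = []
    for r in records:
        if r["dst"] in rtu_hosts and r["dport"] == SIXNET_PORT and r["proto"].lower() == "tcp":
            findings.append(Finding(r["ts"], r["src"], r["dst"], "sixnet-over-tcp"))
    return findings


def iptables_block_rules(port=SIXNET_PORT):
    """Rule lines that drop inbound TCP on the Sixnet port while leaving UDP alone.
    Assumption: this mirrors the intent of the vendor workaround the article mentions
    (blocking TCP with iptables); it is not the vendor's exact rule text."""
    return [
        f"iptables -A INPUT -p udp --dport {port} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {port} -j DROP",
    ]


if __name__ == "__main__":
    for f in find_tcp_sixnet(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {f.ts} {f.src} -> {f.dst} ({f.reason})")
    print("\n".join(iptables_block_rules()))
```

On the constructed sample, the two TCP/1594 flows are flagged while the UDP management traffic and the unrelated TCP/502 flow are not; the same rule of thumb (any TCP on 1594 toward an RTU is a finding) transfers directly to a SIEM or IDS signature once the real flow source is wired in.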
Due to the use of affected devices in critical infrastructure and industrial systems and the severity of the flaws, organizations are strongly urged to apply the necessary patches and mitigations.
“Gaining access to these systems would allow attackers to not only steal data or cause denial of service, but also manipulate the industrial process itself, potentially causing outages or equipment breakdowns,” Münch noted.