Full Report
Successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code, crash the device, or view protected data.
Analysis Summary
The source article snippet contains limited information. This summarized technical vulnerability report is therefore based on the specific incident it references (multiple vulnerabilities in Red Lion Controls Crimson software, 2019) and on the associated Kaspersky ICS CERT and CISA advisories.
# Vulnerability: Multiple Memory Corruption Flaws in Red Lion Controls Crimson
## CVE Details
- **CVE ID:** CVE-2019-13532, CVE-2019-13534, CVE-2019-13536, CVE-2019-13540
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products:** Red Lion Controls Crimson 3.0, 3.1
- **Versions:** Crimson 3.0 versions 707.000 and prior; Crimson 3.1 versions 3112.000 and prior.
- **Configurations:** Systems where an operator opens a specially crafted database file or communicates with a malicious device.
## Vulnerability Description
The Crimson software suite is susceptible to multiple memory corruption vulnerabilities. These flaws primarily stem from improper validation of user-supplied data when parsing configuration files (e.g., .cd3, .cp3 files). Specifically:
- **Out-of-bounds Write:** Processing malformed data can lead to memory corruption beyond the allocated buffer.
- **Out-of-bounds Read:** An attacker can trigger reads from unauthorized memory locations, potentially leaking sensitive data or causing a crash.
## Exploitation
- **Status:** PoC available (Information developed by researchers at Kaspersky Lab). No confirmed widespread exploitation in the wild was reported at the time of disclosure.
- **Complexity:** Medium (Requires a user to open a malicious file).
- **Attack Vector:** Local (Social Engineering / File-based).
## Impact
- **Confidentiality:** High (Potential to view protected data via out-of-bounds reads).
- **Integrity:** High (Memory corruption may allow for arbitrary code execution).
- **Availability:** High (Can lead to application crash or device denial-of-service).
## Remediation
### Patches
- **Crimson 3.1:** Update to version 3113.00 or later.
- **Crimson 3.0:** Update to version 708.000 or later.
- Red Lion recommends users download the latest versions from their official website.
### Workarounds
- Apply "Principle of Least Privilege" to the software environment.
- Avoid opening configuration files or database files from untrusted sources or unknown third parties.
- Minimize network exposure for control system devices.
## Detection
- **Indicators of Compromise:** Unusual application crashes when loading configuration files; unexplained system reboots; unauthorized outbound network traffic from engineering workstations.
- **Detection methods:** Use Endpoint Detection and Response (EDR) tools to monitor for unauthorized sub-process spawning from Crimson.exe. Use static analysis tools to scan `.cd3` and `.cp3` files for anomalies.
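
The sub-process monitoring described above, as an added example (not part of the original report and not vendor or EDR tooling): it scans process-creation events for children of Crimson.exe that are not on a baseline allowlist. The Sysmon-style field names, the sample events, the file paths and the allowlist entry are assumptions constructed for illustration.

```python
import json
import ntpath

PARENT_NAME = "crimson.exe"
# Assumption: children Crimson.exe legitimately starts on this workstation.
# Placeholder entry; build the real list from a baseline of your environment.
ALLOWED_CHILDREN = {"expected-helper.exe"}

# Constructed sample events, one JSON object per line (paths are made up).
SAMPLE_LOG = r'''
{"UtcTime": "2019-09-10 08:01:12", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Example\\Crimson.exe", "CommandLine": "Crimson.exe plant.cd3"}
{"UtcTime": "2019-09-10 08:01:15", "ParentImage": "C:\\Example\\Crimson.exe", "Image": "C:\\Example\\expected-helper.exe", "CommandLine": "expected-helper.exe"}
{"UtcTime": "2019-09-10 08:02:40", "ParentImage": "C:\\Example\\CRIMSON.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
this line is truncated and not valid JSON
{"UtcTime": "2019-09-10 08:02:41", "ParentImage": "C:\\Example\\Crimson.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile"}
'''

def image_name(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return ntpath.basename(str(path or "")).lower()

def find_unexpected_children(lines):
    """Return (time, child, command line) for non-allowlisted Crimson.exe children."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # damaged log line: skip it rather than abort the scan
        if not isinstance(event, dict):
            continue
        # Name-only match: case-insensitive, ignores the install directory.
        if image_name(event.get("ParentImage")) != PARENT_NAME:
            continue
        child = image_name(event.get("Image"))
        if child not in ALLOWED_CHILDREN:
            hits.append((event.get("UtcTime"), child, event.get("CommandLine", "")))
    return hits

if __name__ == "__main__":
    for when, child, cmdline in find_unexpected_children(SAMPLE_LOG.splitlines()):
        print(f"{when}  Crimson.exe -> {child}  ({cmdline})")
```

Matching on the file name alone is a triage heuristic; pairing it with the parent's full path or signature reduces false matches from unrelated binaries named Crimson.exe.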
## References
- **Vendor Advisory:** hxxps[://]www[.]redlion[.]net/support/software-firmware/crimson-31/crimson-31-software-manuals
- **CISA Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-19-253-02
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/klcas-19-001/