Full Report
Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixnet remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges. The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770, are both rated 10.0 on the CVSS scoring system. "The vulnerabilities affect Red Lion SixTRAK and VersaTRAK
Analysis Summary
# Vulnerability: Critical Authentication Bypass and RCE in Red Lion Sixnet RTUs
## CVE Details
- CVE ID: CVE-2023-40151, CVE-2023-42770
- CVSS Score: 10.0 (Critical)
- CWE: Not explicitly listed; the flaws involve authentication bypass and remote code execution.
## Affected Systems
- Products: Red Lion SixTRAK RTUs and VersaTRAK RTUs.
- Versions:
  - ST-IPm-8460: Firmware version 6.0.202 and later
  - ST-IPm-6350: Firmware version 4.9.114 and later
  - VT-mIPm-135-D: Firmware version 4.9.114 and later
  - VT-mIPm-245-D: Firmware version 4.9.114 and later
  - VT-IPm2m-213-D: Firmware version 4.9.114 and later
  - VT-IPm2m-113-D: Firmware version 4.9.114 and later
- Configurations: Vulnerable both when user authentication (UDR-A) is enabled on the Sixnet Universal Driver (UDR) and when user authentication is not enabled at all.
## Vulnerability Description
This summary covers two chained vulnerabilities that allow an unauthenticated attacker to achieve remote code execution with root privileges on affected Red Lion RTUs:
1. **CVE-2023-42770 (Authentication Bypass):** The Sixnet RTU software listens to the same UDP and TCP port (1594). The protocol only prompts for an authentication challenge over UDP, while accepting incoming messages over TCP without prompting for authentication. This allows an attacker to bypass authentication simply by communicating over TCP port 1594.
2. **CVE-2023-40151 (Remote Code Execution):** This flaw leverages the Sixnet Universal Driver's (UDR) built-in support for Linux shell command execution. When chained with the authentication bypass (CVE-2023-42770), it lets an unauthenticated attacker run arbitrary commands with root privileges. If user authentication is explicitly disabled, commands are executed with the highest privileges without any bypass being needed.
## Exploitation
- Status: No proof of concept (PoC) is cited in this summary; the researchers' disclosure implies one exists and that the chain is exploitable.
- Complexity: Likely Low, as the chain requires only unauthenticated network access to the port and combines two related application-logic flaws.
- Attack Vector: Network (Remote access to TCP port 1594 is sufficient).
## Impact
- Confidentiality: High (Root execution allows reading critical data).
- Integrity: High (Root execution allows modification of system states and processes).
- Availability: High (Root execution allows complete system disruption or shutdown).
## Remediation
### Patches
Users are advised to apply the patches released by the vendor. The vendor and CISA advisories listed under References are expected to give the specific fixed firmware versions for each affected product.
### Workarounds
1. **Enable User Authentication:** Ensure user authentication (UDR-A) is enabled on the Red Lion RTU. Note that this alone does not stop the TCP-side bypass (CVE-2023-42770), so it should be combined with the network control below.
2. **Network Segmentation/Access Control:** Block TCP access to port 1594 on the affected RTUs from anything other than authorized hosts where possible (e.g., using firewalls or access control lists).
## Detection
- Indicators of Compromise: Unauthorized outbound network traffic or unusual command execution logs originating from the RTU management interface.
- Detection methods and tools: Monitor network traffic directed at TCP port 1594 on Red Lion RTUs for anomalous, unauthenticated sessions, since the protocol only challenges for authentication over UDP. Use network monitoring tools configured to track ICS protocol anomalies.
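The detection point above, worked into a small script as an added example (not code from the advisory, CISA, or the research report): it scans flow-log lines and flags TCP/1594 sessions to RTU hosts from non-allowlisted sources, while leaving UDP/1594 alone. The log format, RTU subnet, and allowlisted engineering host are constructed assumptions.

```python
# Added example (not from the advisory or research report): flag TCP sessions
# to the Sixnet UDR port on RTU hosts. UDR only issues its authentication
# challenge over UDP/1594, so a TCP/1594 session reaching an RTU from an
# unexpected source is the pattern to alert on. All values below are assumed.
from collections import namedtuple
from ipaddress import ip_address, ip_network

UDR_PORT = 1594
RTU_NETWORKS = [ip_network("10.10.50.0/24")]       # assumed RTU subnet
ALLOWED_TCP_SOURCES = {ip_address("10.10.1.20")}   # assumed engineering host

Flow = namedtuple("Flow", "ts src sport dst dport proto")

def parse_flow(line):
    """Parse 'ts src sport dst dport proto' (constructed flow-log format)."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto.lower())

def is_rtu(addr):
    a = ip_address(addr)
    return any(a in net for net in RTU_NETWORKS)

def classify(flow):
    """Finding for TCP/1594 to an RTU from a non-allowlisted source, else None.
    UDP/1594, the path that is challenged for authentication, is not flagged."""
    if flow.dport != UDR_PORT or flow.proto != "tcp" or not is_rtu(flow.dst):
        return None
    if ip_address(flow.src) in ALLOWED_TCP_SOURCES:
        return None
    return (f"{flow.ts} TCP/{UDR_PORT} to RTU {flow.dst} from {flow.src}: "
            "unauthenticated UDR path (see CVE-2023-42770)")

def scan(lines):
    """Run classify() over raw log lines and return the non-empty findings."""
    return [f for f in (classify(parse_flow(l)) for l in lines if l.strip()) if f]

# Constructed sample: UDP session, allowlisted TCP session, rogue TCP session,
# and unrelated TCP/443 traffic to the same RTU.
SAMPLE_LOG = [
    "2023-11-16T10:00:01 10.10.1.20 51000 10.10.50.7 1594 udp",
    "2023-11-16T10:00:05 10.10.1.20 51002 10.10.50.7 1594 tcp",
    "2023-11-16T10:01:30 192.0.2.44 40512 10.10.50.7 1594 tcp",
    "2023-11-16T10:02:00 192.0.2.44 40513 10.10.50.7 443 tcp",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the third sample line is reported; in a real deployment the allowlist should be the set of engineering hosts that legitimately speak UDR to the RTUs.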
## References
- Vendor Advisory (HMS Networks/Red Lion): hxxps://support.hms-networks.com/hc/en-us/articles/27220859291922-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
- CISA ICS Advisory: hxxps://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01
- Research Report: hxxps://claroty.com/team82/research/roaring-access-exploiting-a-pre-auth-root-rce-on-sixnet-rtus