Red Lion’s DA50A and DA70A products running Crimson 3.2 software prior to version 3.2.0051 contain a vulnerability whereby authorized users with Edit Configuration privileges can download to the device an updated configuration that contains a new set of user definitions, thereby elevating their own rights to those of an administrator. Customers who use Crimson’s security manager to segregate users into classes with different access rights should update their software to prevent this privilege escalation. Customers who use only a single administrative account, and who have no accounts with Edit Configuration privileges, are not impacted.
CVSS v3.1 Base Vulnerability Score
The estimated score for this vulnerability is 8.0 (HIGH) with a vector of:
Depending on how the device is installed, the above score can be adjusted using the CVSS environmental metrics. For example, in an installation that does not expose the device to such remote access, the Modified Attack Vector (MAV) metric could be applied, resulting in a lower score. Similarly, the Modified Scope (MS) metric could be applied if there are no other components, or if data cannot be written to those components, again resulting in a lower score.
Hardware Products Affected
All Red Lion part numbers starting with DA50A and DA70A, and any similar devices converted to A models.
Software Versions Affected
Crimson 3.2.0050 and earlier.
The abstract provides a sufficient description of the vulnerability.
It is recommended to update the device firmware to that included with Crimson 3.2 version 3.2.0051 or later. This update can be downloaded from https://www.redlion.net/support/software-firmware/red-lion-software/crimson or obtained by using the Check for Updates command within the Crimson 3.2 configuration tool.
Until the update is applied, users with Edit Configuration privileges should have their access to the affected device revoked. If they need to update the configuration of the device in the meantime, they should be required to seek authorization from a user with administrative access.