Security Advisory RLCSIM-2023-04
Improper Processing of Special Character
Product and Version
FlexEdge Gateway DA50A and DA70A
Crimson 3.2.0053.18 or below
Incidents Covered
RLCSIM-2023-04 – Improper Neutralization of Special Character
Abstract and Severity
Passwords configured via the Windows-based Crimson configuration tool and downloaded to a FlexEdge device may be truncated if a percent sign is included, thereby creating weaker than intended credentials.
The vulnerability score is estimated at 8.8 for a rating of HIGH.
For More Information
The Red Lion Security Team can be reached at security-team@redlion.net. For more information on current threats and what we are doing to keep our products and software secure, please visit the link below.
https://support.redlion.net/hc/en-us/categories/360002087671-Security-Advisories
CVSS v3.1 Vulnerability Score
The vulnerability score, estimated using the calculator linked below, is 8.8 for a rating of HIGH.
The vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
The above represents a worst-case assessment, and the exact score for a particular installation will depend upon the device configuration. For example, the Attack Vector element might be set to something other than Network in an installation that does not support remote download access. Similarly, a modified Scope element might be used if the configuration does not support writing data to other devices.
Hardware Products Affected
FlexEdge Gateway, DA50A and DA70A.
Software Versions Affected
Crimson version 3.2.0053.18 or below.
Vulnerability Details
CWE-158: Improper Neutralization of Null Byte or NUL Character
The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability.
Solution and Mitigation
The recommended solution is to update the Crimson configuration tool to version 3.2.0063 or later by using the automatic update feature or visiting the site linked below. In the meantime, any device to which a security configuration has been downloaded by an earlier version of the software should be assessed by logging on with each account to confirm that its password has not been truncated. On versions 3.2.0053.18 or below, existing and newly created accounts should not use the percent (%) character in the configured password.
https://www.redlion.net/node/16883
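The following audit helper is an added example, not Red Lion code, covering the failure mode in Vulnerability Details and the interim check in Solution and Mitigation: it flags every account whose configured password contains '%' before the configuration is downloaded. The advisory states only that '%' introduces "invalid values" and may truncate at a NUL; the decoding model used here (treat "%XX" as a hex escape and cut at the first NUL) is an assumption for illustration, not documented Crimson behaviour, and all account names and passwords are constructed sample data.

```python
"""Pre-download audit of Crimson password entries (added example, not Red Lion code)."""
import re
from dataclasses import dataclass

# ASSUMED model of the defect: "%XX" is expanded as a hex escape. The advisory
# does not document the exact mechanism; only "%" triggers the problem.
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


@dataclass
class AuditResult:
    account: str
    contains_percent: bool    # the page-supported rule: any '%' needs review
    effective_password: str   # what the device may store under the assumed model
    truncated: bool


def model_effective_password(password: str) -> str:
    """Hypothetical model: expand %XX escapes, then stop at the first NUL.

    A '%' not followed by two hex digits is left unchanged here; that, too,
    is an assumption rather than documented tool behaviour.
    """
    decoded = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), password)
    nul = decoded.find("\x00")
    return decoded if nul < 0 else decoded[:nul]


def audit_password(account: str, password: str) -> AuditResult:
    effective = model_effective_password(password)
    return AuditResult(
        account=account,
        contains_percent="%" in password,
        effective_password=effective,
        truncated=len(effective) < len(password),
    )


def accounts_needing_review(entries: dict[str, str]) -> list[str]:
    """Accounts whose password contains '%' (the advisory's mitigation rule)."""
    return [a for a, p in entries.items() if audit_password(a, p).contains_percent]


# Constructed sample entries; not real credentials.
SAMPLE_ENTRIES = {
    "operator": "Plant-2023!",
    "engineer": "Str0ng%00Secret",   # modelled as truncated to "Str0ng"
    "admin": "Top%Secret",           # '%' present, so still flagged for review
}

if __name__ == "__main__":
    for acct in accounts_needing_review(SAMPLE_ENTRIES):
        r = audit_password(acct, SAMPLE_ENTRIES[acct])
        print(f"{acct}: contains '%'; verify by logging on (modelled: {r.effective_password!r})")
```

Run it against the password list an administrator intends to download; any account it lists should be verified on the device by logging on, as the advisory recommends.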
Acknowledgements
Thank you to Alexander Ratelle of Hepburn Engineering Inc. for reporting this issue.
Thank you to CISA for their efforts in coordinating this response.