Product and Version
SixTRAK and VersaTRAK RTUs ST-IPm-8460, ST-IPm-6350, VT-mIPm-135-D, VT-IPm2m-213-D, VT-IPm2m-113-D
Firmware version 6.0.202 and above and 4.9.114 and above
Incidents Covered
- RLCSIM-2023-05a – Sixnet Universal Protocol – Authentication Bypass
- RLCSIM-2023-05b – Sixnet Universal Protocol – Privileged Remote Code Execution
Abstract and Severity
Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) challenge Sixnet UDR messages received over UDP/IP, but accept any Sixnet UDR message received over TCP/IP with no authentication challenge. Sixnet UDR also supports Linux shell command execution; when user authentication is not enabled, or is bypassed over TCP/IP, that shell executes commands with the highest privileges.
The vulnerability score is estimated at 10.0 (CVSS v3.1), a rating of CRITICAL.
For More Information
The Red Lion Security Team can be reached at security-team@redlion.net. For more information on current threats and what we are doing to keep our products and software secure, please visit the link below.
https://support.redlion.net/hc/en-us/categories/360002087671-Security-Advisories
Security Advisory RLCSIM-2023-05a
Sixnet Universal Protocol – Authentication Bypass
CVSS v3.1 Vulnerability Score
The vulnerability score is estimated using the calculator linked below at 10.0, a rating of CRITICAL.
The vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Depending on how the device is installed, the above score can be adjusted using the environmental metrics. For example, the Modified Attack Vector could be set to something other than Network in an installation that does not allow remote access, resulting in a lower score. Similarly, the Modified Scope can be changed when writing data to other components of the control system is not possible or would have no significant impact.
Hardware Products Affected
SixTRAK and VersaTRAK RTUs ST-IPm-8460, ST-IPm-6350, VT-mIPm-135-D, VT-IPm2m-213-D, VT-IPm2m-113-D
Software Versions Affected
Firmware version 6.0.202 and above (Supported in ST-IPm-8460)
Firmware version 4.9.114 and above (Supported in ST-IPm-6350, VT-mIPm-245-D, VT-mIPm-135-D, VT-IPm2m-213-D, VT-IPm2m-113-D)
Vulnerability Details
CWE-288: Authentication Bypass using an Alternative Path or Channel
CVE-2023-42770
On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message received over UDP/IP meets an authentication challenge. When the same message is received over TCP/IP, the RTU simply accepts it with no authentication challenge.
In some cases, blocking every message may not be desired, for example when transferring I/O messages between a Red Lion RTU and another embedded device, or between the Red Lion RTU and a SCADA system. In that case management and undocumented commands are blocked or authenticated while I/O messages remain available.
Solution and Mitigation
Blocking all or most Sixnet UDR messages over TCP/IP eliminates the authentication bypass: blocked Sixnet UDR messages over TCP/IP are ignored by the RTU.
Method 1 for blocking all Sixnet UDR messages over TCP/IP
To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.
ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz
ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz
For installation instructions see:
Download the patches here:
Method 2 for blocking all but the I/O commands
To block all Sixnet UDR messages except I/O commands over TCP/IP install Patch2_io_open.tar.gz.
ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz
ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz
For installation instructions see:
Download the patches here:
Method 3 for blocking all Sixnet UDR messages over TCP/IP
Load iptables rules on the RTU that drop Sixnet UDR traffic arriving over TCP/IP (TCP port 1594).
- In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>"Ports" tab>Security.
- Select the "Load this file with each station load" radio button to load a custom rc.firewall configuration file. The rules below allow all other traffic and drop only Sixnet UDR over TCP/IP. Please note: two rules that are present in the default rc.firewall file were removed, because they block all traffic coming into the interface:
    # Drop everything coming in
    iptables -P INPUT DROP
    # Drop everything in FORWARD chain
    iptables -P FORWARD DROP
  Remove these rules from the default rc.firewall file.
- Add one DROP rule which drops every TCP/IP packet arriving on UDR port 1594:
    #!/bin/sh
    # Initialization
    insmod ip_tables
    insmod iptable_filter
    insmod ip_conntrack
    insmod iptable_nat
    # Flush INPUT chain
    iptables -F INPUT
    # Flush OUTPUT chain
    iptables -F OUTPUT
    # Flush FORWARD chain
    iptables -F FORWARD
    # Zero counters
    iptables -Z
    # Drop everything coming in (default rule removed, see above)
    # Drop everything in FORWARD chain (default rule removed, see above)
    # Accept everything going out
    iptables -P OUTPUT ACCEPT
    # Allow local traffic (no rule needed while the INPUT policy stays ACCEPT)
    # Block all TCP traffic coming in on port 1594
    iptables -A INPUT -p tcp --dport 1594 -j DROP
  Example rc.firewall rules blocking Sixnet UDR over TCP/IP.
Note that with the two default rules removed the INPUT and FORWARD policies fall back to the iptables default of ACCEPT, so this file is more permissive than the stock rc.firewall everywhere except TCP port 1594. It also does not touch UDP port 1594: Sixnet UDR over UDP/IP still reaches the RTU and relies on the UDR-A authentication challenge.
Acknowledgements
Thank you to Nitsan Litov of Claroty Research - Team82 for reporting this issue.
Thank you to CISA for their efforts in coordinating this response.
Security Advisory RLCSIM-2023-05b
Sixnet Universal Protocol – Privileged Remote Code Execution
CVSS v3.1 Vulnerability Score
The vulnerability score is estimated using the calculator linked below at 10.0, a rating of CRITICAL.
The vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Depending on how the device is installed, the above score can be adjusted using the environmental metrics. For example, the Modified Attack Vector could be set to something other than Network in an installation that does not allow remote access, resulting in a lower score. Similarly, the Modified Scope can be changed when writing data to other components of the control system is not possible or would have no significant impact.
Hardware Products Affected
SixTRAK and VersaTRAK RTUs ST-IPm-8460, ST-IPm-6350, VT-mIPm-135-D, VT-IPm2m-213-D, VT-IPm2m-113-D
Software Versions Affected
Firmware version 6.0.202 and above (Supported in ST-IPm-8460)
Firmware version 4.9.114 and above (Supported in ST-IPm-6350, VT-mIPm-245-D, VT-mIPm-135-D, VT-IPm2m-213-D, VT-IPm2m-113-D)
Vulnerability Details
CWE-749: Exposed Dangerous Method or Function
CVE-2023-40151
One of the commands supported by Sixnet UDR in the Red Lion SixTRAK and VersaTRAK RTUs is Linux shell command execution. When user authentication is not enabled, that shell executes commands with the highest privileges. On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message received over UDP/IP meets an authentication challenge, but the same message received over TCP/IP is simply accepted with no authentication challenge, so the shell command remains reachable without credentials over TCP/IP.
Solution and Mitigation
A combination of enabling user authentication and blocking Sixnet UDR messages over TCP must be used.
Enable user authentication in the Red Lion RTU and block all or most messages over TCP. With user authentication enabled, privileged remote code execution over UDP/IP is not possible without passing the user authentication challenge. Blocking all or most messages over TCP/IP and UDP/IP blocks access to the RTU's privileged remote commands.
Blocking all or most Sixnet UDR messages over TCP/IP eliminates the authentication bypass: blocked Sixnet UDR messages over TCP/IP are ignored by the RTU.
Method 1 for enabling user authentication
Enable user authentication.
For instructions on enabling user authentication see:
Method 2 for blocking all Sixnet UDR messages over TCP/IP
To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.
ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz
ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz
For patch installation instructions see:
Download the patches here:
Method 3 for blocking all but the I/O commands
To block all Sixnet UDR messages except I/O commands over TCP/IP install Patch2_io_open.tar.gz.
ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz
ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz
For patch installation instructions see:
Download the patches here:
Method 4 for blocking all Sixnet UDR messages over TCP/IP
Load iptables rules on the RTU that drop Sixnet UDR traffic arriving over TCP/IP (TCP port 1594).
- In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>"Ports" tab>Security.
- Select the "Load this file with each station load" radio button to load a custom rc.firewall configuration file. The rules below allow all other traffic and drop only Sixnet UDR over TCP/IP. Please note: two rules that are present in the default rc.firewall file were removed, because they block all traffic coming into the interface:
    # Drop everything coming in
    iptables -P INPUT DROP
    # Drop everything in FORWARD chain
    iptables -P FORWARD DROP
  Remove these rules from the default rc.firewall file.
- Add one DROP rule which drops every TCP/IP packet arriving on UDR port 1594:
    #!/bin/sh
    # Initialization
    insmod ip_tables
    insmod iptable_filter
    insmod ip_conntrack
    insmod iptable_nat
    # Flush INPUT chain
    iptables -F INPUT
    # Flush OUTPUT chain
    iptables -F OUTPUT
    # Flush FORWARD chain
    iptables -F FORWARD
    # Zero counters
    iptables -Z
    # Drop everything coming in (default rule removed, see above)
    # Drop everything in FORWARD chain (default rule removed, see above)
    # Accept everything going out
    iptables -P OUTPUT ACCEPT
    # Allow local traffic (no rule needed while the INPUT policy stays ACCEPT)
    # Block all TCP traffic coming in on port 1594
    iptables -A INPUT -p tcp --dport 1594 -j DROP
  Example rc.firewall rules blocking Sixnet UDR over TCP/IP.
Note that with the two default rules removed the INPUT and FORWARD policies fall back to the iptables default of ACCEPT, so this file is more permissive than the stock rc.firewall everywhere except TCP port 1594. It also does not touch UDP port 1594: Sixnet UDR over UDP/IP still reaches the RTU and relies on the UDR-A authentication challenge. This mitigation only closes the unauthenticated TCP path; user authentication (Method 1) is still required to protect the shell command over UDP/IP.
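The following script is an added example for the iptables mitigation (Method 3 of RLCSIM-2023-05a and Method 4 of RLCSIM-2023-05b); it is not Red Lion's code and is not shipped with the RTU. It generates an rc.firewall in the shape the advisory describes and, more usefully, lints an rc.firewall before it is loaded onto a station: it fails if the two default "-P INPUT DROP" / "-P FORWARD DROP" lines are still present (they block all inbound traffic), fails if the TCP port 1594 DROP rule is missing, and warns if UDP port 1594 is dropped as well (which would also stop authenticated UDR). Port 1594 is taken from the advisory; the file name, function names and check logic are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Red Lion's code): generate and lint an rc.firewall for the
# Sixnet UDR over TCP/IP mitigation. Assumes the UDR port is 1594 as stated in
# RLCSIM-2023-05a/05b; everything else here is this example's own convention.
set -u

UDR_PORT=1594

# Emit an rc.firewall that leaves the INPUT/FORWARD policies at ACCEPT (the two
# "-P ... DROP" lines the advisory says to remove are deliberately absent) and
# drops only Sixnet UDR over TCP. UDP/1594 is untouched so UDR-A still governs it.
gen_rc_firewall() {
    cat <<EOF
#!/bin/sh
# Initialization
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
# Flush chains and zero counters
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -Z
# Accept everything going out
iptables -P OUTPUT ACCEPT
# Block all TCP traffic coming in on the Sixnet UDR port
iptables -A INPUT -p tcp --dport $UDR_PORT -j DROP
EOF
}

# Lint an rc.firewall file before loading it with the Sixnet I/O Tool Kit.
# Returns 0 when the file drops TCP/$UDR_PORT on INPUT and contains neither
# "-P INPUT DROP" nor "-P FORWARD DROP"; prints each finding and returns 1 otherwise.
check_rc_firewall() {
    file=$1
    rc=0
    tcp_drop=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}   # ignore comments
        case "$line" in
            *"-P INPUT DROP"*)
                echo "FAIL: '-P INPUT DROP' present; it blocks all inbound traffic, remove it"
                rc=1 ;;
            *"-P FORWARD DROP"*)
                echo "FAIL: '-P FORWARD DROP' present; remove it"
                rc=1 ;;
            *"-A INPUT"*"-p tcp"*"--dport $UDR_PORT"*"-j DROP"*)
                tcp_drop=1 ;;
            *"-p udp"*"--dport $UDR_PORT"*"-j DROP"*)
                echo "WARN: UDP/$UDR_PORT is dropped too; authenticated UDR over UDP will stop working" ;;
        esac
    done < "$file"
    if [ "$tcp_drop" -eq 0 ]; then
        echo "FAIL: no 'iptables -A INPUT -p tcp --dport $UDR_PORT -j DROP' rule found"
        rc=1
    fi
    return $rc
}

# Stand-alone usage: "gen" prints a fresh rc.firewall, "check FILE" lints one.
case "${1-}" in
    gen)   gen_rc_firewall ;;
    check) check_rc_firewall "$2" ;;
esac
```

Typical use is `sh udr_firewall.sh gen > rc.firewall`, then `sh udr_firewall.sh check rc.firewall` before selecting the file in the Tool Kit. The check is a text lint, not a live test: after the station load, confirm on the RTU with `iptables -L INPUT -n` that the TCP 1594 DROP rule is present, and from a test host confirm that a TCP connection to port 1594 times out rather than being accepted. UDR over UDP/IP is intentionally left reachable, so user authentication (UDR-A) must still be enabled.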
Acknowledgements
Thank you to Nitsan Litov of Claroty Research - Team82 for reporting this issue.
Thank you to CISA for their efforts in coordinating this response.