Abstract: Response for ICS-CERT Security Notice
This document will help explain the necessary steps to resolve security issues discussed in the recent ICS-CERT advisory ICSA-19-248-01.
Crimson Versions Affected:
Crimson 3.0 and 3.1 (Windows Configuration Software)
Vulnerability 1: Database Tampering
Some parts of the Crimson database files are vulnerable to being tampered with. There are two recommendations to solve this issue.
- Upgrade Crimson to Crimson 3.1 version 3112.00 or later. Crimson 3.1 version 3112.00 or later will not open databases that have been tampered with.
- Restrict system access to databases for trusted users only.
Vulnerability 2: Hardcoded passwords
Databases that have been password protected have those passwords stored in the database as hardcoded passwords. There are two recommendations to solve this issue.
- The user manual in Crimson 3.1 version 3112.00 explains that database passwords are not intended to keep databases cryptographically secure. Instead, they are intended to manage user access.
- In a future version of Crimson 3.1 a second password will be available. When in use the database will be encrypted. That second password will be required to open the database.
It is important to note that the hardcoded password is only evaluated in the Windows client (Crimson) to control access levels for viewing and editing a configuration (database) file, independently of the target device. The target device itself does not use the hardcoded password and at no point is the hardcoded password used for the operation of the device’s runtime activity.
Vulnerability 3: Vulnerabilities in Crimson 3.0
There is no plan for Red Lion Controls to address the vulnerabilities reported in Crimson 3.0. Customers are encouraged to migrate to Crimson 3.1 where the model choice allows.
Red Lion recognizes the efforts of Trend Micro Zero Day Initiative/Trend Micro Research to drive security standardization.