This bulletin describes a vulnerability present in Red Lion’s DA50A and DA70A modular gateways when running Crimson 3.2 version 3.2.0030 or earlier. When combined with an incorrectly configured firewall, the vulnerability allows an attacker to create arbitrary connections from the subject device to hosts on both internal and external networks. This may allow unauthorized access to connected devices, or the use of the device for malicious and bandwidth-consuming activities such as the sending of unsolicited commercial email. Customers using impacted devices should immediately apply the mitigation steps described below and should upgrade their Crimson 3.2 software to the latest version as soon as possible.
CVSS v3.1 Base Vulnerability Score
This vulnerability has a CVSS score of 8.3 with a resulting severity assignment of HIGH.
The associated CVSS vector is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Note that this analysis is based upon a typical installation of the impacted products. Since the vulnerability may allow access to connected devices, it is possible that greater Confidentiality, Integrity or Availability impacts will be encountered depending on the nature and configuration of those devices. In such circumstances, the CVSS score may rise to 9.9 with a resulting severity assignment of CRITICAL.
All Red Lion part numbers starting with DA50A and DA70A, and any similar devices converted to A models.
All such devices running Crimson 3.2 version 3.2.0030 or earlier.
The subject devices contain several obsolete user accounts with trivial, fixed passwords that are not specific to the device. These accounts can be used to access the SSH port forwarding facility if the SSH port is reachable by the attacker. While SSH shell access cannot be obtained, port forwarding may be used by an attacker to convert a vulnerable device into a proxy server that may subsequently be used to route traffic to other Internet hosts. This traffic will impair system performance and, in the case of cellular connections, may incur excess data charges. Further, attempts by an attacker to use the device as a relay for spam or phishing emails may result in the device’s IP address being blacklisted or its Internet service canceled. An attacker with knowledge of the network on which the device is installed may use port forwarding to access arbitrary ports on the device itself or on connected devices.
This exploit has already been used by attackers. In one typical case, the subject device was connected to the Internet via a cellular connection using a static, public IP address, with its firewall configured against best practice to permit SSH sessions from untrusted interfaces. This allowed the attacker to perform a dictionary attack on the SSH service and to compromise one of the obsolete user accounts. This in turn allowed the use of the subject device as an Internet-facing proxy for the transmission of what appeared to be unsolicited email, with noticeable impacts on device performance and significant excess cellular data charges.
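The incident above follows a recognisable pattern in the SSH server's authentication log: a burst of failed password attempts from one source address followed by an accepted login from that same address. The detection below is an added example, not part of the Red Lion bulletin, and assumes the gateway logs authentication results in OpenSSH syslog format; the log lines and the account name are constructed for illustration.

```python
"""Flag successful SSH logins that follow a dictionary attack from the same source.

Assumptions (not from the bulletin): the device's SSH daemon writes
OpenSSH-style syslog lines; SAMPLE_LOG is constructed test data using
the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, ip) for an auth line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m["result"], m["user"], m["ip"]


def find_compromises(lines, threshold=5, window_s=600):
    """Return (ip, user, failure_count) for every accepted login whose source
    produced at least `threshold` failures within the preceding `window_s`."""
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            hits.append((ip, user, len(recent)))
    return hits


SAMPLE_LOG = [  # constructed: six guesses, then success, from one attacker address
    f"Jan 12 03:14:{i:02d} gw sshd[4{i:02d}]: Failed password for invalid user {u} "
    f"from 203.0.113.5 port 5{i:04d} ssh2"
    for i, u in enumerate(["admin", "root", "user", "guest", "test", "support"])
] + [
    "Jan 12 03:15:01 gw sshd[4410]: Accepted password for placeholder_user from 203.0.113.5 port 50410 ssh2",
    "Jan 12 07:00:00 gw sshd[5001]: Failed password for operator from 198.51.100.7 port 40001 ssh2",
    "Jan 12 07:00:09 gw sshd[5002]: Accepted password for operator from 198.51.100.7 port 40002 ssh2",
]

if __name__ == "__main__":
    for ip, user, n in find_compromises(SAMPLE_LOG):
        print(f"possible compromise: {user}@{ip} after {n} failed attempts")
```

The single mistyped password from 198.51.100.7 stays below the threshold and is not reported; only the burst from 203.0.113.5 is.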
- Ensure that all Internet-facing interfaces are configured as Untrusted. Each interface on a Crimson 3.2 device may be configured as Trusted or Untrusted, with the former setting disabling the default firewall protection for that interface. If an attacker can access a Trusted interface, they will be able to mount an attack on the device’s SSH server. This will at best result in excess bandwidth usage as the attacker runs through various well-known credentials and will at worst result in the compromise of one of the obsolete accounts noted above. This risk is most significant for cellular interfaces with static, public IP addresses, as attackers constantly scan the IP ranges allocated by cellular carriers, searching for potential targets.
Each interface’s trust status is configured via the appropriate page in the System Configuration:
- Ensure that SSH traffic is not permitted through Untrusted interfaces. Interfaces that are configured as Untrusted will block most network traffic except that necessary to establish VPN tunnels, but this behavior can be modified via the Untrusted Traffic section of the System Configuration. It is critical that SSH traffic is not enabled via this mechanism unless a whitelist is used to limit the source of such connections.
The picture below shows the correct setting for SSH within the Untrusted Traffic configuration:
For information on whitelists, refer to the Crimson 3.2 documentation.
- Ensure that any updated devices are rebooted after being reconfigured. While the changes described above will prevent future attacks, they will not block existing SSH sessions that may have already been established by an attacker. Devices to which these mitigation steps have been applied must thus be rebooted via the Force Reboot command on the System Information page. This page can be accessed by clicking on the serial number in the system webserver, or via the System Info button on the home page.
The mitigation steps described above will prevent attacks via Internet-facing interfaces, but the subject devices will still remain vulnerable to exploits from within a trusted network. The recommended solution is thus to update the device firmware to that included with Crimson 3.2 version 3.2.031 or later. This update can be downloaded from https://www.redlion.net/support/software-firmware/red-lion-software/crimson or by using the Check for Updates command within the configuration tool. The update disables the obsolete user accounts and the use of SSH port forwarding, thereby removing the underlying vulnerability. Note that the installation of this update does not lessen the need for the mitigation steps defined above. Preventing access to the SSH port from the Internet via appropriate firewall settings is still necessary in order to maintain system security.