ICSA-23-320-01  ·  Published 2023-11-16  ·  Source: CISA ICS-CERT

Red Lion Sixnet RTUs

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to execute commands with high privileges.

Remediations

  • Red Lion recommends users apply the latest patches to their products.
  • Red Lion recommends users apply additional mitigations to help reduce the risk:
      • Enable user authentication; see Red Lion's instructions.
      • Blocking all or most Sixnet UDR messages over TCP/IP eliminates the authentication bypass, because Sixnet UDR messages arriving over TCP/IP are then ignored.
      • To block all Sixnet UDR messages over TCP/IP, install Patch1_tcp_udr_all_blocked.tar.gz:
          • ST-IPm-8460: install 8313_patch1_tcp_udr_all_blocked.tar.gz
          • ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D: install 855_patch1_tcp_udr_all_blocked.tar.gz
      • To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP, install Patch2_io_open.tar.gz:
          • ST-IPm-8460: install 8313_patch2_io_open.tar.gz
          • ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D: install 855_patch2_io_open.tar.gz
      • To block all Sixnet UDR messages over TCP/IP with firewall rules:
          • Enable iptables rules to block the TCP/IP traffic.
          • In the Sixnet I/O Tool Kit go to Configuration > Configuration Station/Module > "Ports" tab > Security.
          • Select the "Load this file with each station load" radio button to load a custom rc.firewall configuration file. The rules below allow all other traffic and drop only Sixnet UDR over TCP/IP. Note: two rules that are present in the default rc.firewall file were removed because they block all traffic going into the interface.
          • Remove these rules from the default rc.firewall file:
              • iptables -P INPUT DROP (drops everything coming in)
              • iptables -P FORWARD DROP (drops everything in the FORWARD chain)
          • Add one DROP rule that drops all TCP/IP packets arriving on UDR port 1594 by entering the following commands:
              • insmod ip_tables (initialization)
              • insmod iptable_filter (initialization)
              • insmod ip_conntrack (initialization)
              • insmod iptable_nat (initialization)
              • iptables -F INPUT (flushes the INPUT chain)
              • iptables -F OUTPUT (flushes the OUTPUT chain)
              • iptables -F FORWARD (flushes the FORWARD chain)
              • iptables -Z (zeroes the counters)
              • iptables -P OUTPUT ACCEPT (accepts everything going out)
              • iptables -A INPUT -p tcp --dport 1594 -j DROP (leaves other traffic alone and drops all TCP traffic destined for UDR port 1594)
          • For installation instructions see Red Lion's support page.
      • For more information, please refer to Red Lion's security bulletin.
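Before pushing a custom rc.firewall to an RTU through the I/O Tool Kit, it is worth confirming that the file really drops the two default DROP policies (which would lock out all inbound traffic) and contains the port 1594 rule. The shell script below is an added example, not part of the advisory or of Red Lion's tooling; the function name check_rc_firewall and the two sample files are constructed for illustration, and the check inspects the file text only without running iptables.

```shell
#!/bin/sh
# Added example (not from the advisory or Red Lion): lint a candidate rc.firewall
# before loading it onto an RTU. Two checks, both taken from the advisory:
#  1. "iptables -P INPUT DROP" / "iptables -P FORWARD DROP" must be absent
#     (they block all traffic going into the interface);
#  2. a rule dropping TCP traffic to UDR port 1594 must be present.
# check_rc_firewall FILE -> prints findings; returns 0 if OK, 1 otherwise.
check_rc_firewall() {
    f="$1"
    rc=0
    if grep -Eq '^[[:space:]]*iptables[[:space:]]+-P[[:space:]]+(INPUT|FORWARD)[[:space:]]+DROP' "$f"; then
        echo "FAIL: default DROP policy on INPUT/FORWARD still present (blocks all inbound traffic)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*iptables[[:space:]]+-A[[:space:]]+INPUT[[:space:]]+-p[[:space:]]+tcp[[:space:]]+--dport[[:space:]]+1594[[:space:]]+-j[[:space:]]+DROP' "$f"; then
        echo "FAIL: no rule dropping TCP traffic to UDR port 1594"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f drops Sixnet UDR over TCP and leaves other traffic open"
    return "$rc"
}

# Constructed sample 1: the rc.firewall the advisory describes (should pass).
GOOD_RC=$(mktemp)
cat > "$GOOD_RC" <<'EOF'
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp --dport 1594 -j DROP
EOF

# Constructed sample 2: default policies left in and no UDR rule (should fail).
BAD_RC=$(mktemp)
cat > "$BAD_RC" <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF

check_rc_firewall "$GOOD_RC"
check_rc_firewall "$BAD_RC" || true
```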

Affected Vendors

Red Lion

Affected Products (6)

Red Lion · ST-IPm-8460 >=6.0.202
Red Lion · ST-IPm-6350 >=4.9.114
Red Lion · VT-mIPm-135-D >=4.9.114
Red Lion · VT-mIPm-245-D >=4.9.114
Red Lion · VT-IPm2m-213-D >=4.9.114
Red Lion · VT-IPm2m-113-D >=4.9.114

Affected Sectors

Critical Manufacturing
