Red Lion Controls Crimson
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-19-248-01 · Sep 5, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Red Lion Controls Crimson versions 3.0 and earlier contain multiple memory safety vulnerabilities (CWE-416 use-after-free, CWE-119 buffer overflow, CWE-824 access of uninitialized pointer, CWE-321 hardcoded cryptographic key). These allow local code execution with high impact on confidentiality, integrity, and availability. The hardcoded key vulnerability (CVE-2019-10990) specifically affects the database protection mechanism, which is not designed as a cryptographically secure method of protection. Exploitation requires local access and user interaction (opening an unsolicited file).
What this means
What could happen
An attacker with local access to a Crimson workstation could execute arbitrary code with the privileges of the logged-in user, potentially altering HMI configurations, process parameters, or operator credentials. Database files can be decrypted using hardcoded keys, exposing engineering configurations and sensitive operational data.
Who's at risk
Organizations using Red Lion Controls Crimson HMI/SCADA engineering software on Windows workstations should prioritize this—Crimson is widely deployed in water, electric, oil/gas, and manufacturing plants as the primary visualization and control interface. Plant engineers, system integrators, and operators who use Crimson for configuration and monitoring are at risk if workstations are not patched.
How it could be exploited
An attacker crafts a malicious file or email attachment and tricks an authorized operator into opening it on a workstation running Crimson 3.0 or earlier. The memory safety vulnerability is triggered, allowing code execution. Alternatively, an attacker with local file system access could extract encrypted Crimson database files and decrypt them using the hardcoded cryptographic keys embedded in the software.
Prerequisites
- Local access to the workstation running Crimson
- Ability to get an authorized user to open a crafted file or attachment
- OR read access to encrypted Crimson database files on disk
- Local code execution possible
- Hardcoded cryptographic keys
- User interaction required but plausible (file/email attachment)
- Low complexity exploitation
- Affects engineering workstations and control logic
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2), 2 with fix
Product    Affected Versions          Fix Status
Crimson    ≤ 3.0                      3.1 release 3112.00 or later
Crimson    < 3.1 release 3112.00      3.1 release 3112.00 or later
Remediation & Mitigation
Do now
- HARDENING: Restrict system access to Crimson workstations to authorized engineering and operations personnel only; apply least privilege access controls
- WORKAROUND: Train operators and engineers on email security: do not click links or open unsolicited attachments in email messages
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade Crimson to version 3.1 release 3112.00 or later
- HARDENING: Implement endpoint protection (antivirus/EDR) on Crimson workstations to detect malicious code execution
- WORKAROUND: When upgrading to Crimson 3.1 release 3112.00, review the updated user manual guidance on database protection limitations and plan for the optional second file access password feature in the September 2019 release
Long-term hardening
- HARDENING: Segment Crimson engineering workstations from untrusted networks using firewall rules; limit inbound access to known management consoles only