OTPulse

Red Lion Crimson

CVSS: 7.5
ICS-CERT: ICSA-22-321-01
Published: Nov 17, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Red Lion Crimson 3.0, 3.1, and 3.2 (below patched versions) are vulnerable to a path traversal issue (CWE-22) that allows an attacker to extract user credential hashes if a user opens a malicious file. The vulnerability does not allow remote code execution and requires user interaction. Credential hashes could be cracked offline to gain unauthorized access to engineering workstations or remote systems. Red Lion has released patches for all affected versions.

What this means
What could happen
An attacker could extract user credential hashes from the Crimson HMI application, potentially allowing unauthorized access to engineering workstations or remote access systems if the hashes are cracked offline.
Who's at risk
Water and electric utilities running Red Lion Crimson HMI software for SCADA or process monitoring systems should prioritize this. Specifically, any organization using Crimson 3.0, 3.1, or 3.2 to display or control industrial processes is at risk if users have access to open files from untrusted sources.
How it could be exploited
An attacker must trick a user into opening a malicious file; the path traversal (CWE-22) is triggered when Crimson processes that file. Once opened, the vulnerability allows the attacker to read files containing credential hashes. This requires social engineering or compromised file delivery—it cannot be exploited purely from the network.
Prerequisites
  • User interaction required to open a malicious file from an untrusted source
  • The file must be processed by Crimson on a system where it can reach credential storage
  • Access to the local file system where Crimson stores credential hashes
  • No authentication required to trigger the vulnerability once a file is opened
  • Low complexity exploit if a user can be socially engineered
  • Affects credentials for engineering workstations, a common lateral movement target
  • No patch available for older versions (3.0, 3.1, 3.2 below the specified thresholds)
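The defect class behind this advisory is a loader that trusts a file name embedded in an untrusted document and lets it reach files outside the directory the application meant to serve. The following is an added illustration of that pattern and its fix, not Red Lion's code: the file layout, the names naive_resolve and safe_resolve, and the document structure are all assumed for the example.

```python
"""
Added illustration of the CWE-22 class described in the advisory: a document
that names files for the application to load must not be allowed to reach
files outside the directory the application intends to serve. This is not
Red Lion's code; the file layout, names and helper functions are assumed.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_resolve(base_dir: str, referenced: str) -> str:
    """Vulnerable pattern: trusting the name found inside the document.

    os.path.join follows '..' segments (and discards base_dir entirely if
    'referenced' is absolute), so a crafted document can point the loader
    at any file the current user can read.
    """
    return os.path.normpath(os.path.join(base_dir, referenced))


def safe_resolve(base_dir: str, referenced: str) -> Optional[str]:
    """Hardened pattern: resolve, then require containment in base_dir.

    Returns the absolute path when it stays under base_dir, else None.
    Resolving both sides first also defeats symlink-based escapes.
    """
    root = Path(base_dir).resolve()
    # Absolute references are never acceptable inside an untrusted document.
    if Path(referenced).is_absolute():
        return None
    candidate = (root / referenced).resolve()
    if os.path.commonpath([str(root), str(candidate)]) != str(root):
        return None
    return str(candidate)


def demo() -> dict:
    """Builds a constructed directory layout and records what each resolver does."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        project.mkdir()
        (project / "screen.bin").write_bytes(b"\x00")
        # Stand-in for credential material the document must never reach
        # (constructed content, not a real hash store).
        secret = Path(tmp) / "outside" / "users.db"
        secret.parent.mkdir()
        secret.write_text("constructed placeholder")

        hostile = "../outside/users.db"   # traversal reference in a crafted document
        benign = "screen.bin"             # legitimate in-project reference
        return {
            "naive_escapes": naive_resolve(str(project), hostile)
            == os.path.normpath(str(secret)),
            "safe_rejects": safe_resolve(str(project), hostile) is None,
            "safe_allows_benign": safe_resolve(str(project), benign)
            == str((project / benign).resolve()),
            "safe_rejects_absolute": safe_resolve(str(project), str(secret)) is None,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The containment check belongs in the loader itself, not in a wrapper around it: every place the application turns a name from the document into an open() call is a separate instance of the same bug.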
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
3 with fix
Product        Affected Versions   Fix Status
Crimson 3.0    ≤ 707.000           711.00
Crimson 3.1    ≤ 3126.00           3126.02
Crimson 3.2    ≤ 3.2.0044          3.0045
Remediation & Mitigation
Do now
WORKAROUND: Educate operators and engineers to avoid opening files from external sources unless verified as coming from a trusted source
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Crimson 3.0 to version 711.00 or later
HOTFIX: Update Crimson 3.1 to version 3126.02 or later
HOTFIX: Update Crimson 3.2 to version 3.0045 or later
Long-term hardening
HARDENING: Implement file transfer controls and validation procedures to prevent execution of untrusted files on Crimson workstations
HARDENING: Isolate Crimson HMI workstations on a secure engineering network and restrict file transfer from external or business networks