OTPulse
FeedAboutContact

Red Lion Crimson

Plan Patch8.8ICS-CERT ICSA-23-306-01Nov 2, 2023
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Red Lion Crimson versions 3.2.0053.18 and earlier contain a vulnerability that truncates passwords configured in the tool when those passwords contain the percent (%) character. This results in weaker credentials than intended, potentially allowing unauthorized access to configured devices. The issue affects the Crimson configuration tool itself, which manages and deploys settings to multiple field devices.

What this means
What could happen
An attacker who gains access to the Crimson configuration tool could truncate passwords to weaker values, potentially allowing unauthorized access to configured devices and alteration of control system setpoints or operations.
Who's at risk
Organizations using Red Lion Crimson configuration tool to manage industrial devices, including water and electric utilities, manufacturing facilities, and any operation relying on remote configuration and password management for control devices.
How it could be exploited
An attacker with access to the Crimson configuration tool (or someone using the tool) could configure passwords containing the percent character (%). The tool would truncate these passwords, creating credentials weaker than intended. An attacker who knows the truncated version could then use those credentials to access and modify configured devices.
Prerequisites
  • Access to the Crimson configuration tool
  • Knowledge that passwords were configured with the percent (%) character
  • Crimson version 3.2.0053.18 or earlier
Password truncation weaknessAffects configuration tool with system-wide reachHigh CVSS score (8.8)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Crimson: <=3.2.0053.18≤ 3.2.0053.183.2.0063 or later
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDFor versions 3.2.0053.18 and below, avoid using the percent (%) character in configured passwords
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Crimson configuration tool to version 3.2.0063 or later
HARDENINGReview all existing passwords configured in Crimson version 3.2.0053.18 or below; if any contain the percent character, regenerate them using the updated version
Long-term hardening
0/1
HARDENINGRestrict network access to the Crimson configuration tool and devices it manages to trusted engineering networks only
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/78c04e3d-27f3-4889-8c1e-33d63fda34b0
Red Lion Crimson | CVSS 8.8 - OTPulse