Red Lion Sixnet RTUs
ICS-CERT ICSA-23-320-01 · Nov 16, 2023 · CVSS 10.0 · Priority: Act Now
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Red Lion Sixnet remote terminal units (RTUs) contain authentication bypass vulnerabilities in the Sixnet UDR protocol handler. Affected products include ST-IPm-8460, ST-IPm-6350, VT-mIPm-135-D, VT-mIPm-245-D, VT-IPm2m-213-D, and VT-IPm2m-113-D. An unauthenticated attacker can exploit these vulnerabilities to execute arbitrary commands with elevated privileges on the device.
What this means
What could happen
An attacker could execute arbitrary commands on your RTU without authentication, potentially altering process setpoints, stopping operations, or disrupting water/power distribution to customers. This affects any networked Sixnet RTU running the vulnerable firmware versions.
Who's at risk
Water authorities and electric utilities operating Red Lion Sixnet RTUs for remote monitoring and control of distribution networks, water pumping stations, and transmission equipment. Any facility using ST-IPm-8460, ST-IPm-6350, VT-mIPm-135-D, VT-mIPm-245-D, VT-IPm2m-213-D, or VT-IPm2m-113-D models running vulnerable firmware versions.
How it could be exploited
An attacker sends a crafted Sixnet UDR message over TCP/IP to port 1594 on a vulnerable RTU. The authentication bypass allows the message to be processed without credentials, and the attacker uses UDR protocol commands to execute arbitrary code with high privileges on the device.
Prerequisites
- Network access to the RTU on TCP port 1594
- RTU running affected firmware version (ST-IPm-8460 v6.0.202 or later; ST-IPm-6350, VT-mIPm variants v4.9.114 or later)
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- Critical CVSS score (10.0)
- Authentication bypass flaw
- Affects critical RTU operations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (6), all with a fix
Product          Affected Versions   Fix Status
ST-IPm-8460      >= 6.0.202          patch for >= 6.0.202: 8313_patch1_tcp_udr_all_blocked.tar.gz
ST-IPm-6350      >= 4.9.114          patch for >= 4.9.114: 855_patch1_tcp_udr_all_blocked.tar.gz
VT-mIPm-135-D    >= 4.9.114          patch for >= 4.9.114: 855_patch1_tcp_udr_all_blocked.tar.gz
VT-mIPm-245-D    >= 4.9.114          patch for >= 4.9.114: 855_patch1_tcp_udr_all_blocked.tar.gz
VT-IPm2m-213-D   >= 4.9.114          patch for >= 4.9.114: 855_patch1_tcp_udr_all_blocked.tar.gz
VT-IPm2m-113-D   >= 4.9.114          patch for >= 4.9.114: 855_patch1_tcp_udr_all_blocked.tar.gz
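A triage check against the table above, added here as an example (it is not code from Red Lion or from the advisory): it parses firmware versions numerically, flags each inventory entry against its model's affected threshold, and names the patch file to install. The hostnames, the "other-model" entry and the firmware strings in INVENTORY are constructed sample data.

```python
from typing import NamedTuple, Optional

# Threshold and patch file per model, copied from the advisory table above.
# Per the advisory, a model is affected when its firmware is >= the threshold.
AFFECTED = {
    "ST-IPm-8460": ("6.0.202", "8313_patch1_tcp_udr_all_blocked.tar.gz"),
    "ST-IPm-6350": ("4.9.114", "855_patch1_tcp_udr_all_blocked.tar.gz"),
    "VT-mIPm-135-D": ("4.9.114", "855_patch1_tcp_udr_all_blocked.tar.gz"),
    "VT-mIPm-245-D": ("4.9.114", "855_patch1_tcp_udr_all_blocked.tar.gz"),
    "VT-IPm2m-213-D": ("4.9.114", "855_patch1_tcp_udr_all_blocked.tar.gz"),
    "VT-IPm2m-113-D": ("4.9.114", "855_patch1_tcp_udr_all_blocked.tar.gz"),
}

class Finding(NamedTuple):
    host: str
    model: str
    firmware: str
    status: str           # "affected", "not-affected" or "unknown"
    patch: Optional[str]  # patch file to install when affected

def parse_version(text: str) -> tuple:
    """'6.0.202' -> (6, 0, 202): compare numerically, not as strings,
    so that 6.0.99 correctly sorts below 6.0.202."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(host: str, model: str, firmware: str) -> Finding:
    entry = AFFECTED.get(model)
    if entry is None:  # model not in the advisory: needs manual review
        return Finding(host, model, firmware, "unknown", None)
    threshold, patch = entry
    try:
        affected = parse_version(firmware) >= parse_version(threshold)
    except ValueError:  # firmware string not in dotted-numeric form
        return Finding(host, model, firmware, "unknown", None)
    if affected:
        return Finding(host, model, firmware, "affected", patch)
    return Finding(host, model, firmware, "not-affected", None)

# Constructed sample inventory (host, model, firmware); not real devices.
INVENTORY = [
    ("pump-rtu-01", "ST-IPm-8460", "6.0.202"),
    ("pump-rtu-02", "ST-IPm-8460", "6.0.99"),
    ("sub-rtu-07", "VT-mIPm-245-D", "4.9.120"),
    ("sub-rtu-08", "VT-IPm2m-113-D", "4.8.300"),
    ("legacy-rtu", "other-model", "1.0.0"),
]

def findings_for(inventory=INVENTORY) -> list:
    return [triage(*row) for row in inventory]
```

Entries reported as "unknown" (a model outside the table, or a firmware string the parser cannot read) should be checked by hand rather than assumed safe.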
Remediation & Mitigation
Do now
WORKAROUND: Configure iptables firewall rules to block TCP traffic on port 1594 (UDR port) while allowing other traffic, using the rc.firewall configuration method documented in Red Lion support
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Install vendor patch for your RTU model: ST-IPm-8460 install 8313_patch1_tcp_udr_all_blocked.tar.gz; ST-IPm-6350 and VT-mIPm variants install 855_patch1_tcp_udr_all_blocked.tar.gz
HARDENING: Enable user authentication on all RTUs per Red Lion instructions
Long-term hardening
HARDENING: Place RTUs behind firewalls and isolate them from business networks to restrict external network access
CVEs (2)