CVE-2023-40151

Red Lion Controls Sixnet RTU Exposed Dangerous Method Or Function

Description

When user authentication is not enabled, the shell can execute commands with the highest privileges. On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP, the RTU will simply accept the message with no authentication challenge.

Remediation

Solution:

  • Red Lion recommends users apply the latest patches to their products: https://support.redlion.net/hc/en-us/articles/19338927539981-SixTRAK-and-VersaTRAK-Security-Patch-RLCSIM-2023-05

Red Lion recommends users apply additional mitigations to help reduce the risk:

  • Enable user authentication; see Red Lion instructions: https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU

Blocking all or most Sixnet UDR messages over TCP/IP will eliminate the authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.

To block all Sixnet UDR messages over TCP/IP, install Patch1_tcp_udr_all_blocked.tar.gz:

  • ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz
  • ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz

To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP, install Patch2_io_open.tar.gz:

  • ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz
  • ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz

To block all Sixnet UDR messages over TCP/IP:

  • Enable iptables rules to block TCP/IP traffic.
  • In the Sixnet I/O Tool Kit go to Configuration > Configuration Station/Module > "Ports" tab > Security.
  • Select the "Load the this file with each station load" radio button to load a custom rc.firewall configuration file.

The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please note: two rules that are added in by default were removed because they will block all traffic going into the interface.

Remove these rules from the default rc.firewall file:

  • iptables -P INPUT DROP (Drops everything coming in)
  • iptables -P FORWARD DROP (Drops everything in FORWARD chain)

Add one DROP rule which will drop all TCP/IP packets coming in on UDR port 1594 by typing the following commands:

  • insmod ip_tables (Initialization)
  • insmod iptable_filter (Initialization)
  • insmod ip_conntrack (Initialization)
  • insmod iptable_nat (Initialization)
  • iptables -F INPUT (Flushes INPUT chain)
  • iptables -F OUTPUT (Flushes OUTPUT chain)
  • iptables -F FORWARD (Flushes FORWARD chain)
  • iptables -Z (Zero counters)
  • iptables -P OUTPUT ACCEPT (Accepts everything going out)
  • iptables -A INPUT -p tcp --dport 1594 -j DROP (Blocks all TCP traffic coming in on port 1594)

For installation instructions see Red Lion's support page: https://support.redlion.net/hc/en-us/articles/18190385510797-ACCESS-RTU-and-IO-How-to-install-a-patch-or-package-to-the-RTU

For more information, please refer to Red Lion's security bulletin: https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
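
Rule order in rc.firewall decides whether the port 1594 block actually takes effect, so a candidate file is worth checking before it is loaded. The shell function below is an added example, not code from Red Lion or from this page; the function name, its return codes and the sample input are assumptions made for illustration.

```shell
# Added example (not Red Lion code): lint a custom rc.firewall against the
# procedure above. Only "-A" appends are modelled, not "-I" or port ranges.
UDR_PORT=1594   # Sixnet UDR port named in the advisory

# check_rc_firewall [FILE]   (hypothetical helper; reads stdin without FILE)
#   0  unconditional DROP for tcp/UDR_PORT is the first matching INPUT rule
#   1  no such DROP rule
#   2  an earlier unconditional INPUT ACCEPT matches tcp/UDR_PORT first
#   3  DROP rule fine, but a default-DROP policy line was left in the file
check_rc_firewall() {
    awk -v port="$UDR_PORT" '
    $1 != "iptables" { next }            # skips insmod lines and comments
    $2 == "-P" && $4 == "DROP" && $3 != "OUTPUT" {
        printf "line %d: default policy DROP on %s still present\n", NR, $3
        policy = 1; next
    }
    {
        chain = target = ""; proto = dport = "any"; narrow = 0
        for (i = 2; i < NF; i++) {
            if      ($i == "-A")      chain  = $(i + 1)
            else if ($i == "-p")      proto  = $(i + 1)
            else if ($i == "--dport") dport  = $(i + 1)
            else if ($i == "-j")      target = $(i + 1)
            else if ($i ~ /^(-i|-s|-d|--sport)$/ || ($i == "-m" && $(i + 1) != "tcp")) narrow = 1
        }
        # Would this rule see every TCP packet addressed to the UDR port?
        hit = (chain == "INPUT" && !narrow &&
               (proto == "tcp" || proto == "any") &&
               (dport == port || dport == "any"))
        if (!hit || verdict != "") next
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
            verdict = target
            printf "line %d: first match for tcp/%s is %s\n", NR, port, target
        }
    }
    END {
        if (verdict == "ACCEPT") exit 2
        if (verdict == "")       exit 1
        exit (policy ? 3 : 0)
    }' "$@"
}

# Constructed sample: a subset of the rules listed in the procedure above.
check_rc_firewall <<'EOF' && echo "rc.firewall matches the procedure"
insmod ip_tables
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp --dport 1594 -j DROP
EOF
```

A rule narrowed by interface, address or a match module is skipped rather than treated as a verdict, so a loopback ACCEPT ahead of the DROP does not count as shadowing it.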

CVSS 3.1: 10.0
Severity: Critical
EPSS: 0.25%
Vendor Advisory: redlion.net
Affected: Red Lion Controls ST-IPm-8460
Affected: Red Lion Controls ST-IPm-6350
Affected: Red Lion Controls VT-mIPm-135-D
Affected: Red Lion Controls VT-mIPm-245-D
Affected: Red Lion Controls VT-IPm2m-213-D
Affected: Red Lion Controls VT-IPm2m-113-D

Frequently Asked Questions

What is the severity of CVE-2023-40151?
CVE-2023-40151 has been scored as a critical severity vulnerability.
Is CVE-2023-40151 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2023-40151 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-40151?
CVE-2023-40151 affects Red Lion Controls ST-IPm-8460, Red Lion Controls ST-IPm-6350, Red Lion Controls VT-mIPm-135-D, Red Lion Controls VT-mIPm-245-D, Red Lion Controls VT-IPm2m-213-D, Red Lion Controls VT-IPm2m-113-D.