CVE-2023-40151
📋 TL;DR
A remote attacker who can reach a Red Lion SixTRAK or VersaTRAK RTU over TCP/IP can bypass user authentication and execute commands with the highest privileges. Even with user authentication enabled, the RTU applies its authentication challenge to Sixnet UDR messages only when they arrive over UDP; the same messages sent over TCP are simply accepted, with no challenge. Industrial control system operators running these RTUs are affected.
💻 Affected Systems
- Red Lion SixTRAK Series RTUs
- Red Lion VersaTRAK Series RTUs
📦 What is this software?
- Red Lion Controls ST-IPm-6350 firmware
- Red Lion Controls ST-IPm-8460 firmware
- Red Lion Controls VT-IPm2m-113-D firmware
- Red Lion Controls VT-IPm2m-213-D firmware
- Red Lion Controls VT-mIPm-135-D firmware
- Red Lion Controls VT-mIPm-245-D firmware
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing remote code execution with highest privileges, enabling attackers to manipulate industrial processes, disrupt operations, or cause physical damage.
Likely Case
Unauthorized access to RTU systems allowing configuration changes, data manipulation, or denial of service affecting industrial operations.
If Mitigated
Limited impact if network segmentation and firewall rules keep untrusted hosts from reaching the RTUs' TCP UDR port. Enabling user authentication on the RTU alone does not mitigate this issue, because the TCP path skips the challenge.
🎯 Exploit Status
Exploitation requires only network reachability to the RTU's Sixnet UDR service over TCP: the attacker sends the same Sixnet UDR messages that would be challenged over UDP, and the RTU accepts them without any authentication. No credentials, user interaction, or prior foothold on the RTU are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific firmware versions
Vendor Advisory: https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Red Lion support portal.
2. Back up the current configuration.
3. Apply the firmware update following the vendor instructions.
4. Verify that authentication is enforced for both UDP and TCP connections.
🔧 Temporary Workarounds
Disable TCP/IP access
Block or disable TCP connections to the RTUs so that all Sixnet UDR traffic arrives over UDP, the transport on which the RTU enforces its authentication challenge.
- Configure firewall rules to block TCP port 789 (the default Sixnet port; confirm the UDR port actually configured on your RTUs) while still permitting UDP from authorized SCADA hosts
- Disable TCP/IP services on the RTU if the firmware allows it
Network segmentation
Isolate RTUs in separate network segments with strict access controls.
- Implement VLAN segmentation
- Configure firewall rules to restrict RTU access to authorized systems only
🧯 If You Can't Patch
- Implement strict network access controls to limit TCP connections to RTUs from trusted sources only
- Monitor network traffic for unauthorized TCP connections to RTU ports and implement intrusion detection
🔍 How to Verify
Check if Vulnerable:
From a test host on an isolated network, send the same Sixnet UDR request to the RTU over UDP and over TCP and compare the responses: a vulnerable RTU challenges the UDP request for credentials but processes the TCP request without one. Do this on a bench unit or during a maintenance window, since a successful test executes a privileged command on the RTU.
Check Version:
Check RTU firmware version through web interface or serial console (vendor-specific commands)
Verify Fix Applied:
Verify that TCP connections now require proper authentication and cannot execute privileged commands without credentials.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized TCP connections to RTU ports
- Authentication bypass attempts
- Privileged command execution from unexpected sources
Network Indicators:
- TCP traffic to port 789 (default Sixnet) without preceding authentication
- UDR protocol messages over TCP from unauthorized sources
SIEM Query:
source_ip NOT IN authorized_list AND dest_port=789 AND protocol=TCP
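The network indicators and SIEM query above, as detection logic run over constructed Zeek-style conn.log records. This is an added example for this page, not Red Lion, CISA or Zeek code. It assumes the RTUs listen for Sixnet UDR on port 789 (the default the page states; confirm on your RTUs), an assumed RTU subnet and allowlist of SCADA hosts, and the standard Zeek conn.log column order; the sample records are constructed. It goes slightly beyond the query above by flagging TCP UDR traffic even from allowlisted hosts, since the TCP path skips authentication regardless of the client.

```python
"""Flag Sixnet UDR traffic to RTUs that arrives over TCP (the bypass path) or
from hosts outside the SCADA allowlist, in Zeek-style conn.log records.

Added example for this page, not vendor code. Assumptions: UDR on port 789
(the page's stated default), the RTU subnet and allowlist below, and the
standard Zeek conn.log column order. Sample records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

UDR_PORT = 789  # default Sixnet port per the page; verify against your RTU config

# Assumed RTU VLAN and authorized SCADA/engineering hosts (not from the advisories).
RTU_NETS = [ipaddress.ip_network("10.20.30.0/24")]
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("10.20.10.5/32"),  # SCADA master (assumed)
    ipaddress.ip_network("10.20.10.6/32"),  # engineering workstation (assumed)
]

# Leading Zeek conn.log columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto ...
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto"]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    proto: str
    severity: str
    reason: str


def parse_conn(line: str) -> Optional[dict]:
    """Return the first seven conn.log columns as a dict, or None for
    header/comment lines and truncated records."""
    if line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def in_nets(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def evaluate(rec: dict) -> Optional[Alert]:
    """Apply the page's indicators to one connection record."""
    if int(rec["resp_p"]) != UDR_PORT or not in_nets(rec["resp_h"], RTU_NETS):
        return None  # not UDR traffic to an RTU
    authorized = in_nets(rec["orig_h"], AUTHORIZED_SOURCES)
    proto = rec["proto"].lower()
    if proto == "tcp":
        # TCP is the bypass path: the RTU skips the authentication challenge
        # regardless of who the client is, so flag even allowlisted hosts.
        return Alert(rec["ts"], rec["orig_h"], rec["resp_h"], proto,
                     "critical" if not authorized else "high",
                     "Sixnet UDR over TCP (authentication bypass path)")
    if proto == "udp" and not authorized:
        return Alert(rec["ts"], rec["orig_h"], rec["resp_h"], proto, "medium",
                     "Sixnet UDR over UDP from non-allowlisted host")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_conn(line)
        if rec is not None:
            alert = evaluate(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample: a header line plus five connections.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1700000000.1\tC1\t10.20.10.5\t50010\t10.20.30.11\t789\tudp",    # normal SCADA poll
    "1700000001.2\tC2\t10.20.10.5\t50011\t10.20.30.11\t789\ttcp",    # allowlisted host, but TCP
    "1700000002.3\tC3\t192.168.1.77\t40022\t10.20.30.12\t789\ttcp",  # unknown host over TCP
    "1700000003.4\tC4\t192.168.1.77\t40023\t10.20.30.12\t789\tudp",  # unknown host over UDP
    "1700000004.5\tC5\t10.20.10.6\t40024\t10.20.30.11\t80\ttcp",     # not the UDR port
]

if __name__ == "__main__":
    for a in scan(SAMPLE_CONN_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst}/{a.proto}: {a.reason}")
```

Against the sample, the authorized UDP poll and the port-80 connection produce nothing; the allowlisted host's TCP connection is rated high, the unknown host's TCP connection critical, and its UDP attempt medium. Feed the real conn.log through `scan()` and tune `RTU_NETS`, `AUTHORIZED_SOURCES` and `UDR_PORT` to your environment before acting on the output.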
🔗 References
- https://support.redlion.net/hc/en-us/articles/19339209248269-RLCSIM-2023-05-Authentication-Bypass-and-Remote-Code-Execution
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01