11 September 2019

Multiple vulnerabilities identified in Red Lion Controls Crimson software

Multiple vulnerabilities have been identified in Crimson, a software product by Red Lion Controls. Successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code, crash the device or view protected data.

The vulnerabilities affect versions 3.0 and 3.1 of the software (all releases prior to 3112.00).

The vulnerabilities identified include:

  • CVE-2019-10996 – multiple vulnerabilities caused by the improper use of memory by the software (Use After Free error). A CVSS v.3 base score of 7.8 has been calculated for these vulnerabilities.
  • CVE-2019-10978 – multiple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerabilities. These vulnerabilities have been assigned a CVSS v.3 base score of 3.3.
  • CVE-2019-10984 – multiple vulnerabilities caused by pointer issues. These vulnerabilities have been assigned a CVSS v.3 base score of 7.8.
  • CVE-2019-10990 – a vulnerability associated with the use of a hardcoded password to encrypt protected files in transit and at rest, which could allow an attacker to access configuration files. A CVSS v.3 base score of 6.5 has been calculated for this vulnerability.

To exploit CVE-2019-10996, CVE-2019-10978 and CVE-2019-10984, an attacker must get a valid user to open a specially crafted malicious input file. To address these vulnerabilities, the vendor recommends updating the software to version 3.1 (release 3112.00 or later).

With respect to CVE-2019-10990, the user manual for Crimson 3.1 release 3112.00 now includes a paragraph explaining that the software is not intended for cryptographically secure protection of the database. In a later version, scheduled to be released in September 2019, Red Lion Controls plan to modify the existing database protection scheme so that it includes an option to use a second password designed to encrypt the data.

Sources: ICS-CERT, Red Lion