
"Red Lion's Sixnet RTUs provide advanced automation, control, and data acquisition capabilities in industrial automation and control systems, primarily across energy, water, and wastewater treatment, transportation, utilities, and manufacturing sectors. These industrial devices are configured using a Windows utility called Sixnet IO Tool Kit, with a proprietary Sixnet "Universal" protocol used to interface and enable communication between the kit and the RTUs."
"There also exists a user-permission system atop this mechanism to support file management, set/get station information, obtain Linux kernel and boot version, among others, over the UDP protocol. The two vulnerabilities identified by Claroty are listed below -

- CVE-2023-42770 - An authentication bypass that arises as a result of the Sixnet RTU software listening to the same port (number 1594) in UDP and TCP that only prompts for an authentication challenge over UDP, while accepting the incoming message over TCP without prompting for any authentication"
Two critical vulnerabilities (CVE-2023-42770 and CVE-2023-40151) affect Red Lion SixTRAK and VersaTRAK Sixnet RTUs and carry CVSS scores of 10.0. One flaw is an authentication bypass caused by the RTU listening on the same port (1594) for both UDP and TCP while issuing the authentication challenge only over UDP, so a message arriving over TCP is accepted without authentication. The other flaw leverages the Sixnet Universal Driver's built-in support for Linux shell command execution to run arbitrary code as root. Chained together, the two flaws allow an attacker to bypass authentication and achieve remote root code execution. Sixnet RTUs are configured via the Windows Sixnet IO Tool Kit utility using a proprietary "Universal" protocol, and they include a UDP-based user-permission system for file and station management.
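The bug class behind the authentication bypass is worth seeing in code: an authorisation check placed in one transport's receive path instead of in the shared command dispatcher. The following is an added illustrative model, not code from Red Lion, Claroty or the article; the message format, session table, command names and sample traffic are all assumptions, and it does not model the Sixnet Universal protocol. It shows the vulnerable dispatch shape next to a corrected one that gates every command on a per-peer session table regardless of transport, and a small log-review helper a defender can run over event records to flag commands that were accepted over TCP without any completed authentication from that peer.

```python
"""Illustrative model of a transport-dependent authentication gap.

Added example (assumed protocol and field names, not the Sixnet Universal
protocol): one service accepts the same command set over UDP and TCP on a
single port. `hardened=False` reproduces the bug pattern described above
(the check lives only on the UDP path); `hardened=True` moves the check into
the transport-agnostic dispatcher.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Peer = Tuple[str, int]


@dataclass(frozen=True)
class Event:
    transport: str   # "udp" or "tcp"
    peer: Peer       # (address, port) of the sender
    kind: str        # "auth" = completed challenge-response, "cmd" = command
    payload: str     # command name for "cmd"; unused for "auth"


class Rtu:
    """Single-port service; `hardened` selects the corrected dispatcher."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.sessions: Dict[Peer, bool] = {}           # peer -> authenticated?
        self.executed: List[Tuple[str, Peer, str]] = []  # what actually ran

    def _dispatch(self, ev: Event) -> str:
        # Corrected design: the gate sits here, shared by every transport,
        # so a command is denied unless this peer completed authentication.
        if self.hardened and not self.sessions.get(ev.peer, False):
            return "denied"
        self.executed.append((ev.transport, ev.peer, ev.payload))
        return "ok"

    def receive(self, ev: Event) -> str:
        if ev.kind == "auth":
            # Assumed: the challenge-response completes successfully.
            self.sessions[ev.peer] = True
            return "authenticated"
        if ev.transport == "udp":
            # Vulnerable design: the only check is on the UDP receive path ...
            if not self.sessions.get(ev.peer, False):
                return "challenge"
            return self._dispatch(ev)
        # ... so the TCP receive path reaches the dispatcher directly.
        return self._dispatch(ev)


def unauthenticated_tcp_commands(events: List[Event]) -> List[Event]:
    """Log-review helper: TCP command events whose peer never authenticated
    earlier in the record. Assumes events are in arrival order."""
    seen_auth = set()
    flagged = []
    for ev in events:
        if ev.kind == "auth":
            seen_auth.add(ev.peer)
        elif ev.kind == "cmd" and ev.transport == "tcp" and ev.peer not in seen_auth:
            flagged.append(ev)
    return flagged


# Constructed sample traffic: one peer authenticates over UDP, another never does.
SAMPLE = [
    Event("udp", ("10.0.0.5", 40000), "auth", ""),
    Event("udp", ("10.0.0.5", 40000), "cmd", "get_station_info"),
    Event("tcp", ("10.0.0.9", 50123), "cmd", "get_station_info"),
    Event("udp", ("10.0.0.9", 50123), "cmd", "get_station_info"),
]


def run(hardened: bool) -> List[str]:
    """Feed SAMPLE through a fresh service and return the per-event responses."""
    rtu = Rtu(hardened)
    return [rtu.receive(ev) for ev in SAMPLE]


if __name__ == "__main__":
    print("vulnerable:", run(False))   # TCP command from 10.0.0.9 is accepted
    print("hardened:  ", run(True))    # same command is denied
    print("flagged:   ", unauthenticated_tcp_commands(SAMPLE))
```

The point of the corrected version is where the check lives, not what it checks: once the gate is inside `_dispatch`, adding a third transport cannot silently reopen the gap. The review helper is the same idea applied to records after the fact; a per-peer authenticated-session table is the state both sides need.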
Read at The Hacker News