Red Lion Working on Fix for Old N-Tron Industrial Wireless AP Flaw

Red Lion Controls is preparing a firmware update to address a vulnerability in the N-Tron 702-W Industrial Wireless Access Point that can be exploited by an attacker to compromise communications and the integrity of the device.

According to an advisory published by ICS-CERT this week, a researcher discovered hardcoded SSH and HTTPS encryption keys that are shared across N-Tron 702-W Industrial Wireless Access Point devices. Customers do not have the ability to generate new keys for their devices.

An attacker can use the keys from one product to decrypt traffic from any other device. The flaw, which affects all versions of the N-Tron 702-W Industrial Wireless Access Point, can be exploited remotely even by an attacker with low skill, ICS-CERT noted.
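Asset owners can check whether devices on their own network present the same SSH host key, which is the condition described above. The following Python sketch is an added example, not code from the article, the advisory or the vendor; it groups `ssh-keyscan`-format lines by key fingerprint, and the addresses and key blobs in the sample are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text):
    """Return {(key_type, fingerprint): [hosts]} for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        # Skip blanks, comments and malformed lines.
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        names, key_type, blob = parts[:3]
        try:
            key = (key_type, fingerprint(blob))
        except ValueError:  # undecodable base64
            continue
        # known_hosts-style lines may list several names; keep the first.
        hosts_by_key[key].add(names.split(",")[0])
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def _blob(label):
    # Constructed stand-in for a key blob; NOT a real SSH public key.
    return base64.b64encode(label).decode()


# Constructed sample in ssh-keyscan output format (hypothetical addresses).
SAMPLE = "\n".join([
    "# 10.0.0.11:22 SSH-2.0-constructed",
    f"10.0.0.11 ssh-rsa {_blob(b'constructed-shared-key')}",
    f"10.0.0.12 ssh-rsa {_blob(b'constructed-shared-key')}",
    f"10.0.0.13 ssh-rsa {_blob(b'constructed-shared-key')}",
    f"10.0.0.20 ssh-rsa {_blob(b'constructed-unique-key')}",
    "10.0.0.21 ssh-rsa",  # malformed: no key blob
])

if __name__ == "__main__":
    for (key_type, fp), hosts in shared_host_keys(SAMPLE).items():
        print(f"{key_type} {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any fingerprint reported for more than one device means those devices do not have unique host keys and should be tracked until a firmware fix or replacement keys are available.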

The vulnerability was identified by researcher Neil Smith back in 2012. Smith was working at social risk management company ZeroFOX when he discovered the vulnerability.

ICS-CERT has decided to disclose the vulnerability (CVE-2012-4716) because the vendor has been unresponsive. The existence of the security hole has been made public to warn critical infrastructure asset owners of the risk of using this N-Tron equipment.

Red Lion Controls representatives told SecurityWeek that a fix for this issue is currently in development and that a new firmware version will be deployed in the coming weeks.

Red Lion customers who want to be notified when the update becomes available are advised to contact the company’s technical support team at support(at)redlion.net.

“Red Lion is committed to providing our customers with reliable, secure industrial networking devices, and will address this issue with the highest priority,” Red Lion said in an emailed statement. “Further, we’re reviewing our internal escalation procedures regarding communiques from ICS-CERT so that we may respond in a more timely fashion to their inquiries.”

UK-based instrumentation and controls company Spectris plc acquired Mobile, Ala.-based rugged industrial networking components manufacturer N-Tron in 2010 for $51 million. In February 2013, Spectris combined N-Tron, Sixnet and Red Lion under the Red Lion brand.

N-Tron products are deployed in sectors such as energy, commercial facilities, nuclear reactors, transportation, and water and wastewater in more than 50 countries across the world.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
