Several Vulnerabilities Found in Red Lion HMI Software

Researchers have discovered several vulnerabilities, including ones that have been classified as serious, in a human-machine interface (HMI) programming software made by U.S.-based Red Lion.

Industrial automation and networking solutions firm Red Lion is a subsidiary of U.K.-based Spectris, a provider of highly-specialized measuring instruments and controls. According to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Red Lion’s products are used worldwide, mainly in the critical manufacturing sector.

Trend Micro researchers Michael DePlante, Anthony Fuller and Todd Manning discovered that Red Lion’s Crimson programming software, specifically versions 3.0 and prior and 3.1 prior to the 3112.00 release, are affected by four types of vulnerabilities, with multiple variations for each issue.

CISA published an advisory for these vulnerabilities last week to notify organizations using the impacted Red Lion product.

Trend Micro’s Zero Day Initiative (ZDI), through which the researchers reported their findings to the vendor, has also published advisories for each of the vulnerabilities. The security holes are tracked as CVE-2019-10996, CVE-2019-10978, CVE-2019-10984 and CVE-2019-10990.

The most serious of them allows an attacker to remotely execute arbitrary code in the context of the current process by convincing the targeted user to open a specially crafted CD3 file.

Learn More About Vulnerabilities in ICS Products at SecurityWeek’s 2019 ICS Cyber Security Conference

Another flaw is related to the existence of hardcoded passwords that can be used to access some information. Red Lion has clarified in an advisory that the issue is related to the passwords for password-protected databases being stored in the database. The company has released new documentation to clarify that these passwords are meant to help manage user access, not to keep databases cryptographically secure. Future versions of Crimson 3.1 will have a second password that will be used to encrypt a database.

“It is important to note that the hardcoded password is only evaluated in the Windows client (Crimson) to control access levels for viewing and editing a configuration (database) file, independently of the target device. The target device itself does not use the hardcoded password and at no point is the hardcoded password used for the operation of the device’s runtime activity,” Red Lion said in its advisory.

The other two vulnerabilities found by the researchers are memory corruption issues that can be used to obtain sensitive information by getting the targeted user to open a specially crafted CD31 file. ZDI noted in its advisories that these flaws can be used in combination with other weaknesses to execute arbitrary code in the context of the current process.

Red Lion has released Crimson 3.1 version 3112.00 to patch the vulnerabilities, but the company has informed customers that it does not plan on releasing an update for Crimson 3.0.

Related: ABB Patches Many Vulnerabilities in HMI Products

Related: Code Execution Flaws Found in EZAutomation PLC, HMI Software