Security Experts:

Connect with us

Hi, what are you looking for?



Several Vulnerabilities Found in Red Lion HMI Software

Researchers have discovered several vulnerabilities, including ones that have been classified as serious, in a human-machine interface (HMI) programming software made by U.S.-based Red Lion.

Researchers have discovered several vulnerabilities, including ones that have been classified as serious, in a human-machine interface (HMI) programming software made by U.S.-based Red Lion.

Industrial automation and networking solutions firm Red Lion is a subsidiary of U.K.-based Spectris, a provider of highly-specialized measuring instruments and controls. According to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Red Lion’s products are used worldwide, mainly in the critical manufacturing sector.

Trend Micro researchers Michael DePlante, Anthony Fuller and Todd Manning discovered that Red Lion’s Crimson programming software, specifically versions 3.0 and prior and 3.1 prior to the 3112.00 release, are affected by four types of vulnerabilities, with multiple variations for each issue.

CISA published an advisory for these vulnerabilities last week to notify organizations using the impacted Red Lion product.

Trend Micro’s Zero Day Initiative (ZDI), through which the researchers reported their findings to the vendor, has also published advisories for each of the vulnerabilities. The security holes are tracked as CVE-2019-10996, CVE-2019-10978, CVE-2019-10984 and CVE-2019-10990.

The most serious of them allows an attacker to remotely execute arbitrary code in the context of the current process by convincing the targeted user to open a specially crafted CD3 file.

Learn More About Vulnerabilities in ICS Products at SecurityWeek’s 2019 ICS Cyber Security Conference

Another flaw is related to the existence of hardcoded passwords that can be used to access some information. Red Lion has clarified in an advisory that the issue is related to the passwords for password-protected databases being stored in the database. The company has released new documentation to clarify that these passwords are meant to help manage user access, not to keep databases cryptographically secure. Future versions of Crimson 3.1 will have a second password that will be used to encrypt a database.

“It is important to note that the hardcoded password is only evaluated in the Windows client (Crimson) to control access levels for viewing and editing a configuration (database) file, independently of the target device. The target device itself does not use the hardcoded password and at no point is the hardcoded password used for the operation of the device’s runtime activity,” Red Lion said in its advisory.

The other two vulnerabilities found by the researchers are memory corruption issues that can be used to obtain sensitive information by getting the targeted user to open a specially crafted CD31 file. ZDI noted in its advisories that these flaws can be used in combination with other weaknesses to execute arbitrary code in the context of the current process.

Red Lion has released Crimson 3.1 version 3112.00 to patch the vulnerabilities, but the company has informed customers that it does not plan on releasing an update for Crimson 3.0.

Related: ABB Patches Many Vulnerabilities in HMI Products

Related: Code Execution Flaws Found in EZAutomation PLC, HMI Software

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.