This bulletin describes a vulnerability present in Red Lion’s DA50A and DA70A modular gateways when running Crimson 3.2 version 3.2.0030 or earlier. When combined with an incorrectly configured firewall, the vulnerability allows an attacker to create arbitrary connections from the subject device to hosts on both internal and external networks. This may allow unauthorized access to connected devices, or the use of the device for malicious and bandwidth-consuming activities such as the sending of unsolicited commercial email. Customers using impacted devices should immediately apply the mitigation steps described below and should upgrade their Crimson 3.2 software to the latest version as soon as possible.
This vulnerability has a CVSS score of 8.3 with a resulting severity assignment of HIGH.
The associated CVSS vector is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L.
Note that this analysis is based upon a typical installation of the impacted products. Since the vulnerability may allow access to connected devices, it is possible that greater Confidentiality, Integrity or Availability impacts will be encountered depending on the nature and configuration of those devices. In such circumstances, the CVSS score may rise to 9.9 with a resulting severity assignment of CRITICAL.
The affected products are all Red Lion part numbers starting with DA50A and DA70A, and any similar devices converted to A models, when running Crimson 3.2 version 3.2.0030 or earlier.
The subject devices contain several obsolete user accounts with trivial, fixed, and device non-specific passwords that can be used to access the SSH port forwarding facility if the SSH port is reachable by the attacker. While SSH shell access cannot be obtained, port forwarding may be used by an attacker to convert a vulnerable device into a proxy server that may subsequently be used to route traffic to other Internet hosts. This traffic will impair system performance and in the case of cellular connections may incur excess data charges. Further, attempts by an attacker to use the device as a relay for spam or phishing emails may result in the device’s IP address being blacklisted or its Internet service canceled. An attacker with knowledge of the network on which the device is installed may use port forwarding to access arbitrary ports on the device itself or on connected devices.
This exploit has already been used by attackers. In one typical case, the subject device was connected to the Internet via a cellular connection using a static, public IP address, with its firewall configured against best practice to permit SSH sessions from untrusted interfaces. This allowed the attacker to perform a dictionary attack on the SSH service and to compromise one of the obsolete user accounts. This in turn allowed the use of the subject device as an Internet-facing proxy for the transmission of what appeared to be unsolicited email, with noticeable impacts on device performance and significant excess cellular data charges.
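As an added illustration, not part of Red Lion's bulletin, the following Python script shows how a defender might spot the abuse pattern described above in flow or firewall logs: an SSH session arriving at the gateway from an untrusted address, followed within a short window by gateway-originated connections to mail ports or to hosts on the trusted network. The flow records, the gateway address and the trusted network are constructed assumptions.

```python
"""Flag SSH port-forwarding proxy abuse of a gateway from simple flow records."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flows: "timestamp src dst proto dport" (not real data).
SAMPLE_FLOWS = """\
2024-01-10T03:00:01 198.51.100.77 203.0.113.10 tcp 22
2024-01-10T03:00:05 198.51.100.77 203.0.113.10 tcp 22
2024-01-10T03:01:10 203.0.113.10 192.0.2.25 tcp 25
2024-01-10T03:01:12 203.0.113.10 192.0.2.26 tcp 25
2024-01-10T03:01:15 203.0.113.10 192.0.2.27 tcp 587
2024-01-10T03:01:20 203.0.113.10 192.0.2.28 tcp 25
2024-01-10T03:05:00 203.0.113.10 192.168.1.20 tcp 502
2024-01-10T09:00:00 203.0.113.10 192.0.2.99 tcp 443
"""

GATEWAY_IP = "203.0.113.10"  # assumed public cellular address of the gateway
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed trusted plant LAN
MAIL_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # distinct relayed targets needed before raising a finding


def parse_flows(text):
    """Parse the five-column flow lines into (time, src, dst, proto, dport) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return records


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_proxy_abuse(records, gateway=GATEWAY_IP, window=WINDOW, threshold=THRESHOLD):
    """Map each untrusted SSH source to the mail and internal hosts the gateway
    contacted shortly after that source's first SSH connection."""
    first_ssh = {}
    for ts, src, dst, _proto, dport in records:
        if dst == gateway and dport == 22 and not is_trusted(src):
            first_ssh.setdefault(src, ts)
    findings = {}
    for src, start in first_ssh.items():
        mail, internal = set(), set()
        for ts, fsrc, fdst, _proto, dport in records:
            if fsrc != gateway or not (start <= ts <= start + window):
                continue
            if dport in MAIL_PORTS:
                mail.add(fdst)  # gateway relaying outbound email
            elif is_trusted(fdst):
                internal.add(fdst)  # gateway reaching into the trusted network
        if len(mail) + len(internal) >= threshold:
            findings[src] = {"mail_targets": sorted(mail), "internal_targets": sorted(internal)}
    return findings
```

Run against real records, the thresholds and the trusted networks should be tuned to the site; a single finding is a prompt to check the device's firewall trust settings and firmware version, not proof of compromise.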
Each interface’s trust status is configured via the appropriate page in the System Configuration; any Internet-facing interface, such as a cellular connection with a public IP address, must be marked as untrusted.
Within the Untrusted Traffic configuration, SSH must not be permitted, so that SSH sessions are refused on untrusted interfaces. For information on whitelists, refer to the Crimson 3.2 documentation.
The mitigation steps described above will prevent attacks via Internet-facing interfaces, but the subject devices will still remain vulnerable to exploits from within a trusted network. The recommended solution is thus to update the device firmware to that included with Crimson 3.2 version 3.2.031 or later. This update can be downloaded from https://www.redlion.net/support/software-firmware/red-lion-software/crimson or by using the Check for Updates command within the configuration tool. The update disables the obsolete user accounts and the use of SSH port forwarding, thereby removing the underlying vulnerability. Note that the installation of this update does not lessen the need for the mitigation steps defined above. Preventing access to the SSH port from the Internet via appropriate firewall settings is still necessary in order to maintain system security.