1. Introduction
Nessus detected a device with the RedLion Crimson programming protocol enabled. This means the protocol used for configuring RedLion programmable logic controllers (PLCs) is reachable over the network, potentially allowing unauthorised changes to device settings. This affects industrial control systems and could lead to disruption of operations or data compromise. A successful attack could impact the confidentiality, integrity, and availability of the controlled processes.
2. Technical Explanation
The vulnerability occurs when the RedLion Crimson protocol remains active on a device without restriction. An attacker can connect to the port used by this protocol and send commands to modify the controller’s configuration. The main precondition is network connectivity to the affected device. There is no known CVE associated with this specific detection, but similar issues exist in industrial control systems. For example, an attacker could use a scripting language like Python to establish a connection and upload malicious code.
- Exploit mechanism: An attacker connects to the device on the relevant port (typically TCP 502) and uses the Crimson protocol commands to modify the PLC’s program or settings.
- Scope: RedLion Crimson programmable logic controllers are affected. Specific versions depend on firmware configurations.
3. Detection and Assessment
Confirming vulnerability involves checking if the protocol is listening on the device. A quick check can be done using network scanning tools, while a thorough method requires analysing the PLC’s configuration.
- Quick checks: Run `netstat -an | grep 502` on the device to see whether port 502 is in a listening state.
- Scanning: Nessus plugin ID 16879 can detect this issue. Other vulnerability scanners may have similar checks, but results should be verified.
- Logs and evidence: Review device logs for connections on TCP port 502 from unexpected sources.
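The quick check and the log review above can be scripted so the same test is applied to every device in the same way. The following Python is an added example, not part of the original write-up or any RedLion tool: it parses a constructed sample of `netstat -an` output for a LISTEN socket and the established peers on the port, and it runs a constructed set of iptables-style firewall log lines against an allowlist of trusted sources (the two addresses from the remediation example) to report unexpected connections. The log line format, the sample addresses and the `audit` helper are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of `netstat -an` output from a device on 192.168.1.50
# (illustrative, not captured from real hardware)
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.50:502        192.168.1.10:40211      ESTABLISHED
tcp        0      0 192.168.1.50:502        203.0.113.7:51000       ESTABLISHED
"""

# Constructed firewall log lines in an assumed iptables-like syslog format
FIREWALL_LOG_SAMPLE = [
    "Jan 10 09:12:01 fw01 kernel: ACCEPT IN=eth1 SRC=192.168.1.10 DST=192.168.1.50 PROTO=TCP DPT=502",
    "Jan 10 09:13:44 fw01 kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=192.168.1.50 PROTO=TCP DPT=502",
    "Jan 10 09:15:09 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP DPT=502",
    "Jan 10 09:16:30 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP DPT=443",
]

# Trusted sources taken from the write-up's remediation example; CIDR ranges are also accepted
TRUSTED_SOURCES = ["192.168.1.10", "10.0.0.5"]
CRIMSON_PORT = 502  # the port the write-up associates with the protocol

LOG_FIELDS = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def _tcp_rows(netstat_output):
    """Yield (local_addr, foreign_addr, state) for each TCP row of netstat -an output."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp"):
            yield fields[3], fields[4], fields[5]


def listening_on_port(netstat_output, port):
    """True if any TCP socket is in LISTEN state on the given local port."""
    return any(
        state == "LISTEN" and local.rsplit(":", 1)[-1] == str(port)
        for local, _foreign, state in _tcp_rows(netstat_output)
    )


def established_peers(netstat_output, port):
    """Sorted remote addresses that hold an ESTABLISHED connection to the given local port."""
    peers = {
        foreign.rsplit(":", 1)[0]
        for local, foreign, state in _tcp_rows(netstat_output)
        if state == "ESTABLISHED" and local.rsplit(":", 1)[-1] == str(port)
    }
    return sorted(peers)


def unexpected_sources(log_lines, port, trusted):
    """Sorted source IPs that reached `port` over TCP but fall outside every trusted address or range."""
    allowed = [ipaddress.ip_network(entry, strict=False) for entry in trusted]
    flagged = set()
    for line in log_lines:
        match = LOG_FIELDS.search(line)
        if not match or match["proto"] != "TCP" or int(match["dpt"]) != port:
            continue
        src = ipaddress.ip_address(match["src"])
        if not any(src in net for net in allowed):
            flagged.add(str(src))
    return sorted(flagged)


def audit(netstat_output, log_lines, port=CRIMSON_PORT, trusted=TRUSTED_SOURCES):
    """Combine the quick check, the connection table and the log review into one report (assumed helper)."""
    return {
        "listening": listening_on_port(netstat_output, port),
        "established_peers": established_peers(netstat_output, port),
        "unexpected_sources": unexpected_sources(log_lines, port, trusted),
    }


if __name__ == "__main__":
    report = audit(NETSTAT_SAMPLE, FIREWALL_LOG_SAMPLE)
    print(f"Port {CRIMSON_PORT} listening: {report['listening']}")
    print("Established peers:", ", ".join(report["established_peers"]) or "none")
    print("Unexpected sources:", ", ".join(report["unexpected_sources"]) or "none")
```

On the constructed input the report shows the port listening, two established peers, and one source (203.0.113.7) that reached port 502 from outside the trusted set; the same 203.0.113.7 connection to port 443 is ignored because the review is scoped to the protocol port. The allowlist accepts CIDR ranges so that a whole engineering subnet can be trusted without listing each host.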
4. Solution / Remediation Steps
The solution is to disable the RedLion Crimson protocol if it’s not required, or restrict access using firewall rules.
4.1 Preparation
- Ensure you have valid credentials to access and modify the PLC configuration, and back up the current configuration before changing anything; the roll-back plan is to restore that backup.
- A change window may be needed for production systems, requiring approval from operations teams.
4.2 Implementation
- Step 1: Log in to the RedLion Crimson software or web interface.
- Step 2: Navigate to the communication settings section.
- Step 3: Disable the Crimson protocol, if possible.
- Step 4: If disabling is not an option, restrict access to the port using firewall rules allowing only trusted IP addresses.
- Step 5: Save the configuration and restart the PLC if required.
4.3 Config or Code Example
Before
// Crimson protocol enabled (example configuration)
Communication.CrimsonEnabled = True
Firewall.AllowAllIPs = True
After
// Crimson protocol disabled and access restricted (example configuration)
Communication.CrimsonEnabled = False
Firewall.AllowedIPs = [192.168.1.10, 10.0.0.5]
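Whether a device sits in the "Before" or "After" state can be checked mechanically, which is also what the later point about enforcing secure settings across all PLCs comes down to. The Python below is an added example and not part of the original write-up or any RedLion product: it parses configuration text written in the same `Key = Value` style as the example above (an assumed format, not a real Crimson export), applies the policy from Steps 3 and 4 (protocol disabled, or enabled with all-IP access off and an allowlist containing only approved sources), and runs that check over a small fleet. The third configuration, the approved-source set and the helper names are constructed for illustration.

```python
# Constructed configuration texts in the key = value style of the write-up's
# before/after example; this is not a real Crimson export format.
BEFORE_CONFIG = """\
// Crimson protocol enabled (example configuration)
Communication.CrimsonEnabled = True
Firewall.AllowAllIPs = True
"""

AFTER_CONFIG = """\
// Crimson protocol disabled and access restricted (example configuration)
Communication.CrimsonEnabled = False
Firewall.AllowedIPs = [192.168.1.10, 10.0.0.5]
"""

# Constructed: protocol kept enabled (the Step 4 path) but the allowlist carries
# an address that operations never approved
PARTIAL_CONFIG = """\
Communication.CrimsonEnabled = True
Firewall.AllowAllIPs = False
Firewall.AllowedIPs = [192.168.1.10, 198.51.100.9]
"""

APPROVED_SOURCES = {"192.168.1.10", "10.0.0.5"}  # taken from the remediation example


def parse_config(text):
    """Parse `Key = Value` lines into a dict; values become bool, list or str. `//` starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("[") and value.endswith("]"):
            settings[key] = [item.strip() for item in value[1:-1].split(",") if item.strip()]
        elif value.lower() in ("true", "false"):
            settings[key] = value.lower() == "true"
        else:
            settings[key] = value
    return settings


def assess(settings, approved_sources=APPROVED_SOURCES):
    """Return a list of findings; an empty list means the configuration meets the remediation policy.

    Policy (mirrors Steps 3 and 4): the protocol is either disabled, or it is enabled with
    Firewall.AllowAllIPs off and a non-empty allowlist containing only approved sources.
    A missing CrimsonEnabled key is treated as enabled, so an incomplete export fails rather than passes.
    """
    if not settings.get("Communication.CrimsonEnabled", True):
        return []
    findings = []
    if settings.get("Firewall.AllowAllIPs", False):
        findings.append("Firewall.AllowAllIPs is True: protocol port reachable from any address")
    allowed = settings.get("Firewall.AllowedIPs") or []
    if not allowed:
        findings.append("Firewall.AllowedIPs is missing or empty: no source restriction in place")
    for source in allowed:
        if source not in approved_sources:
            findings.append(f"Firewall.AllowedIPs contains unapproved source {source}")
    return findings


def audit_fleet(configs, approved_sources=APPROVED_SOURCES):
    """Map each device name to its findings, so one run covers every PLC in a configuration repository."""
    return {name: assess(parse_config(text), approved_sources) for name, text in configs.items()}


if __name__ == "__main__":
    fleet = {"plc-line1": BEFORE_CONFIG, "plc-line2": AFTER_CONFIG, "plc-line3": PARTIAL_CONFIG}
    for device, findings in audit_fleet(fleet).items():
        print(f"{device}: {'compliant' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print(f"  - {finding}")
```

The "Before" text produces two findings, the "After" text none, and the partially remediated text a single finding naming the unapproved address, which is the case a manual read of the allowlist most easily misses.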
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege access to limit the impact if the protocol is compromised.
- Practice 2: Network segmentation to isolate critical control systems from untrusted networks.
4.5 Automation (Optional)
# Example PowerShell script to check for open port 502 on multiple devices.
# Test-NetConnection with -InformationLevel Quiet returns $true only when the TCP connection succeeds.
$devices = @("192.168.1.1", "192.168.1.2")
foreach ($device in $devices) {
    if (Test-NetConnection -ComputerName $device -Port 502 -InformationLevel Quiet) {
        Write-Host "Port 502 open on $device: Crimson protocol may be enabled"
    } else {
        Write-Host "Port 502 not reachable on $device"
    }
}
5. Verification / Validation
Confirm the fix by checking that the protocol is no longer accessible from outside the trusted network.
- Post-fix check: Run `netstat -an | grep 502` again; port 502 should not be in a listening state, or should only respond to allowed IPs.
- Re-test: Re-run the Nessus scan (plugin ID 16879) and confirm it no longer reports the vulnerability.
- Smoke test: Verify that legitimate applications that still need to communicate with the PLC are functioning correctly.
- Monitoring: For example, alert on firewall log entries that show unexpected connections to port 502.
6. Preventive Measures and Monitoring
- Baselines: Update security baselines to include disabling unused protocols like Crimson.
- Pipelines: Implement configuration management tools to enforce secure settings across all PLCs.
- Asset and patch process: Establish a regular review cycle for PLC configurations to identify and address potential vulnerabilities.
7. Risks, Side Effects, and Roll Back
- Roll back: Restore the backed-up PLC configuration to revert any changes.
8. References and Resources
- Vendor advisory or bulletin: [https://www.redlion.net/support/crimson-protocol](https://www.redlion.net/support/crimson-protocol)
- NVD or CVE entry: No specific CVE is associated with this detection, but search for similar industrial control system vulnerabilities on the NVD website ([https://nvd.nist.gov/](https://nvd.nist.gov/)).
- Product or platform documentation relevant to the fix: [https://www.redlion.net/support/manuals-downloads](https://www.redlion.net/support/manuals-downloads)