// For flags

CVE-2019-10990

Red Lion Crimson Hard-coded Cryptographic Key Information Disclosure Vulnerability

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.

Red Lion Controls Crimson, versión 3.0 y anterior y versión 3.1 anterior a la publicación 3112.00, utiliza una contraseña embebida para encriptar archivos protegidos en tránsito y en reposo, lo que puede permitir a un atacante acceder a los archivos de configuración.

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Red Lion Crimson. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the CTextStreamMemory class. The class contains hard-coded secrets in clear text. An attacker can leverage this to decrypt user passwords.

*Credits: Michael DePlante, Anthony Fuller and Todd Manning of Trend Micro Zero Day Initiative/Trend Micro Research
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-04-08 CVE Reserved
  • 2019-09-05 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-798: Use of Hard-coded Credentials
CAPEC
References (1)
URL Tag Source
https://www.us-cert.gov/ics/advisories/icsa-19-248-01 Mitigation
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redlion
Search vendor "Redlion"
 Crimson
Search vendor "Redlion" for product "Crimson"
 <= 3.0
Search vendor "Redlion" for product "Crimson" and version " <= 3.0"
-
Affected
Redlion
Search vendor "Redlion"
 Crimson
Search vendor "Redlion" for product "Crimson"
 >= 3.1 < 3112.00
Search vendor "Redlion" for product "Crimson" and version " >= 3.1 < 3112.00"
-
Affected