CVE-2022-26516
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Summary
Authorized users may install a maliciously modified package file when updating the device via the web user interface. The user may inadvertently use a package file obtained from an unauthorized source or a file that was compromised between download and deployment.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Lion | DA50N | All | affected |
Weaknesses
- CWE-345: CWE-345 Insufficient Verification of Data Authenticity
Workarounds
Red Lion notes the DA50N series product is at end-of-life and does not intend to release a software update to address these vulnerabilities. Users are encouraged to apply workarounds and mitigations or upgrade their device to DA50A and DA70A.
Red Lion has provided the following workarounds to help mitigate the risk of these vulnerabilities:
Do not install image files that are obtained from sources other than the official Red Lion website. When downloading images from Red Lion’s website, ensure the validity of the server’s TLS certificate. If package files or images are to be stored before deployment, ensure they are stored in a secure manner. Minimize the risk of unauthorized installation via SD card by limiting physical access to the device. Ensure the default UI password is changed to one meeting standard security practices. Change the admin, rlcuser and techsup account passwords from their default values. Disable the SSH service and keep the telnet service disabled if they are not required. Do not re‐use the same password for securing multiple resources. Limit access to configuration files that contain valuable credentials. Ensure the use of secure credentials when configuring optional services. Enable only the minimum set of optional services required for the application.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.