CVE-2022-3090: 
NixOS vulnerability analysis and mitigation

Red Lion Controls Crimson software versions 3.0 (707.000 and prior), 3.1 (3126.001 and prior), and 3.2 (3.2.0044.0 and prior) are affected by a path traversal vulnerability identified as CVE-2022-3090. The vulnerability was discovered by Dragos and reported to Red Lion Controls, who subsequently reported it to CISA. This programming software is used for various controllers, HMIs, and modules across multiple critical infrastructure sectors worldwide (CISA Advisory).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability, identified as CWE-22. When attempting to open a file using a specific path, the user's password hash is sent to an arbitrary host. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating it is network accessible with low attack complexity and requires no privileges or user interaction (CISA Advisory).

Successful exploitation of this vulnerability could allow an attacker to obtain user credential hashes, potentially compromising system security. The vulnerability affects systems deployed worldwide across multiple critical infrastructure sectors (CISA Advisory).

Red Lion Controls has released patched versions and recommends updating to Crimson 3.0 version 711.00, Crimson 3.1 version 3126.02, or Crimson 3.2 version 3.0045 or later. Additional recommendations include avoiding opening files from outside the organization and verifying files come from trusted sources. CISA recommends minimizing network exposure for control system devices, isolating control system networks behind firewalls, and using secure methods like VPNs for remote access (CISA Advisory).