Severity

High

Analysis Summary

CVE-2019-14925

The affected products store and reads configuration settings from a file that has insecure world-readable permissions assigned. This could allow all users on the system to read the configuration file containing usernames and plain text password combinations, as well as other sensitive configuration information of the RTU.

CVE-2019-14926

Hard-coded SSH keys have been identified in the affected product’s firmware. As the secure keys cannot be regenerated by a user and are not regenerated on firmware updates, all deployed affected products utilize the same SSH keys.

CVE-2019-14927

It is possible to download the affected product’s configuration file, which contains sensitive data, through the URL.

CVE-2019-14928

The affected product’s web configuration software allows an authenticated user to inject malicious data into the application that can then be executed in a victim’s browser, allowing stored cross-site scripting.

CVE-2019-14929

The affected products store password credentials in plain text in a configuration file. An unauthenticated user can obtain the exposed password credentials to gain access to the specific services.

CVE-2019-14930

The affected products contain undocumented user accounts with hard-coded password credentials. An attacker could exploit this vulnerability by using the accounts to login to affected RTU’s.

CVE-2019-14931

The affected product allows an attacker to execute arbitrary commands due to the passing of unsafe user-supplied data to the system shell.

Impact

• Unauthorized Access
• Code Execution
• Credential Theft
• Cross-site Scripting

Affected Vendors

Mitsubishi Electric

Affected Products

• smartRTU and INEA ME-RTU: All firmware versions prior to Version 3.3

Remediation

Refer to ICS Advisory for the patch, upgrade, or suggested workaround information.