Details of VAR-201910-0803

ID

VAR-201910-0803

CVE

CVE-2019-14925

TITLE

Mitsubishi Electric ME-RTU Device and INEA ME-RTU Vulnerability in improper default permissions on device

Trust: 0.8

sources: JVNDB: JVNDB-2019-011341

DESCRIPTION

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment. Mitsubishi Electric ME-RTU Device and INEA ME-RTU A device contains a vulnerability regarding improper default permissions.Information may be obtained. Inea ME-RTU is an intelligent communication gateway product of Inea, Slovenia. There are security vulnerabilities in Mitsubishi Electric smartRTU 2.02 and earlier versions and INEA ME-RTU 3.0 and earlier versions. The vulnerabilities stem from the program assigning global readable permissions to the /usr/smartrtu/init/settings.xml file on the file system

Trust: 2.16

sources: NVD: CVE-2019-14925 // JVNDB: JVNDB-2019-011341 // CNVD: CNVD-2020-49319

IOT TAXONOMY

category:

['ICS', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-49319

AFFECTED PRODUCTS

vendor:	mitsubishielectric	model:	smartrtu	scope:	lte	version:	2.02	Trust: 1.0
vendor:	inea	model:	me-rtu	scope:	lte	version:	3.0	Trust: 1.0
vendor:	inea d o o	model:	me-rtu	scope:	-	version:	-	Trust: 0.8
vendor:	三菱電機	model:	smartrtu	scope:	-	version:	-	Trust: 0.8
vendor:	mitsubishi	model:	electric inea me-rtu	scope:	lte	version:	<=3.0	Trust: 0.6
vendor:	mitsubishi	model:	electric smartrtu	scope:	lte	version:	<=2.02	Trust: 0.6

sources: CNVD: CNVD-2020-49319 // JVNDB: JVNDB-2019-011341 // NVD: CVE-2019-14925

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-14925
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-14925
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-49319
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-1533
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2019-14925
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-49319
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-14925
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-14925
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-49319 // JVNDB: JVNDB-2019-011341 // CNNVD: CNNVD-201910-1533 // NVD: CVE-2019-14925

PROBLEMTYPE DATA

problemtype:	CWE-276	Trust: 1.0
problemtype:	Inappropriate default permissions (CWE-276) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-011341 // NVD: CVE-2019-14925

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1533

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201910-1533

PATCH

title:

ME RTU Mitsubishi Electric MITSUBISHI ELECTRIC AUTOMATION

url:

http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/

Trust: 0.8

sources: JVNDB: JVNDB-2019-011341

EXTERNAL IDS

db:	NVD	id:	CVE-2019-14925	Trust: 3.0
db:	ICS CERT	id:	ICSA-21-252-03	Trust: 1.4
db:	JVN	id:	JVNVU93054759	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011341	Trust: 0.8
db:	CNVD	id:	CNVD-2020-49319	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3043	Trust: 0.6
db:	CNNVD	id:	CNNVD-201910-1533	Trust: 0.6

sources: CNVD: CNVD-2020-49319 // JVNDB: JVNDB-2019-011341 // CNNVD: CNNVD-201910-1533 // NVD: CVE-2019-14925

REFERENCES

url:	https://www.mogozobo.com/?p=3593	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14925	Trust: 2.0
url:	https://www.mogozobo.com/	Trust: 1.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu93054759/	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.3043	Trust: 0.6

sources: CNVD: CNVD-2020-49319 // JVNDB: JVNDB-2019-011341 // CNNVD: CNNVD-201910-1533 // NVD: CVE-2019-14925

CREDITS

Mark Cross (@xerubus) reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-201910-1533

SOURCES

db:	CNVD	id:	CNVD-2020-49319
db:	JVNDB	id:	JVNDB-2019-011341
db:	CNNVD	id:	CNNVD-201910-1533
db:	NVD	id:	CVE-2019-14925

LAST UPDATE DATE

2024-11-23T21:36:35.203000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-49319	date:	2021-02-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-011341	date:	2021-09-14T05:58:00
db:	CNNVD	id:	CNNVD-201910-1533	date:	2021-09-10T00:00:00
db:	NVD	id:	CVE-2019-14925	date:	2024-11-21T04:27:41.697

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-49319	date:	2020-08-29T00:00:00
db:	JVNDB	id:	JVNDB-2019-011341	date:	2019-11-05T00:00:00
db:	CNNVD	id:	CNNVD-201910-1533	date:	2019-10-28T00:00:00
db:	NVD	id:	CVE-2019-14925	date:	2019-10-28T13:15:10.600