ID

VAR-201910-0804


CVE

CVE-2019-14926


TITLE

Mitsubishi Electric smartRTU and Inea ME-RTU Trust Management Issue Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-39934 // CNNVD: CNNVD-201910-1543

DESCRIPTION

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites. Mitsubishi Electric ME-RTU and INEA ME-RTU devices contain a vulnerability in the use of hard-coded credentials. Information may be obtained, information may be tampered with, and service may be disrupted (DoS). Inea ME-RTU is an intelligent communication gateway product from Inea Company of Slovenia. Mitsubishi Electric smartRTU 2.02 and earlier versions and INEA ME-RTU 3.0 and earlier versions have a trust management issue vulnerability. It originates from the fact that the private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key on the device can be obtained from the manufacturer's website. An attacker could use this vulnerability to gain unauthorized access or leak encrypted information.

Trust: 2.34

sources: NVD: CVE-2019-14926 // JVNDB: JVNDB-2019-011340 // CNVD: CNVD-2019-39934 // IVD: 00190957-34d4-4cf5-abe3-678c1536f5dd

IOT TAXONOMY

category: ['ICS', 'Network device'] sub_category: -

Trust: 0.6

category: ['ICS'] sub_category: -

Trust: 0.2

sources: IVD: 00190957-34d4-4cf5-abe3-678c1536f5dd // CNVD: CNVD-2019-39934

AFFECTED PRODUCTS

vendor: mitsubishielectric model: smartrtu scope: lte version: 2.02

Trust: 1.0

vendor: inea model: me-rtu scope: lte version: 3.0

Trust: 1.0

vendor: inea d o o model: me-rtu scope: - version: -

Trust: 0.8

vendor: 三菱電機 model: smartrtu scope: - version: -

Trust: 0.8

vendor: mitsubishi model: electric inea me-rtu scope: lte version: <=3.0

Trust: 0.6

vendor: mitsubishi model: electric mitsubishi electric smartrtu scope: lte version: <=2.02

Trust: 0.6

vendor: smartrtu model: - scope: eq version: *

Trust: 0.2

vendor: me rtu model: - scope: eq version: *

Trust: 0.2

sources: IVD: 00190957-34d4-4cf5-abe3-678c1536f5dd // CNVD: CNVD-2019-39934 // JVNDB: JVNDB-2019-011340 // NVD: CVE-2019-14926

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14926
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-14926
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-39934
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201910-1543
value: CRITICAL

Trust: 0.6

IVD: 00190957-34d4-4cf5-abe3-678c1536f5dd
value: CRITICAL

Trust: 0.2

nvd@nist.gov: CVE-2019-14926
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-39934
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 00190957-34d4-4cf5-abe3-678c1536f5dd
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-14926
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-14926
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 00190957-34d4-4cf5-abe3-678c1536f5dd // CNVD: CNVD-2019-39934 // JVNDB: JVNDB-2019-011340 // CNNVD: CNNVD-201910-1543 // NVD: CVE-2019-14926

PROBLEMTYPE DATA

problemtype: CWE-798

Trust: 1.0

problemtype: Using hardcoded credentials (CWE-798) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2019-011340 // NVD: CVE-2019-14926

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1543

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201910-1543

PATCH

title: ME RTU Mitsubishi Electric MITSUBISHI ELECTRIC AUTOMATION url: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/

Trust: 0.8

sources: JVNDB: JVNDB-2019-011340

EXTERNAL IDS

db: NVD id: CVE-2019-14926

Trust: 3.2

db: ICS CERT id: ICSA-21-252-03

Trust: 1.4

db: CNVD id: CNVD-2019-39934

Trust: 0.8

db: CNNVD id: CNNVD-201910-1543

Trust: 0.8

db: JVN id: JVNVU93054759

Trust: 0.8

db: JVNDB id: JVNDB-2019-011340

Trust: 0.8

db: AUSCERT id: ESB-2021.3043

Trust: 0.6

db: IVD id: 00190957-34D4-4CF5-ABE3-678C1536F5DD

Trust: 0.2

sources: IVD: 00190957-34d4-4cf5-abe3-678c1536f5dd // CNVD: CNVD-2019-39934 // JVNDB: JVNDB-2019-011340 // CNNVD: CNNVD-201910-1543 // NVD: CVE-2019-14926

REFERENCES

url: https://www.mogozobo.com/?p=3593

Trust: 3.0

url: https://nvd.nist.gov/vuln/detail/cve-2019-14926

Trust: 2.0

url: https://www.mogozobo.com/

Trust: 1.6

url: https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03

Trust: 1.4

url: https://jvn.jp/vu/jvnvu93054759/

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2021.3043

Trust: 0.6

sources: CNVD: CNVD-2019-39934 // JVNDB: JVNDB-2019-011340 // CNNVD: CNNVD-201910-1543 // NVD: CVE-2019-14926

CREDITS

Mark Cross (@xerubus) reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-201910-1543

SOURCES

db: IVD id: 00190957-34d4-4cf5-abe3-678c1536f5dd
db: CNVD id: CNVD-2019-39934
db: JVNDB id: JVNDB-2019-011340
db: CNNVD id: CNNVD-201910-1543
db: NVD id: CVE-2019-14926

LAST UPDATE DATE

2024-11-23T21:36:35.109000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2019-39934 date: 2019-11-11T00:00:00
db: JVNDB id: JVNDB-2019-011340 date: 2021-09-14T05:54:00
db: CNNVD id: CNNVD-201910-1543 date: 2021-09-10T00:00:00
db: NVD id: CVE-2019-14926 date: 2024-11-21T04:27:41.853

SOURCES RELEASE DATE

db: IVD id: 00190957-34d4-4cf5-abe3-678c1536f5dd date: 2019-11-11T00:00:00
db: CNVD id: CNVD-2019-39934 date: 2019-11-11T00:00:00
db: JVNDB id: JVNDB-2019-011340 date: 2019-11-05T00:00:00
db: CNNVD id: CNNVD-201910-1543 date: 2019-10-28T00:00:00
db: NVD id: CVE-2019-14926 date: 2019-10-28T13:15:10.697