ID

VAR-201910-0807


CVE

CVE-2019-14929


TITLE

Mitsubishi Electric ME-RTU and INEA ME-RTU devices: vulnerability regarding information leakage from cache on device

Trust: 0.8

sources: JVNDB: JVNDB-2019-011334

DESCRIPTION

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service. Mitsubishi Electric ME-RTU and INEA ME-RTU devices contain a vulnerability related to information leakage from the cache. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state. Inea ME-RTU is an intelligent communication gateway product from Inea Company of Slovenia. Mitsubishi Electric smartRTU 2.02 and earlier versions and INEA ME-RTU 3.0 and earlier versions have password plaintext storage vulnerabilities. The vulnerability stems from programs storing passwords in plain text. Access to services

Trust: 2.43

sources: NVD: CVE-2019-14929 // JVNDB: JVNDB-2019-011334 // CNVD: CNVD-2019-47029 // IVD: 16ea448f-672e-476c-81df-4e13eb269ff5 // VULMON: CVE-2019-14929

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.2

sources: IVD: 16ea448f-672e-476c-81df-4e13eb269ff5 // CNVD: CNVD-2019-47029

AFFECTED PRODUCTS

vendor: mitsubishielectric, model: smartrtu, scope: lte, version: 2.02

Trust: 1.0

vendor: inea, model: me-rtu, scope: lte, version: 3.0

Trust: 1.0

vendor: inea d o o, model: me-rtu, scope: -, version: -

Trust: 0.8

vendor: 三菱電機, model: smartrtu, scope: -, version: -

Trust: 0.8

vendor: mitsubishi, model: electric mitsubishi electric smartrtu, scope: lte, version: <=2.02

Trust: 0.6

vendor: inea, model: me-rtu, scope: lte, version: <=3.0

Trust: 0.6

vendor: smartrtu, model: -, scope: eq, version: *

Trust: 0.2

vendor: me rtu, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 16ea448f-672e-476c-81df-4e13eb269ff5 // CNVD: CNVD-2019-47029 // JVNDB: JVNDB-2019-011334 // NVD: CVE-2019-14929

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14929
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-14929
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-47029
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201910-1539
value: CRITICAL

Trust: 0.6

IVD: 16ea448f-672e-476c-81df-4e13eb269ff5
value: CRITICAL

Trust: 0.2

VULMON: CVE-2019-14929
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-14929
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-47029
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 16ea448f-672e-476c-81df-4e13eb269ff5
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-14929
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-14929
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 16ea448f-672e-476c-81df-4e13eb269ff5 // CNVD: CNVD-2019-47029 // VULMON: CVE-2019-14929 // JVNDB: JVNDB-2019-011334 // CNNVD: CNNVD-201910-1539 // NVD: CVE-2019-14929

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.0

problemtype: Inadequate protection of credentials (CWE-522) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2019-011334 // NVD: CVE-2019-14929

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1539

TYPE

other

Trust: 0.8

sources: IVD: 16ea448f-672e-476c-81df-4e13eb269ff5 // CNNVD: CNNVD-201910-1539

PATCH

title: ME RTU Mitsubishi Electric MITSUBISHI ELECTRIC AUTOMATION, url: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/

Trust: 0.8

sources: JVNDB: JVNDB-2019-011334

EXTERNAL IDS

db: NVD, id: CVE-2019-14929

Trust: 3.3

db: ICS CERT, id: ICSA-21-252-03

Trust: 1.4

db: CNVD, id: CNVD-2019-47029

Trust: 0.8

db: CNNVD, id: CNNVD-201910-1539

Trust: 0.8

db: JVN, id: JVNVU93054759

Trust: 0.8

db: JVNDB, id: JVNDB-2019-011334

Trust: 0.8

db: AUSCERT, id: ESB-2021.3043

Trust: 0.6

db: IVD, id: 16EA448F-672E-476C-81DF-4E13EB269FF5

Trust: 0.2

db: VULMON, id: CVE-2019-14929

Trust: 0.1

sources: IVD: 16ea448f-672e-476c-81df-4e13eb269ff5 // CNVD: CNVD-2019-47029 // VULMON: CVE-2019-14929 // JVNDB: JVNDB-2019-011334 // CNNVD: CNNVD-201910-1539 // NVD: CVE-2019-14929

REFERENCES

url:https://www.mogozobo.com/?p=3593

Trust: 3.1

url:https://www.mogozobo.com/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-14929

Trust: 1.4

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03

Trust: 1.4

url:https://jvn.jp/vu/jvnvu93054759/

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2021.3043

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/522.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2019-47029 // VULMON: CVE-2019-14929 // JVNDB: JVNDB-2019-011334 // CNNVD: CNNVD-201910-1539 // NVD: CVE-2019-14929

CREDITS

Mark Cross (@xerubus) reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-201910-1539

SOURCES

db: IVD, id: 16ea448f-672e-476c-81df-4e13eb269ff5
db: CNVD, id: CNVD-2019-47029
db: VULMON, id: CVE-2019-14929
db: JVNDB, id: JVNDB-2019-011334
db: CNNVD, id: CNNVD-201910-1539
db: NVD, id: CVE-2019-14929

LAST UPDATE DATE

2024-11-23T21:36:35.168000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-47029, date: 2019-12-26T00:00:00
db: VULMON, id: CVE-2019-14929, date: 2019-10-30T00:00:00
db: JVNDB, id: JVNDB-2019-011334, date: 2021-09-14T05:56:00
db: CNNVD, id: CNNVD-201910-1539, date: 2021-09-10T00:00:00
db: NVD, id: CVE-2019-14929, date: 2024-11-21T04:27:42.290

SOURCES RELEASE DATE

db: IVD, id: 16ea448f-672e-476c-81df-4e13eb269ff5, date: 2019-12-26T00:00:00
db: CNVD, id: CNVD-2019-47029, date: 2019-12-30T00:00:00
db: VULMON, id: CVE-2019-14929, date: 2019-10-28T00:00:00
db: JVNDB, id: JVNDB-2019-011334, date: 2019-11-05T00:00:00
db: CNNVD, id: CNNVD-201910-1539, date: 2019-10-28T00:00:00
db: NVD, id: CVE-2019-14929, date: 2019-10-28T13:15:10.897