Details of VAR-201910-0808

ID

VAR-201910-0808

CVE

CVE-2019-14930

TITLE

Mitsubishi Electric ME-RTU Device and INEA ME-RTU Vulnerability in using hard-coded credentials on devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-011333

DESCRIPTION

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.). Mitsubishi Electric ME-RTU Device and INEA ME-RTU A device contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Inea ME-RTU is an intelligent communication gateway product from Inea Company of Slovenia. The vulnerability originates from a program with an undocumented account (using hard-coded credentials). An attacker could exploit this vulnerability to Elevated to root

Trust: 2.34

sources: NVD: CVE-2019-14930 // JVNDB: JVNDB-2019-011333 // CNVD: CNVD-2019-47031 // IVD: 5d9e3906-45af-46cf-8eb3-1db53e8e8b48

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 5d9e3906-45af-46cf-8eb3-1db53e8e8b48 // CNVD: CNVD-2019-47031

AFFECTED PRODUCTS

vendor:	mitsubishielectric	model:	smartrtu	scope:	lte	version:	2.02	Trust: 1.0
vendor:	inea	model:	me-rtu	scope:	lte	version:	3.0	Trust: 1.0
vendor:	inea d o o	model:	me-rtu	scope:	-	version:	-	Trust: 0.8
vendor:	三菱電機	model:	smartrtu	scope:	-	version:	-	Trust: 0.8
vendor:	mitsubishi	model:	electric mitsubishi electric smartrtu	scope:	lte	version:	<=2.02	Trust: 0.6
vendor:	inea	model:	me-rtu	scope:	lte	version:	<=3.0	Trust: 0.6
vendor:	smartrtu	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	me rtu	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 5d9e3906-45af-46cf-8eb3-1db53e8e8b48 // CNVD: CNVD-2019-47031 // JVNDB: JVNDB-2019-011333 // NVD: CVE-2019-14930

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-14930
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-14930
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-47031
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201910-1541
value:	CRITICAL
Trust: 0.6
IVD:	5d9e3906-45af-46cf-8eb3-1db53e8e8b48
value:	CRITICAL
Trust: 0.2

nvd@nist.gov:	CVE-2019-14930
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-47031
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	5d9e3906-45af-46cf-8eb3-1db53e8e8b48
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-14930
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-14930
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 5d9e3906-45af-46cf-8eb3-1db53e8e8b48 // CNVD: CNVD-2019-47031 // JVNDB: JVNDB-2019-011333 // CNNVD: CNNVD-201910-1541 // NVD: CVE-2019-14930

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.0
problemtype:	Using hardcoded credentials (CWE-798) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-011333 // NVD: CVE-2019-14930

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1541

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201910-1541

PATCH

title:

ME RTU Mitsubishi Electric MITSUBISHI ELECTRIC AUTOMATION

url:

http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/

Trust: 0.8

sources: JVNDB: JVNDB-2019-011333

EXTERNAL IDS

db:	NVD	id:	CVE-2019-14930	Trust: 3.2
db:	ICS CERT	id:	ICSA-21-252-03	Trust: 1.4
db:	CNVD	id:	CNVD-2019-47031	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-1541	Trust: 0.8
db:	JVN	id:	JVNVU93054759	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011333	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.3043	Trust: 0.6
db:	IVD	id:	5D9E3906-45AF-46CF-8EB3-1DB53E8E8B48	Trust: 0.2

sources: IVD: 5d9e3906-45af-46cf-8eb3-1db53e8e8b48 // CNVD: CNVD-2019-47031 // JVNDB: JVNDB-2019-011333 // CNNVD: CNNVD-201910-1541 // NVD: CVE-2019-14930

REFERENCES

url:	https://www.mogozobo.com/?p=3593	Trust: 3.0
url:	https://www.mogozobo.com/	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14930	Trust: 1.4
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu93054759/	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.3043	Trust: 0.6

sources: CNVD: CNVD-2019-47031 // JVNDB: JVNDB-2019-011333 // CNNVD: CNNVD-201910-1541 // NVD: CVE-2019-14930

CREDITS

Mark Cross (@xerubus) reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-201910-1541

SOURCES

db:	IVD	id:	5d9e3906-45af-46cf-8eb3-1db53e8e8b48
db:	CNVD	id:	CNVD-2019-47031
db:	JVNDB	id:	JVNDB-2019-011333
db:	CNNVD	id:	CNNVD-201910-1541
db:	NVD	id:	CVE-2019-14930

LAST UPDATE DATE

2024-11-23T21:36:35.230000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-47031	date:	2019-12-26T00:00:00
db:	JVNDB	id:	JVNDB-2019-011333	date:	2021-09-14T05:56:00
db:	CNNVD	id:	CNNVD-201910-1541	date:	2021-09-10T00:00:00
db:	NVD	id:	CVE-2019-14930	date:	2024-11-21T04:27:42.437

SOURCES RELEASE DATE

db:	IVD	id:	5d9e3906-45af-46cf-8eb3-1db53e8e8b48	date:	2019-12-26T00:00:00
db:	CNVD	id:	CNVD-2019-47031	date:	2019-12-26T00:00:00
db:	JVNDB	id:	JVNDB-2019-011333	date:	2019-11-05T00:00:00
db:	CNNVD	id:	CNNVD-201910-1541	date:	2019-10-28T00:00:00
db:	NVD	id:	CVE-2019-14930	date:	2019-10-28T13:15:10.993