Sign-up

ID

VAR-201910-0809


CVE

CVE-2019-14931


TITLE

Mitsubishi Electric smartRTU and Inea ME-RTU operating system command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-47030 // CNNVD: CNNVD-201910-1535

DESCRIPTION

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data. Mitsubishi Electric ME-RTU Device and INEA ME-RTU The device has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Inea ME-RTU is an intelligent communication gateway product from Inea Company of Slovenia

Trust: 2.34

sources: NVD: CVE-2019-14931 // JVNDB: JVNDB-2019-011332 // CNVD: CNVD-2019-47030 // IVD: f02890ea-3539-428b-8fd0-c4d3f5bcf918

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: f02890ea-3539-428b-8fd0-c4d3f5bcf918 // CNVD: CNVD-2019-47030

AFFECTED PRODUCTS

vendor:mitsubishielectricmodel:smartrtuscope:lteversion:2.02

Trust: 1.0

vendor:ineamodel:me-rtuscope:lteversion:3.0

Trust: 1.0

vendor:inea d o omodel:me-rtuscope: - version: -

Trust: 0.8

vendor:三菱電機model:smartrtuscope: - version: -

Trust: 0.8

vendor:mitsubishimodel:electric mitsubishi electric smartrtuscope:lteversion:<=2.02

Trust: 0.6

vendor:smartrtumodel: - scope:eqversion:*

Trust: 0.2

vendor:me rtumodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: f02890ea-3539-428b-8fd0-c4d3f5bcf918 // CNVD: CNVD-2019-47030 // JVNDB: JVNDB-2019-011332 // NVD: CVE-2019-14931

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14931
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-14931
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-47030
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201910-1535
value: CRITICAL

Trust: 0.6

IVD: f02890ea-3539-428b-8fd0-c4d3f5bcf918
value: CRITICAL

Trust: 0.2

nvd@nist.gov: CVE-2019-14931
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-47030
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: f02890ea-3539-428b-8fd0-c4d3f5bcf918
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-14931
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-14931
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: f02890ea-3539-428b-8fd0-c4d3f5bcf918 // CNVD: CNVD-2019-47030 // JVNDB: JVNDB-2019-011332 // CNNVD: CNNVD-201910-1535 // NVD: CVE-2019-14931

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2019-011332 // NVD: CVE-2019-14931

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1535

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201910-1535

PATCH

title:ME RTU Mitsubishi Electric MITSUBISHI ELECTRIC AUTOMATIONurl:http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/

Trust: 0.8

sources: JVNDB: JVNDB-2019-011332

EXTERNAL IDS

db:NVDid:CVE-2019-14931

Trust: 3.2

db:ICS CERTid:ICSA-21-252-03

Trust: 1.4

db:CNVDid:CNVD-2019-47030

Trust: 0.8

db:CNNVDid:CNNVD-201910-1535

Trust: 0.8

db:JVNid:JVNVU93054759

Trust: 0.8

db:JVNDBid:JVNDB-2019-011332

Trust: 0.8

db:CXSECURITYid:WLB-2019080056

Trust: 0.6

db:AUSCERTid:ESB-2021.3043

Trust: 0.6

db:IVDid:F02890EA-3539-428B-8FD0-C4D3F5BCF918

Trust: 0.2

sources: IVD: f02890ea-3539-428b-8fd0-c4d3f5bcf918 // CNVD: CNVD-2019-47030 // JVNDB: JVNDB-2019-011332 // CNNVD: CNNVD-201910-1535 // NVD: CVE-2019-14931

REFERENCES

url:https://www.mogozobo.com/?p=3593

Trust: 2.4

url:https://www.mogozobo.com/

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-14931

Trust: 1.4

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03

Trust: 1.4

url:https://jvn.jp/vu/jvnvu93054759/

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14931

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2019080056

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3043

Trust: 0.6

sources: CNVD: CNVD-2019-47030 // JVNDB: JVNDB-2019-011332 // CNNVD: CNNVD-201910-1535 // NVD: CVE-2019-14931

CREDITS

Mark Cross (@xerubus) reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-201910-1535

SOURCES

db:IVDid:f02890ea-3539-428b-8fd0-c4d3f5bcf918
db:CNVDid:CNVD-2019-47030
db:JVNDBid:JVNDB-2019-011332
db:CNNVDid:CNNVD-201910-1535
db:NVDid:CVE-2019-14931

LAST UPDATE DATE

2024-11-23T21:36:35.261000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-47030date:2019-12-26T00:00:00
db:JVNDBid:JVNDB-2019-011332date:2021-09-14T05:47:00
db:CNNVDid:CNNVD-201910-1535date:2021-09-10T00:00:00
db:NVDid:CVE-2019-14931date:2024-11-21T04:27:42.573

SOURCES RELEASE DATE

db:IVDid:f02890ea-3539-428b-8fd0-c4d3f5bcf918date:2019-12-26T00:00:00
db:CNVDid:CNVD-2019-47030date:2019-12-26T00:00:00
db:JVNDBid:JVNDB-2019-011332date:2019-11-05T00:00:00
db:CNNVDid:CNNVD-201910-1535date:2019-10-28T00:00:00
db:NVDid:CVE-2019-14931date:2019-10-28T13:15:11.053