ICS Alert

Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A)

Last Revised
Alert Code
ICS-ALERT-19-225-01

Description

This updated alert is a follow-up to the original alert titled ICS-ALERT-19-225-01 Mitsubishi Electric smartRTU and INEA ME-RTU that was published August 13, 2019, on the ICS webpage on us-cert.gov. CISA is aware of a public report of a proof-of-concept (PoC) exploit code vulnerability affecting Mitsubishi Electric smartRTU devices. According to this report, there are multiple vulnerabilities that could result in remote code execution with root privileges. CISA is issuing this alert to provide early notice of the report.

1    EXECUTIVE SUMMARY

--------- Begin Update A ---------

CISA is aware of a public report of vulnerabilities with proof-of-concept (PoC) exploit code affecting Mitsubishi Electric Europe B.V. smartRTU (Versions 2.02 and prior) and INEA ME-RTU (Versions 3.0 and prior), remote terminal unit products. According to this report, there are multiple vulnerabilities that could be exploited to gain remote code execution with root privileges. CISA has notified Mitsubishi Electric Europe B.V. of the report and has asked them to confirm the vulnerabilities and identify mitigations. CISA is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

--------- End Update A ---------

The report included vulnerability details and PoC exploit code for the following vulnerabilities:

Vulnerability Type Exploitable Remotely Impact
OS command injection Yes Possible remote code execution with admin privileges 
Improper access control Yes Possible remote code execution with admin privileges 
Stored cross-site scripting Yes Possible to run arbitrary code on the client target system
Hard-coded cryptographic keys Yes Possible unauthorized access/disclosure of encrypted data
Hard-coded credentials Yes Possible unauthorized access/execution of admin commands
Plaintext password storage Yes Possible disclosure of usernames and plaintext passwords
Incorrect default permissions No Possible disclosure of usernames and plaintext passwords by a logged in user

 

Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution with root privileges.Please report any issues affecting control systems in critical infrastructure environments to CISA.

Researcher with the handle Xerubus reported these vulnerabilities to CISA. Researcher followed a 45-day disclosure policy. 

Researcher’s PoC and report have been published at the following link: https://www.mogozobo.com/?p=3593

2    MITIGATIONS

CISA is currently coordinating with the vendor and security researcher to identify mitigations.

Researcher has recommended the following workaround mitigations until an official fix is available:

  • Ensure devices have appropriate controls to protect the devices from unauthorized network access.
  • Ensure the devices are not exposed or accessible from the Internet.
  • Ensure devices are not exposed or accessible from the corporate or other untrusted networks.
  • Initiate change control and test processes once patches are released by the vendor.  If unable to patch, ensure appropriate controls and logging capability are in place for vulnerable devices.

CISA recommends: 

  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

Mitsubishi Electric