There is a public report of vulnerabilities, with proof-of-concept (PoC) exploit code, affecting Mitsubishi Electric smartRTU (Versions 2.02 and prior) and INEA ME-RTU (Versions 3.0 and prior) remote terminal unit products, according to an alert from CISA.
The report describes multiple vulnerabilities that could be exploited to gain remote code execution with root privileges.
CISA notified Mitsubishi Electric of the report and has asked the company to confirm the vulnerabilities and identify mitigations. CISA issued an alert to provide early notice and identify baseline mitigations for reducing the risk of these and other cybersecurity attacks.
All of the following vulnerabilities are remotely exploitable except the incorrect default permissions issue:
• OS command injection, which could lead to possible remote code execution with admin privileges
• Improper access control, which could lead to possible remote code execution with admin privileges
• Stored cross-site scripting, which could lead to possible execution of arbitrary code on the client target system; remotely exploitable
• Hard-coded cryptographic keys, which could lead to possible unauthorized access/disclosure of encrypted data
• Hard-coded credentials, which could lead to possible unauthorized access/execution of admin commands
• Plaintext password storage, which could lead to possible disclosure of usernames and plaintext passwords
• Incorrect default permissions, which could lead to possible disclosure of usernames and plaintext passwords by a logged-in user; not remotely exploitable
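Two of the classes above, OS command injection and plaintext password storage, are defects that show up in device management code of any vendor. The following added example (not code from the advisory, the researcher, or either vendor) contrasts the vulnerable pattern with a hardened form for each: a hypothetical "ping a peer" handler that interpolates operator input into a shell string versus one that allow-lists the value and passes it as a single argv element with no shell, and a credential store that keeps plaintext versus one that keeps a salted PBKDF2 hash. All names, the regex, and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import re
import subprocess

# Allow-list for the hypothetical "host" form field: must start with an
# alphanumeric (so it can never be parsed as an option such as "-f") and may
# then contain only hostname characters. Shell metacharacters (; | & $ ` space)
# are rejected outright rather than escaped.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_ping_command_unsafe(host: str) -> str:
    """The injection-prone pattern: untrusted input concatenated into a string
    that is destined for a shell (system()/shell=True). Anything after a ';'
    in `host` would become a second command. Returned only for comparison;
    nothing here executes it."""
    return f"ping -c 1 {host}"


def build_ping_command_safe(host: str) -> list:
    """Hardened form: validate against the allow-list and return an argv list,
    so the value is always exactly one argument and no shell ever parses it."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("host contains characters outside the allow-list")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened command with shell=False and a timeout.
    Not called by the tests; shown for the call shape only."""
    argv = build_ping_command_safe(host)
    proc = subprocess.run(argv, shell=False, capture_output=True, timeout=5)
    return proc.returncode


# --- credential storage -------------------------------------------------
_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example


def store_plaintext_unsafe(username: str, password: str) -> str:
    """The advisory's 'plaintext password storage' class: anyone who can read
    the file (or a config backup) recovers every credential."""
    return f"{username}:{password}"


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened form: random per-user salt plus a slow KDF; the stored string
    carries the algorithm tag and salt so verification is self-describing."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), _ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

The allow-list rejects a leading hyphen as well as shell metacharacters because, once the shell is removed, the remaining way to abuse an argv element is to have it read as an option of the target program; `verify_password` returns `False` on a malformed record rather than raising, so a corrupted or legacy plaintext entry fails closed.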
Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution with root privileges.
A researcher with the handle Xerubus reported these vulnerabilities to CISA and published the PoC and report.
CISA is currently coordinating with the vendor and security researcher to identify mitigations.
Xerubus recommended the following workaround mitigations until an official fix is available:
• Ensure devices have appropriate controls to protect the devices from unauthorized network access.
• Ensure the devices are not exposed or accessible from the Internet.
• Ensure devices are not exposed or accessible from the corporate or other untrusted networks.
• Initiate change control and test processes once patches are released by the vendor. If unable to patch, ensure appropriate controls and logging capability are in place for vulnerable devices.
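The first three workarounds amount to one check: no firewall rule may allow traffic to an RTU management address from the Internet, the corporate network, or any other network outside the OT zone. The following added example (not part of the advisory or either vendor's tooling) audits an exported allow-rule list against an RTU inventory using only the standard `ipaddress` module. The zone ranges, the inventory, and the sample rules are constructed for this example; in practice they would come from the IPAM and the firewall's rule export.

```python
import ipaddress
from collections import defaultdict

# Constructed zone definitions (hypothetical addressing, not from the advisory).
# OT is checked before corporate because the OT /16 sits inside the corporate /8.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical RTU inventory: device name -> management address.
RTU_INVENTORY = {
    "rtu-substation-01": "10.50.1.10",
    "rtu-substation-02": "10.50.1.11",
}

# Hypothetical firewall allow rules as (source_cidr, destination_cidr, dst_port).
SAMPLE_RULES = [
    ("10.50.0.0/16", "10.50.1.0/24", 443),   # OT engineering hosts -> RTU web UI: expected
    ("10.20.0.0/16", "10.50.1.10/32", 22),   # corporate range -> RTU-01 ssh: violation
    ("0.0.0.0/0", "10.50.1.11/32", 80),      # any source -> RTU-02 web UI: Internet exposure
    ("10.50.2.0/24", "10.60.0.0/16", 502),   # OT -> non-RTU range: irrelevant to this check
]


def classify_source(src_cidr: str) -> str:
    """Map a rule's source range to 'ot', 'corporate', or 'untrusted' (anything
    else, including 0.0.0.0/0 and third-party ranges)."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    if any(net.subnet_of(ot) for ot in OT_NETWORKS):
        return "ot"
    if any(net.subnet_of(corp) for corp in CORPORATE_NETWORKS):
        return "corporate"
    return "untrusted"


def exposed_devices(rules, inventory) -> dict:
    """Return {device_name: [(zone, source_cidr, port), ...]} for every allow
    rule whose destination covers an RTU address and whose source is not OT."""
    findings = defaultdict(list)
    for src, dst, port in rules:
        zone = classify_source(src)
        if zone == "ot":
            continue
        dst_net = ipaddress.ip_network(dst, strict=False)
        for name, addr in inventory.items():
            if ipaddress.ip_address(addr) in dst_net:
                findings[name].append((zone, src, port))
    return dict(findings)


def report(findings: dict) -> list:
    """Human-readable lines, one per offending rule, for the change ticket."""
    lines = []
    for name in sorted(findings):
        for zone, src, port in findings[name]:
            lines.append(f"{name}: reachable on tcp/{port} from {src} ({zone} zone)")
    return lines


if __name__ == "__main__":
    for line in report(exposed_devices(SAMPLE_RULES, RTU_INVENTORY)):
        print(line)
```

A source range that straddles zones (for example a bare `10.0.0.0/8`) is classified as corporate, not OT, so it is reported; that is the intended fail-closed behaviour, since such a rule also admits corporate hosts.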