VAR-201910-0804
Vulnerability from variot - Updated: 2023-12-18 12:50An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites. Mitsubishi Electric ME-RTU Device and INEA ME-RTU A device contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Inea ME-RTU is an intelligent communication gateway product from Inea Company of Slovenia.
Mitsubishi Electric smartRTU 2.02 and earlier versions and INEA ME-RTU 3.0 and earlier versions have a trust management issue vulnerability that originates from the device in / etc / ssh / ssh_host_rsa_key, / etc / ssh / ssh_host_ecdsa_key, and / etc / ssh / ssh_host_dsa_key The private key value in can be accessed through the manufacturer's website, and an attacker could use this vulnerability to gain unauthorized access or leak encrypted information
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201910-0804",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "me-rtu",
"scope": "lte",
"trust": 1.0,
"vendor": "inea",
"version": "3.0"
},
{
"model": "smartrtu",
"scope": "lte",
"trust": 1.0,
"vendor": "mitsubishielectric",
"version": "2.02"
},
{
"model": "me-rtu",
"scope": null,
"trust": 0.8,
"vendor": "inea d o o",
"version": null
},
{
"model": "smartrtu",
"scope": null,
"trust": 0.8,
"vendor": "\u4e09\u83f1\u96fb\u6a5f",
"version": null
},
{
"model": "electric inea me-rtu",
"scope": "lte",
"trust": 0.6,
"vendor": "mitsubishi",
"version": "\u003c=3.0"
},
{
"model": "electric mitsubishi electric smartrtu",
"scope": "lte",
"trust": 0.6,
"vendor": "mitsubishi",
"version": "\u003c=2.02"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "smartrtu",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "me rtu",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
},
{
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"db": "NVD",
"id": "CVE-2019-14926"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:mitsubishielectric:smartrtu_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:mitsubishielectric:smartrtu:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:inea:me-rtu_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:inea:me-rtu:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14926"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mark Cross (@xerubus) reported these vulnerabilities to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
],
"trust": 0.6
},
"cve": "CVE-2019-14926",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2019-14926",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-39934",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-14926",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-14926",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2019-39934",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201910-1543",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd",
"trust": 0.2,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
},
{
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"db": "NVD",
"id": "CVE-2019-14926"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites. Mitsubishi Electric ME-RTU Device and INEA ME-RTU A device contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Inea ME-RTU is an intelligent communication gateway product from Inea Company of Slovenia. \n\nMitsubishi Electric smartRTU 2.02 and earlier versions and INEA ME-RTU 3.0 and earlier versions have a trust management issue vulnerability that originates from the device in / etc / ssh / ssh_host_rsa_key, / etc / ssh / ssh_host_ecdsa_key, and / etc / ssh / ssh_host_dsa_key The private key value in can be accessed through the manufacturer\u0027s website, and an attacker could use this vulnerability to gain unauthorized access or leak encrypted information",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14926"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-14926",
"trust": 3.2
},
{
"db": "ICS CERT",
"id": "ICSA-21-252-03",
"trust": 1.4
},
{
"db": "CNVD",
"id": "CNVD-2019-39934",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1543",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU93054759",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011340",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2021.3043",
"trust": 0.6
},
{
"db": "IVD",
"id": "00190957-34D4-4CF5-ABE3-678C1536F5DD",
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
},
{
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"db": "NVD",
"id": "CVE-2019-14926"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
]
},
"id": "VAR-201910-0804",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
},
{
"db": "CNVD",
"id": "CNVD-2019-39934"
}
],
"trust": 1.6627451
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
},
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
},
{
"db": "CNVD",
"id": "CNVD-2019-39934"
}
]
},
"last_update_date": "2023-12-18T12:50:01.387000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "ME\u00a0RTU Mitsubishi Electric MITSUBISHI\u00a0ELECTRIC\u00a0AUTOMATION",
"trust": 0.8,
"url": "http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-798",
"trust": 1.0
},
{
"problemtype": "Using hardcoded credentials (CWE-798) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"db": "NVD",
"id": "CVE-2019-14926"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://www.mogozobo.com/?p=3593"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14926"
},
{
"trust": 1.6,
"url": "https://www.mogozobo.com/"
},
{
"trust": 1.4,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu93054759/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3043"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"db": "NVD",
"id": "CVE-2019-14926"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
},
{
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"db": "NVD",
"id": "CVE-2019-14926"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-11-11T00:00:00",
"db": "IVD",
"id": "00190957-34d4-4cf5-abe3-678c1536f5dd"
},
{
"date": "2019-11-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"date": "2019-11-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"date": "2019-10-28T13:15:10.697000",
"db": "NVD",
"id": "CVE-2019-14926"
},
{
"date": "2019-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-11-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"date": "2021-09-14T05:54:00",
"db": "JVNDB",
"id": "JVNDB-2019-011340"
},
{
"date": "2019-10-30T18:04:46.323000",
"db": "NVD",
"id": "CVE-2019-14926"
},
{
"date": "2021-09-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mitsubishi Electric smartRTU and Inea ME-RTU Trust Management Issue Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39934"
},
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201910-1543"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…