CVE-2019-14931 - OpenCVE

An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Inea	Me-rtu Me-rtu Firmware
Mitsubishielectric	Smartrtu Smartrtu Firmware

Configuration 1 [-]

AND

cpe:2.3:o:mitsubishielectric:smartrtu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:smartrtu:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:inea:me-rtu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:inea:me-rtu:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.mogozobo.com/	Third Party Advisory
https://www.mogozobo.com/?p=3593	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-10-28T12:07:23

Updated: 2019-10-28T12:07:31

Reserved: 2019-08-10T00:00:00

Link: CVE-2019-14931

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-10-28T13:15:11.053

Modified: 2019-10-30T17:49:37.080

Link: CVE-2019-14931

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-28T12:07:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mogozobo.com/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mogozobo.com/?p=3593"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14931", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.mogozobo.com/", "refsource": "MISC", "url": "https://www.mogozobo.com/"}, {"name": "https://www.mogozobo.com/?p=3593", "refsource": "MISC", "url": "https://www.mogozobo.com/?p=3593"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14931", "datePublished": "2019-10-28T12:07:23", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2019-10-28T12:07:31", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:smartrtu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "62D6CAA7-11E1-4DF2-A9BD-EC71AE7CD166", "versionEndIncluding": "2.02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:smartrtu:-:*:*:*:*:*:*:*", "matchCriteriaId": "1EF90DA0-55C7-4765-9DEE-80145752961D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:inea:me-rtu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDC6C049-B15B-4FC2-9DDF-915381E6D114", "versionEndIncluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:inea:me-rtu:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD7F8299-4A9C-4B93-A35A-68C6D43855CC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta las versi\u00f3n 2.02 y los dispositivos INEA ME-RTU versiones hasta la versi\u00f3n 3.0. Una vulnerabilidad de inyecci\u00f3n de comandos de Sistema Operativo remota no autenticada permite a un atacante ejecutar comandos arbitrarios en la RTU debido al paso de datos no seguros suministrados por el usuario hacia el shell del sistema de la RTU. Una funcionalidad en el archivo mobile.php provee a usuarios la capacidad de hacer ping a sitios o direcciones IP por medio de Mobile Connection Test. Cuando la Mobile Connection Test es enviada, se llama al archivo action.php para ejecutar la prueba. Un atacante puede utilizar un separador de comandos de shell (;) en la variable del host para ejecutar comandos del sistema operativo sobre el env\u00edo de los datos de prueba."}], "id": "CVE-2019-14931", "lastModified": "2019-10-30T17:49:37.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-28T13:15:11.053", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.mogozobo.com/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.mogozobo.com/?p=3593"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}