CVE-2019-14929

An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service.

CVSS v3 9.8 CRITICAL
CVSS v2.0 5.0 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.mogozobo.com/	Third Party Advisory
https://www.mogozobo.com/?p=3593	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:mitsubishielectric:smartrtu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:smartrtu:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:inea:me-rtu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:inea:me-rtu:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-10-28 13:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-14929

Mitre link : CVE-2019-14929

CVE.ORG link : CVE-2019-14929

JSON object : View

Products Affected

inea

me-rtu_firmware
me-rtu

mitsubishielectric

smartrtu
smartrtu_firmware

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2019-14929", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-10-28T13:15:10.897", "references": [{"url": "https://www.mogozobo.com/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.mogozobo.com/?p=3593", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta 2.02 y los dispositivos INEA ME-RTU versiones hasta 3.0. Las contrase\u00f1as de texto sin cifrar almacenadas podr\u00edan permitir a un atacante no autenticado obtener combinaciones de nombre de usuario y contrase\u00f1a configuradas en la RTU debido a una gesti\u00f3n de credenciales d\u00e9biles en la RTU. Un usuario no autenticado puede obtener las credenciales de contrase\u00f1a expuestas para conseguir acceso a los siguientes servicios: servicio DDNS, Mobile Network Provider y servicio OpenVPN."}], "lastModified": "2019-10-30T17:52:38.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:smartrtu_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62D6CAA7-11E1-4DF2-A9BD-EC71AE7CD166", "versionEndIncluding": "2.02"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:smartrtu:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1EF90DA0-55C7-4765-9DEE-80145752961D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:inea:me-rtu_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDC6C049-B15B-4FC2-9DDF-915381E6D114", "versionEndIncluding": "3.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:inea:me-rtu:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FD7F8299-4A9C-4B93-A35A-68C6D43855CC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}