(CVE-2019-14925 -> CVE-2019-14931) Mitsubishi Electric & INEA RTU Multiple Vulnerabilities

#-------------------------------------------------------
# Multiple Vulnerabilities
# Mitsubishi Electric smartRTU & INEA ME-RTU
# Working exploits: Yes
# Public Disclosure Date: 13 August 2019
# CVE-IDs: CVE-2019-14925 -> CVE-2019-14931 (7 CVE-IDs)
# Author: Mark Cross (@xerubus | mogozobo.com)
#-------------------------------------------------------

====================
Summary
====================

Product: Mitsubishi Electric smartRTU & INEA ME-RTU
Version: Latest version of firmware (Mitsubishi Electric 2.02 & INEA 3.0) and prior
Vendor: Mitsubishi Electric / INEA
CVE-IDs: CVE-2019-14925 -> CVE-2019-14931 (7 CVE-IDs)

Mitsubishi Electric’s smartRTU “addresses requirements for 100% reliable remote surveillance and control of distributed assets, even in extreme climates. With powerful functions like diagnostics, alarm and event-storage and time trend data buffering, it meets the challenges of managing massively distributed assets such as data security, interfacing issues, data continuity and reliable communications. Mitsubishi Electric‘s smartRTU combines the needs of a large number of industries into a single device that is simpler than conventional RTUs, yet provides powerful capabilities that can be easily deployed and administered, even by staff with low skill levels. The smartRTU is scalable from a handful of sites to many hundreds with remote configuration management.”

Further information can be found at the following URLs:

The following vulnerabilities have been discovered in Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0:

  1. Unauthenticated OS Command Injection (CVE-2019-14931)
  2. Unauthenticated Download of Configuration File (CVE-2019-14927)
  3. Stored Cross-site Script (XSS) (CVE-2019-14928)
  4. Use of Hard-coded Cryptographic Keys (CVE-2019-14926)
  5. Hard-coded User Passwords (CVE-2019-14930)
  6. Plaintext Password Storage (CVE-2019-14929)
  7. World-readable Configuration File (CVE-2019-14925)

It is important to note that Mitsubishi Electric and INEA were unable to provide mitigations for the identified vulnerabilities during the 45 day disclosure period. If you currently utilise Mitsubishi Electric smartRTUs or INEA ME-RTUs in your environment, consider the following workarounds:

  • Ensure the RTUs have appropriate controls to protect the devices from unauthorized network access;
  • Ensure the RTUs are not exposed or accessible from the Internet;
  • Ensure the RTUs are not exposed or accessible from corporate or other untrusted networks;
  • Initiate change control and test processes once patches are released by the vendor. If unable to patch, ensure appropriate controls and logging capability are in place for vulnerable devices.

====================
Disclosure Timeline
====================

27 June 2019
– Vulnerabilities discovered. Further testing commenced.

29 June 2019
– I disclosed vulnerabilities to ICS-CERT <ics-cert@hq.dhs.gov> via PGP encrypted email. Receipt of email requested.
– 45 day disclosure time advised and commenced (13 August 2019).

30 June 2019
– I disclosed to ICS-CERT <ics-cert@hq.dhs.gov> via PGP encrypted email that INEA’s firmware version 3.0 is also affected by the same vulnerabilities.

03 July 2019
– I re-sent disclosure to ICS-CERT <ics-cert@hq.dhs.gov> requesting a response that they have received the details. Advised that I will be going to full disclosure should no response occur.

04 July 2019
– GRP-CSOC <csoc@inl.gov> emailed advising ticket ICS-VU-016907 has been assigned to this case.

16 July 2019
– GRP-CSOC <csoc@inl.gov> emailed advising that contact was established with the vendor and the report was sent to them.

23 July 2019
– I requested an update due to disclosure date getting close.
– GRP-CSOC <csoc@inl.gov> advised they have requested an update from the vendor.

07 August 2019
– GRP-CSOC <csoc@inl.gov> advised that Mitsubishi have requested an extension to the disclosure date.
– I advised that it has been 37 days since the original disclosure and that, with full disclosure set for 6 days’ time, it is unreasonable to be requesting an extension to the disclosure period so late in the process. I will be disclosing these vulnerabilities on 13/08/19 (AEST) as originally advised.
– GRP-CSOC <csoc@inl.gov> advised they will issue an alert on the disclosure date.
– I provided GRP-CSOC with risk mitigation steps for their alert.

10 August 2019
– GRP-CSOC <csoc@inl.gov> advised that I will need to seek CVE-IDs from Mitre.
– GRP-CSOC <csoc@inl.gov> provided a draft alert for comment.
– I requested CVE-IDs from Mitre.

11 August 2019
– Mitre assigned CVE-2019-14925 -> CVE-2019-14931 (7 CVE-IDs).
– I submitted exploits to exploit-db.

13 August 2019
– Public disclosure

 


 

#-----------------------------------------------------------------------------------
# 1. Unauthenticated OS Command Injection
# CVE-ID: CVE-2019-14931
# CWE-ID: CWE-78: Improper Neutralisation of Special Elements used in an OS Command
# Exploit-DB ID: https://www.exploit-db.com/exploits/47235
#-----------------------------------------------------------------------------------

====================
Tested versions / Platform
====================

Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0

====================
Details
====================
An unauthenticated remote OS command injection vulnerability in Mitsubishi Electric’s smartRTU and INEA’s ME-RTU allows an attacker to execute arbitrary commands on the RTU because unsanitised user-supplied data is passed to the RTU’s system shell. Functionality in the mobile.php page provides users with the ability to ping sites or IP addresses via the ‘Mobile Connection Test‘. An attacker can place a shell command separator (;) in the ‘host‘ variable to execute operating system commands when the test is submitted.

When the Mobile Connection Test is submitted, action.php is called to execute the test. The following is the contents of the action.php script:

Due to improper input sanitising, an attacker can inject an operating system command into the $command variable by appending a shell command separator and a further command to the host variable. As an example, the host variable could contain the string "www.inea.si;ping 127.0.0.1", which would execute the legitimate ping check against www.inea.si and then execute a second, unauthorised ping to localhost.
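The following is an added example, not code from the advisory or from the vendor's action.php. It shows the class of bug described above in both forms: a helper that builds the ping command the way the flawed script does (string concatenation, shown but never executed here), and a hardened version that validates the host as an IP literal or RFC 1123 hostname and hands an argv list to the OS with no shell in the path, so a ‘;‘ in the input has nowhere to go. Function names, the ping flags and the rejection behaviour are this example's own assumptions.

```python
"""Added example: vulnerable vs. hardened handling of the 'host' value.

vulnerable_command() mirrors the concatenation pattern the advisory
describes; it only returns the string so the injection can be inspected.
is_valid_host() / safe_ping_argv() are the hardened path: strict
validation, then subprocess with shell=False so no separator is parsed.
"""
import ipaddress
import re
import subprocess
from typing import List

# One RFC 1123 hostname label: alphanumerics and '-', no leading/trailing '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def vulnerable_command(host: str) -> str:
    """The flawed pattern: untrusted text dropped into a shell command line.
    Passing this string to a shell is the injection the advisory describes."""
    return f"ping -c 4 {host}"


def is_valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname.
    Everything else (shell metacharacters, whitespace, leading '-') fails."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def safe_ping_argv(host: str) -> List[str]:
    """Build an argv list; invalid input raises instead of being passed on.
    '--' ends option parsing so a value can never be read as a ping flag."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "4", "--", host]


def run_connection_test(host: str, timeout: float = 20.0) -> int:
    """Run the test without a shell and return ping's exit status."""
    proc = subprocess.run(
        safe_ping_argv(host), shell=False, timeout=timeout,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return proc.returncode


if __name__ == "__main__":
    payload = "www.inea.si;ping 127.0.0.1"   # the advisory's example input
    print("vulnerable command line:", vulnerable_command(payload))
    try:
        safe_ping_argv(payload)
    except ValueError as exc:
        print("hardened path:", exc)
```

The validation step matters even with shell=False: without it a host of ‘-f‘ would still be handed to ping as a flag. The other half of the fix, which this block does not show, is the session check that action.php lacks, so that even a valid host cannot be submitted unauthenticated.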

The www-data user is permitted to run a limited set of commands with root privileges via sudoers. The sudo permissions are stored in the /etc/sudoers.d/viswww file. The following shows the commands which can be executed with sudo:

Whilst the set of commands which can be executed with root privileges is quite limited, it is possible to abuse the sudo-permitted /usr/sbin/service script to run any OS command with root privileges. By leveraging the privileged context of the ‘service‘ binary, it is possible to create a root bind shell via netcat on the RTU by injecting the following string into the $host variable:

The following snippet shows the bind shell being executed as root on the RTU:

The following snippet shows the successful bind shell from the remote attacking host:

Due to the lack of session checking, it is possible for an attacker to perform the same attack as above from an unauthenticated posture by simply supplying the malicious payload directly to the ‘action.php‘ page. The following is a simple curl command which can be run from the attacking host:

====================
Exploit difficulty
====================

It is possible for an attacker to perform the command injection from both an authenticated and an unauthenticated perspective. An attacker who successfully exploits the vulnerability can execute arbitrary commands on the RTU with the privileges of the www-data user running the web server process and, via the sudo rules described above, escalate to root.

====================
Proof of Concept
====================

The following snippet shows the proof of concept code being executed to obtain a bind shell with root privileges on the vulnerable smartRTU:

The following proof of concept (POC) code will be submitted to exploit-db at the end of the 45 day disclosure period.

 


 

#------------------------------------------------------
# 2. Unauthenticated Download of Configuration File
# CVE-ID: CVE-2019-14927
# CWE-ID: CWE-284: Improper Access Control
# Exploit-DB ID: https://www.exploit-db.com/exploits/47234
#------------------------------------------------------

====================
Tested versions / Platform
====================

Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0

====================
Details
====================

It is possible to download the Mitsubishi Electric smartRTU’s and the INEA ME-RTU’s configuration file from an unauthenticated posture due to a vulnerability in the web-based management interface of the RTU. Improper access controls for URLs allow the bypass of authentication controls, resulting in the unauthenticated download of the configuration file which contains data such as usernames, passwords, and other sensitive RTU data.

The following is a simple curl command which can be executed from the attacking host to obtain the smartRTU configuration file:

The following snippet shows the response of the above curl command while searching for Username or Password strings:

====================
Exploit difficulty
====================

An attacker can download the RTU configuration file from an unauthenticated perspective simply by requesting the relevant URL from the affected device over HTTP.

====================
Proof of Concept
====================

The following snippet shows the proof of concept code being executed to download the configuration file from the vulnerable smartRTU without authentication:

The following proof of concept (POC) code will be submitted to exploit-db at the end of the 45 day disclosure period.

 


 

#-------------------------------------------------------------------
# 3. Stored Cross-site Script (XSS)
# CVE-ID: CVE-2019-14928
# CWE-ID: CWE-79: Improper Neutralisation of Input During Web Page Generation ('Cross-site Scripting')
#-------------------------------------------------------------------

====================
Tested versions / Platform
====================

Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0

====================
Details
====================

A number of stored XSS vulnerabilities have been identified in Mitsubishi Electric’s smartRTU and INEA’s ME-RTU web configuration software which could allow an authenticated threat actor to inject malicious code directly into the application.

An example input variable vulnerable to stored XSS exists in the ‘index.php‘ page:

An attacker can replace the string ‘XSS code goes here‘ with "/><script>alert("xss")</script> in order to exploit the stored XSS vulnerability, resulting in an alert box with the message ‘xss‘ being displayed whenever a user visits the ‘index.php‘ page.

====================
Exploit difficulty
====================

It is possible for an attacker to inject malicious code from an authenticated perspective only. An attacker who successfully exploits the XSS vulnerabilities can run arbitrary script in the browser of any user who views the affected page.

====================
Proof of Concept
====================

The following snippet shows the proof of concept code being executed to obtain a logged on user’s session ID and send the session ID to the attackers host in order to perform a session replay based attack to bypass username/password authentication methods on the vulnerable smartRTU:

In order to receive the session cookie details from the targeted user, the following php script needs to be available on the attackers host:

The following snippet shows the attacking host successfully receiving the session cookie from the logged in user on the smartRTU web interface. By replaying the session token, it is possible for the attacker to bypass username/password requirements and access the web interface as the victim user.
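The following is an added example, not code from the advisory or from the RTU's index.php. It shows the stored XSS above in its vulnerable and hardened forms, using the exact payload string the advisory quotes, and the session-cookie attributes that would stop the cookie-exfiltration proof of concept from working even where a script does execute. The markup template and the cookie name PHPSESSID are assumptions; the page does not show index.php's real template or the RTU's session cookie name.

```python
"""Added example: attribute-context output encoding and session cookie
hardening for the stored XSS / session replay described above."""
import html
from http.cookies import SimpleCookie

# Payload string quoted in the advisory.
XSS_PAYLOAD = '"/><script>alert("xss")</script>'


def render_unsafe(stored_value: str) -> str:
    """Vulnerable: the stored value is interpolated straight into an HTML
    attribute. The payload closes the attribute and tag, then opens <script>."""
    return f'<input type="text" name="label" value="{stored_value}"/>'


def render_safe(stored_value: str) -> str:
    """Hardened: encode & < > " and ' for the attribute context before output.
    The browser then shows the payload as text rather than executing it."""
    encoded = html.escape(stored_value, quote=True)
    return f'<input type="text" name="label" value="{encoded}"/>'


def script_injected(markup: str) -> bool:
    """Demonstration check: did a live <script> tag end up in the output?"""
    return "<script" in markup.lower()


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value for the session cookie (name assumed to be PHPSESSID).
    HttpOnly keeps it out of document.cookie, which is what the advisory's
    exfiltration PoC reads; SameSite=Strict stops cross-site sends; Secure
    restricts it to HTTPS."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["samesite"] = "Strict"
    jar["PHPSESSID"]["path"] = "/"
    if secure:
        jar["PHPSESSID"]["secure"] = True
    return jar.output(header="").strip()


if __name__ == "__main__":
    unsafe = render_unsafe(XSS_PAYLOAD)
    safe = render_safe(XSS_PAYLOAD)
    print("unsafe:", unsafe, "| script injected:", script_injected(unsafe))
    print("safe  :", safe, "| script injected:", script_injected(safe))
    print("cookie:", session_cookie_header("0123456789abcdef"))
```

Output encoding is the fix for the vulnerability itself; the cookie flags only limit what a successful injection can steal, and a script that runs in the victim's session can still issue authenticated requests directly, so they are defence in depth rather than a substitute.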

 


 

#----------------------------------------------------
# 4. Use of Hard-coded Cryptographic Keys
# CVE-ID: CVE-2019-14926
# CWE-ID: CWE-798: Use of Hard-coded Credentials
#----------------------------------------------------


====================
Tested versions / Platform
====================

Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0

====================
Details
====================

Hard-coded SSH host keys have been identified in Mitsubishi Electric’s smartRTU and INEA’s ME-RTU firmware. As the host keys cannot be regenerated by a user and are not regenerated on firmware update, all deployed Mitsubishi Electric smartRTUs and INEA ME-RTUs use the same SSH host keys. Anyone holding the private keys can therefore impersonate any RTU to an SSH client that has previously accepted an RTU’s host key, or sit between the client and the RTU without triggering a host key warning.

====================
Exploit difficulty
====================

An attacker may leverage this vulnerability by copying the SSH private keys directly from a smartRTU device or from the firmware available for download on Mitsubishi Electric’s and INEA’s web sites, and then using them to impersonate, or man-in-the-middle SSH connections to, any deployed RTU.

====================
SSH Key Details
====================

The following is the contents of the hard-coded RSA private key located in /etc/ssh/ssh_host_rsa_key on the RTU:

The following is the contents of the hard-coded EC private key located in /etc/ssh/ssh_host_ecdsa_key on the RTU:

The following is the contents of the hard-coded DSA private key located in /etc/ssh/ssh_host_dsa_key on the RTU:
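The following is an added example, not code from the advisory. Since every RTU ships the same /etc/ssh/ssh_host_* keys, the observable symptom from the network side is several devices presenting an identical host key fingerprint; this script computes OpenSSH-style SHA256 fingerprints from ssh-keyscan output and reports fingerprints shared by more than one host, or matched against a known-bad fingerprint taken from the firmware. SAMPLE_SCAN is a constructed input in the ‘host keytype base64‘ format ssh-keyscan prints; the key blobs are arbitrary bytes rather than real keys, and the host names are placeholders.

```python
"""Added example: find hosts that share an SSH host key (hard-coded key
symptom) from ssh-keyscan / known_hosts style lines."""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: rtu-a and rtu-b deliberately present an identical blob.
SAMPLE_SCAN = """\
# host keytype base64-blob  (as printed by: ssh-keyscan -t rsa host)
rtu-a.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDdummyRTUb
rtu-b.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDdummyRTUb
jump.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDanotherbl
"""


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded blob)) without '='.
    This is the same value 'ssh-keygen -lf key.pub' prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, key type, fingerprint) for each key line; comments and
    malformed lines are skipped."""
    rows: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or not parts[1].startswith(("ssh-", "ecdsa-")):
            continue
        rows.append((parts[0], parts[1], fingerprint(parts[2])))
    return rows


def shared_host_keys(text: str) -> Dict[str, List[str]]:
    """Map 'keytype fingerprint' -> hosts presenting it, keeping only keys
    seen on more than one host. Any entry here is a hard-coded-key suspect."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for host, ktype, fp in parse_scan(text):
        by_key[f"{ktype} {fp}"].append(host)
    return {key: hosts for key, hosts in by_key.items() if len(hosts) > 1}


def hosts_with_fingerprint(text: str, known_fp: str) -> List[str]:
    """Hosts presenting a specific fingerprint, e.g. one computed from the
    ssh_host_rsa_key.pub extracted from the vendor firmware image."""
    return [host for host, _ktype, fp in parse_scan(text) if fp == known_fp]


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"shared {key}: {', '.join(hosts)}")
```

To gather real input, run ‘ssh-keyscan -t rsa,ecdsa,ed25519 host1 host2 ...‘ against the RTU estate and feed the output to shared_host_keys(); the fingerprint of a key file pulled from the firmware can be obtained with ‘ssh-keygen -lf ssh_host_rsa_key.pub‘ and passed to hosts_with_fingerprint(). Hashed known_hosts entries (lines beginning with ‘|1|‘) are not handled by this parser.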

 


 


#---------------------------------------------------
# 5. Hard-coded User Passwords
# CVE-ID: CVE-2019-14930
# CWE-ID: CWE-798: Use of Hard-coded Credentials
#---------------------------------------------------


====================
Tested versions / Platform
====================

Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0

====================
Details
====================

Mitsubishi Electric’s smartRTU and INEA’s ME-RTU devices contain undocumented user accounts with hard-coded passwords. An attacker could exploit this vulnerability by using the accounts to log into affected RTUs. The following user accounts contain hard-coded passwords:

====================
Exploit difficulty
====================

An attacker with access to the smartRTU’s operating system, or to the firmware downloadable from Mitsubishi Electric’s and INEA’s websites, can obtain the password hashes from /etc/shadow and crack the passwords with tools such as hashcat or John the Ripper. As the passwords are the same on every device, they only need to be cracked once.

As the ineaadmin and mitsadmin user accounts are members of the ‘admin‘ group on the RTU, they are able to elevate to root privileges, because the admin group is granted full root access via sudo without the need to supply a password. The following snippet from /etc/group shows the accounts in the admin group on the RTU:

The following snippet from /etc/sudoers shows the admin group is given full root privileges without password authentication:
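The following is an added example, not code from the advisory or from the RTU. It is a small sudoers auditor that flags the two sudo weaknesses this advisory relies on: a group granted ALL with NOPASSWD (the ‘admin‘ group behind CVE-2019-14930) and a service account permitted to run /usr/sbin/service as root, which is sufficient for arbitrary command execution (the www-data escalation used in CVE-2019-14931). SAMPLE_SUDOERS is constructed from the advisory's description: the real /etc/sudoers and /etc/sudoers.d/viswww are not reproduced on the page, and the second command on the www-data line is a placeholder. The parser handles only the common ‘who host=(runas) [TAG:] cmd, cmd‘ form, with no aliases, includes or negations.

```python
"""Added example: audit sudoers lines for NOPASSWD: ALL grants and for
commands that escape to a root shell."""
import re
from typing import List, NamedTuple

# Constructed sample modelled on the advisory's description, not the RTU file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) NOPASSWD: ALL
www-data        ALL=(root) NOPASSWD: /usr/sbin/service, /bin/ping
"""

# Binaries that yield arbitrary command execution as the runas user even when
# sudoers allows nothing else. /usr/sbin/service is the one the advisory
# identifies on the RTU; the others are well-known equivalents.
ESCAPE_BINARIES = {
    "/usr/sbin/service", "/bin/sh", "/bin/bash", "/usr/bin/env",
    "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/find", "/usr/bin/python3",
}

_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
_TAGS = re.compile(r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):\s*")


class Entry(NamedTuple):
    who: str
    runas: str
    nopasswd: bool
    cmds: List[str]


class Finding(NamedTuple):
    who: str
    severity: str
    reason: str


def parse_sudoers(text: str) -> List[Entry]:
    """Parse user/group specifications; comments and Defaults lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        cmds_field = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds_field
        cmds = [c.strip() for c in _TAGS.sub("", cmds_field).split(",") if c.strip()]
        entries.append(Entry(m.group("who"), m.group("runas") or "root", nopasswd, cmds))
    return entries


def audit(text: str) -> List[Finding]:
    """Flag non-root principals with unrestricted sudo or an escape binary."""
    findings: List[Finding] = []
    for e in parse_sudoers(text):
        if e.who == "root":
            continue
        if "ALL" in e.cmds:
            reason = "unrestricted commands via sudo (ALL)"
            if e.nopasswd:
                reason += ", no password required"
            findings.append(Finding(e.who, "high", reason))
        for cmd in e.cmds:
            binary = cmd.split()[0]
            if binary in ESCAPE_BINARIES:
                findings.append(Finding(
                    e.who, "high",
                    f"{binary} allows arbitrary command execution as {e.runas}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.who}: {f.reason}")
```

Run it over the concatenation of /etc/sudoers and every file in /etc/sudoers.d/ on a device or an unpacked firmware image; the www-data finding is the one that turns the web command injection into root, and the %admin finding is what makes the hard-coded ineaadmin/mitsadmin passwords equivalent to root.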

 


 


#------------------------------------------------------
# 6. Plaintext Password Storage
# CVE-ID: CVE-2019-14929
# CWE-ID: CWE-255: Credentials Management Errors
#------------------------------------------------------


====================
Tested versions / Platform
====================

Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0

====================
Details
====================

Mitsubishi Electric’s smartRTU and INEA’s ME-RTU store password credentials in plain text in a configuration file. An unauthenticated user can obtain the exposed password credentials to gain access to the following services:

– DDNS service
– Mobile Network Provider
– OpenVPN service

====================
Exploit difficulty
====================

The configuration file can be downloaded from an unauthenticated posture due to the improper access controls in the RTU’s web-based management interface described above (CVE-2019-14927), so no credentials are required to obtain the plaintext passwords it contains.

====================
Proof of Concept
====================

The following snippet from the XML configuration file shows the plaintext password strings:

 


 


#-------------------------------------------------------
# 7. World-readable Configuration File
# CVE-ID: CVE-2019-14925
# CWE-ID: CWE-276: Incorrect Default Permissions
#-------------------------------------------------------


====================
Tested versions / Platform
====================

Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0

====================
Details
====================

Mitsubishi Electric’s smartRTU and INEA’s ME-RTU stores and reads configuration settings from a file located in /usr/smartrtu/ini/settings.xml. This file has insecure world-readable permissions assigned, allowing all users on the system to read the configuration file which contains username and plain text password combinations, as well as other sensitive configuration information of the RTU.

The following shows the permissions assigned to the settings.xml file on the smartRTU:

====================
Exploit difficulty
====================

It is possible for any user logged on to the Mitsubishi Electric smartRTU or INEA ME-RTU to read the contents of the settings.xml file due to the world-readable permission assignment.
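The following is an added example, not code from the advisory, covering the plaintext password storage (CVE-2019-14929) and the world-readable permissions (CVE-2019-14925) together, since both concern the same settings.xml file. It walks an XML configuration and reports every non-empty element whose name suggests a secret, checks a file mode for the ‘other‘ read bit, and produces a redacted copy that can be shared for support. SAMPLE_SETTINGS is a constructed document: the advisory says the real file holds DDNS, mobile-network and OpenVPN credentials in plaintext but does not show its schema, so the element names and values here are assumptions.

```python
"""Added example: offline audit of a settings.xml-style configuration for
plaintext credentials and world-readable permissions."""
import os
import re
import stat
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample; the RTU's real schema is not shown in the advisory.
SAMPLE_SETTINGS = """\
<settings>
  <ddns>
    <Enabled>1</Enabled>
    <Username>rtu01</Username>
    <Password>ddns-s3cret</Password>
  </ddns>
  <mobile>
    <APN>internet.example</APN>
    <Username>apnuser</Username>
    <Password>apn-s3cret</Password>
  </mobile>
  <openvpn>
    <Server>vpn.example</Server>
    <Username>rtu01</Username>
    <Password>vpn-s3cret</Password>
  </openvpn>
  <logging>
    <Level>info</Level>
    <Password></Password>
  </logging>
</settings>
"""

# Element names that usually carry a secret. Deliberately broad: a hit is a
# lead for a reviewer, not a verdict.
SECRET_TAG = re.compile(r"pass(word|wd|phrase)?|pwd|secret|psk|sharedkey", re.IGNORECASE)


def find_plaintext_credentials(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element path, value) for every non-empty secret-looking element."""
    root = ET.fromstring(xml_text)
    hits: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, parent_path: str) -> None:
        path = f"{parent_path}/{elem.tag}"
        value = (elem.text or "").strip()
        if SECRET_TAG.search(elem.tag) and value:
            hits.append((path, value))
        for child in elem:
            walk(child, path)

    walk(root, "")
    return hits


def mode_is_world_readable(st_mode: int) -> bool:
    """True when the 'other' read bit is set (e.g. mode 0644), the condition
    the advisory reports for /usr/smartrtu/ini/settings.xml."""
    return bool(st_mode & stat.S_IROTH)


def file_is_world_readable(path: str) -> bool:
    """Same check against a real file on disk."""
    return mode_is_world_readable(os.stat(path).st_mode)


def redact(xml_text: str) -> str:
    """Blank secret values so a configuration can be handed to support."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if SECRET_TAG.search(elem.tag) and (elem.text or "").strip():
            elem.text = "[REDACTED]"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, value in find_plaintext_credentials(SAMPLE_SETTINGS):
        print(f"plaintext secret at {path}: {value}")
    print("0644 world-readable:", mode_is_world_readable(0o100644))
    print("0640 world-readable:", mode_is_world_readable(0o100640))
```

On a device, file_is_world_readable("/usr/smartrtu/ini/settings.xml") answers the permission question directly; the same tree walk run over a copy of the file pulled via the unauthenticated download above lists exactly which services' credentials must be rotated once the device is patched or replaced.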