PT-2019-13867 · Mitsubishi · Me-Rtu

Published: 2019-10-28 · Updated: 2024-09-10 · CVE-2019-14925

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Mitsubishi Electric Europe B.V. ME-RTU devices versions 2.02 and earlier

INEA ME-RTU devices versions 3.0 and earlier

Description

An issue allows an attacker to read sensitive configuration settings due to insecure permission assignment. The world-readable /usr/smartrtu/init/settings.xml configuration file on the file system exposes usernames, passwords, and other sensitive RTU data.

Recommendations

For Mitsubishi Electric Europe B.V. ME-RTU devices versions 2.02 and earlier, restrict access to the /usr/smartrtu/init/settings.xml file to prevent unauthorized reading of sensitive configuration settings. For INEA ME-RTU devices versions 3.0 and earlier, consider changing the permissions of the /usr/smartrtu/init/settings.xml file to prevent world-read access until a patch is available. As a temporary workaround, consider disabling access to sensitive RTU data until the issue is resolved.
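
The permission change recommended above can be checked and applied with a small POSIX shell helper. This is an added example, not vendor code; the function names are hypothetical, and it assumes the RTU service reads the file as its owner or group, which should be confirmed on a test unit before use.

```shell
#!/bin/sh
# Added example: audit and tighten "other" permissions on the RTU settings file.
# Assumption: the RTU service reads the file as owner or group, so removing
# access for "other" does not break it.

SETTINGS_DEFAULT=/usr/smartrtu/init/settings.xml   # path given in the advisory

# Print the three "other" permission characters (e.g. "r--") for a path.
other_bits() {
    # ls -ld is POSIX; the mode string is the first field, e.g. -rw-r--r--
    mode=$(ls -ldL -- "$1" 2>/dev/null | awk '{print $1}') || return 2
    [ -n "$mode" ] || return 2
    printf '%s\n' "$mode" | cut -c8-10
}

# Return 0 if world-readable, 1 if not, 2 if the path cannot be inspected.
is_world_readable() {
    bits=$(other_bits "$1") || return 2
    case "$bits" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Remove all access for "other" and confirm the change took effect.
restrict_settings() {
    path=${1:-$SETTINGS_DEFAULT}
    rc=0
    is_world_readable "$path" || rc=$?
    case $rc in
        0) chmod o-rwx -- "$path" || return 2
           if is_world_readable "$path"; then return 2; fi
           echo "fixed: $path is no longer world-readable" ;;
        1) echo "ok: $path is not world-readable" ;;
        *) echo "error: cannot inspect $path" >&2
           return 2 ;;
    esac
}
```

Calling `restrict_settings` with no argument targets the path named in the advisory. Credentials that were stored in the file while it was world-readable should be treated as exposed and rotated.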

Weakness Enumeration: Incorrect Default Permissions

Related Identifiers: CVE-2019-14925

Affected Products: Me-Rtu