CVE-2019-14926

Name of the Vulnerable Software and Affected Versions Mitsubishi Electric Europe B.V. ME-RTU devices versions 2.02 and earlier INEA ME-RTU devices versions 3.0 and earlier

Description An issue allows an attacker to gain unauthorized access or disclose encrypted data on the RTU due to hard-coded SSH keys not being regenerated on initial installation or with firmware updates. The devices use private-key values in /etc/ssh/ssh host rsa key, /etc/ssh/ssh host ecdsa key, and /etc/ssh/ssh host dsa key files that are publicly available from the vendor web sites.

Recommendations For Mitsubishi Electric Europe B.V. ME-RTU devices versions 2.02 and earlier, consider regenerating SSH keys on initial installation or with firmware updates to prevent unauthorized access. For INEA ME-RTU devices versions 3.0 and earlier, consider regenerating SSH keys on initial installation or with firmware updates to prevent unauthorized access. As a temporary workaround, consider disabling SSH access to the devices until a patch is available.