CVE-2019-14930

Name of the Vulnerable Software and Affected Versions Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 INEA ME-RTU devices through 3.0

Description An issue was discovered that allows an attacker to gain unauthorized access to the RTU due to undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint. Additionally, the accounts ineaadmin and mitsadmin can escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.

Recommendations For Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02, consider changing the hard-coded passwords for root, ineaadmin, mitsadmin, and maint to secure ones. For INEA ME-RTU devices through 3.0, consider changing the hard-coded passwords for root, ineaadmin, mitsadmin, and maint to secure ones. As a temporary workaround, consider restricting access to the ineaadmin and mitsadmin accounts to prevent privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.