CVE-2019-14931
Published: 2019-10-28
Priority: P1 88 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 57.66% (99.0th percentile)
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inea | me-rtu_firmware | <= 3.0 | — |
| mitsubishielectric | smartrtu_firmware | <= 2.02 | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032636; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09;)
snort
alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032637; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09;)
bytes
|7b 27|host|27 20 3a 20 27 3b|
- Exploit is delivered via HTTP POST to /action.php with a 'host' parameter containing a shell command separator (;) to inject OS commands. Look for semicolons in the 'host' POST body field targeting this endpoint.
- The exploit POSTs a payload with the 'host' field starting with ';sudo /usr/sbin/service ../../bin/nc -nvlp <port> -e /bin/sh' to establish a bind shell. Monitor for netcat listener activity on RTU devices following a POST to /action.php.
- The Snort/Suricata byte signature |7b 27|host|27 20 3a 20 27 3b| matches the serialized POST body pattern {'host' : ';} at the start of the request body, uniquely identifying exploit attempts against this CVE.
- The exploit targets unauthenticated access: no session cookie or authentication header is required. Detections should fire on all requests to /action.php matching the payload pattern, regardless of authentication state.
- Both ET rules (Inbound sid:2032636 and Outbound sid:2032637) match on HTTP method GET, but the exploit sends an HTTP POST. Verify that the rule logic matches the method seen in actual traffic before deploying.
- Affected firmware versions are Mitsubishi Electric ME-RTU through 2.02 and INEA ME-RTU through 3.0. Ensure detection scope covers both vendor device ranges.
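The following Python check is an added example, not code from this page's sources or from any vendor or Proofpoint tool. It transcribes the three conditions of the ET rules above (method, URI, body prefix) so the GET/POST caveat can be reproduced on constructed requests, and adds a looser defender-side pattern (my assumption, not part of the published rules) that catches a separator placed after a valid host value rather than only as the first byte. All sample requests are constructed; the injected command is a harmless `id`.

```python
import re

# Byte pattern quoted in the ET rules above: |7b 27|host|27 20 3a 20 27 3b|
# It decodes to the serialized body prefix  {'host' : ';
ET_BODY_PREFIX = bytes.fromhex("7b27") + b"host" + bytes.fromhex("27203a20273b")

# Looser, defender-side variant (assumption, not from the rules): a shell
# metacharacter anywhere inside the single-quoted 'host' value, so a body such as
# {'host' : '192.0.2.1; id'} is still flagged even though the ET prefix misses it.
LOOSE_HOST_RE = re.compile(rb"\{\s*'host'\s*:\s*'[^']*[;|&`$]")


def et_rule_match(method: str, uri: str, body: bytes, rule_method: str = "GET") -> bool:
    """Literal transcription of sid:2032636/2032637: http.method content, URI
    contains /action.php, request body starts with the byte prefix. rule_method
    defaults to GET because that is what the published rules specify."""
    return (
        method.upper() == rule_method
        and "/action.php" in uri
        and body.startswith(ET_BODY_PREFIX)
    )


def classify_request(method: str, uri: str, body: bytes) -> dict:
    """Return the individual detection verdicts for one HTTP request."""
    to_endpoint = "/action.php" in uri
    prefix_hit = to_endpoint and body.startswith(ET_BODY_PREFIX)
    loose_hit = to_endpoint and LOOSE_HOST_RE.search(body) is not None
    return {
        "et_rule_fires": et_rule_match(method, uri, body),
        # ET byte pattern present, but the rule stays silent because the request
        # method is not the GET the rule asks for (the caveat noted above)
        "method_mismatch": prefix_hit and method.upper() != "GET",
        "payload_prefix_present": prefix_hit,
        "separator_in_host_value": loose_hit,
    }


# Constructed sample requests (not captured traffic). Bodies mimic the serialized
# form the ET pattern expects; 192.0.2.1 is a documentation-range address.
SAMPLE_REQUESTS = [
    ("exploit shape, POST as the exploit sends it", "POST", "/action.php", b"{'host' : ';id'}"),
    ("exploit shape, GET as the rule expects",      "GET",  "/action.php", b"{'host' : ';id'}"),
    ("benign connection test",                      "POST", "/action.php", b"{'host' : '192.0.2.1'}"),
    ("separator after a valid host",                "POST", "/action.php", b"{'host' : '192.0.2.1; id'}"),
    ("same body, different endpoint",               "POST", "/index.php",  b"{'host' : ';id'}"),
]


def run_samples() -> list:
    """Classify every constructed sample; returns (label, verdicts) pairs."""
    return [(label, classify_request(m, u, b)) for label, m, u, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, verdicts in run_samples():
        flags = ", ".join(k for k, v in verdicts.items() if v) or "clean"
        print(f"{label}: {flags}")
```

Running it shows the first sample (the method the exploit actually uses) carries the byte pattern yet does not fire the literal rule, while the fourth shows that the `startswith`-anchored prefix misses a separator placed after a legitimate host; the loose regex catches both, at the cost of needing tuning against whatever the device's legitimate connection-test bodies look like.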
CVSS provenance
- NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-hx46-fxf5-4hff
ghsa_unreviewed · 2022-05-24
CVE-2019-14931 [CRITICAL] CWE-78
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.
VulnCheck
mitsubishielectric smartrtu_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2019 · CVSS 9.8
CVE-2019-14931 [CRITICAL]
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.
CISA ICS
Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU
cisa_ics · 2019-09-10 · CVSS 7.5
[HIGH] Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU
ICS Advisory: Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU
Last Revised: September 09, 2021
Alert Code: ICSA-21-252-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric Europe B.V.
- Equipment: smartRTU and INEA ME-RTU
- Vulnerabilities: OS Command Injection, Improper Access Control, Cross-site Scripting, Use of Hard-coded Credentials, Unprotected Storage of Credentials, Incorrect Default Permissions
## 2. REPOSTED INFORMATION
This advisory is a follow-up to a CISA product update titled ICS-ALERT-19-225-01
Suricata
ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound (CVE-2019-14931)
suricata · 2021-04-09 · CVSS 9.8 · CVE-2019-14931 [CRITICAL]
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032636; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09;)
Suricata
ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound (CVE-2019-14931)
suricata · 2021-04-09 · CVSS 9.8 · CVE-2019-14931 [CRITICAL]
Rule: alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032637; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09;)
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42 · 2020-10-14
## Two New IoT Vulnerabilities Identified with Mirai Payloads
Ken Hsu, Yue Guan, Vaibhav Singhal, Qi Deng
Published: October 14, 2020
Tags: Threat Research · Vulnerabilities · IoT · Mirai
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42 · 2019-12-13
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
Tags: Malware · Threat Research · Vulnerabilities · Echobot · IoT · IoT Vulnerability · Mirai · Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven't been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp