Today, CISA’s NCCIC-ICS published a control system security advisory for products from INEA. I also take a down-the-rabbit-hole look at a possible connection to the Mitsubishi smartRTU.
INEA Advisory
This advisory describes an OS command injection vulnerability in the INEA ME RTU. The vulnerability was reported by Floris Hendriks of Radboud University. INEA has a new version that mitigates the vulnerability. There is no indication that Hendriks has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.
Down the Rabbit Hole – INEA and Mitsubishi
According to the Mitsubishi website INEA is a part of their ‘e-F@actory Alliance’, a loose grouping of control system manufacturers that collaborate on manufacturing solutions. As part of the INEA portion of the alliance, Mitsubishi notes that INEA took an active part in the software development of Mitsubishi Electric’s Energy Control Pack (ECP).
Back in 2019, ICS-CERT reported on a set of vulnerabilities that involved both Mitsubishi and INEA. The ICS-CERT Alert does not provide CVE numbers, but following the provided link to the Mogozobo report (one of the few times that ICS-CERT has provided links to researcher reports) we find a listing of the 7 CVE’s (CVE-2019-14925 through CVE-2019-14931) for the vulnerabilities reported by Xerubus.
The affected products listed for these seven vulnerabilities are both the Mitsubishi smartRTU and the INEA ME RTU, the same ME RTU (an earlier version to be sure) that is involved in today’s advisory. So it would seem that there is a pretty good chance that today’s vulnerability also affects Mitsubishi’s smartRTU.