1. EXECUTIVE SUMMARY
- CVSS v3 9.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: INEA
- Equipment: ME RTU
- Vulnerabilities: OS Command Injection, Improper Authentication
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Inea ME RTU are affected:
- ME RTU: versions 3.36b and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’)CWE-78
Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution.
CVE-2023-35762 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.2 IMPROPER AUTHENTICATION CWE-287
Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the “root” account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system.
CVE-2023-29155 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Transportation
<
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: