CISA warns of OS Command Injection vulnerability in INEA ME RTU hardware 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory on Thursday, rated CVSS 10.0 in severity, identifying an OS Command Injection vulnerability in INEA ME RTU (Remote Terminal Unit) equipment. The RTU works as a data interface between the remote device and the control center.

“Versions of INEA ME RTU firmware prior to 3.36 are vulnerable to operating system (OS) command injection, which could allow an attacker to remotely execute arbitrary code,” CISA identified in its advisory. Floris Hendriks of Radboud University reported this vulnerability to CISA.

The advisory added that the equipment is deployed globally across the energy, water and wastewater, and transportation sectors, and that exploitation of the vulnerability could allow remote code execution. INEA RTU is used for control and management of remote systems such as aqueducts, pipelines, transformer stations, switching stations, road tunnels, and wastewater treatment plants.

With remote and dispersed processes, establishing communication with the control center and between the processes themselves is often a problem. The RTU implements open-standard protocols and enables connectivity of field devices with the control center via the mobile network. It also has a built-in 4G LTE modem that provides a communication link between the control center and the remote system. Radio modems can be connected to its USB (universal serial bus) ports, and its protocols enable connectivity between devices and systems from different manufacturers.

INEA has developed mitigations for the OS Command Injection vulnerability and recommends users update to version 3.36 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should minimize network exposure for all control system devices and/or systems, ensure they are not accessible from the Internet, and locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, users should use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. They should also recognize that a VPN is only as secure as its connected devices. The security agency also reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Paul Baird, chief technical security officer at Qualys, wrote in an emailed statement that this vulnerability is ranked at the maximum severity level for CVSS, 10.0, due to the effect that it could have on installations. “It is remotely exploitable and could allow the execution of arbitrary code, so it represents a serious risk for those that have these units installed.”

“RTUs are used in operational network deployments to connect up various devices with each other, and to connect those devices to wider networks. For this specific RTU, they can connect to the wider telecoms network as well,” according to Baird. “According to the advisory, it has multiple deployments in critical infrastructure providers covering energy utilities, wastewater, and transport use cases, so an attack could have some serious impact.”

Baird said that this also points to the level of attention that OT (operational technology) is getting around security vulnerabilities and the number of issues that are now getting added to the CISA ICS (industrial control system) Advisory list and to the Known Exploited Vulnerabilities catalog. “So far in 2023, we have seen 121 advisories released by CISA, and these issues have affected a swathe of OT assets. This is the third release that was rated at 10 this year.” 

Looking at IT and OT security issues in context with each other will be one of the big trends for companies this year, as IT security teams and OT network professionals work to understand each other’s priorities, timescales and requirements, he added.

Last week, CISA issued 16 cybersecurity recommendations warning of the presence of ICS hardware vulnerabilities across various Siemens product lines, Datakit and Mitsubishi Electric. The agency also published an ICS medical advisory covering the presence of vulnerabilities in B. Braun Melsungen. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
