The US Cybersecurity and Infrastructure Security Agency (CISA) reported a severe security vulnerability affecting ME RTU remote terminal units in an advisory. The vulnerability is named CVE-2023-2131.
The issue was reported to CISA by Floris Hendriks, a security researcher at Radboud University. CISA has recommended that critical infrastructure organizations take necessary measures to secure their supply chains by reviewing the Federal Communications Commission’s Covered List of communications equipment considered a national security risk.
The agency has also pressed upon organizations to utilize security guidance issued by NIST that helps them in the identification, assessment, and mitigation of supply chain risks and to enroll in the agency’s free Vulnerability Scanning service to identify vulnerable and high-risk devices.
This blog post will talk in detail about this Critical RCE Vulnerability in ME RTU, how to fix CVE-2023-2131 by following the steps recommended by INEA, and why it is important to fix this security vulnerability.
A Short Note About ME RTU (Remote Terminal Units)
ME-RTU is a communication unit that enables connectivity between the control center and field devices through mobile devices. It has a built-in 4G LTE modem that provides reliable communication between the remote system and the control center. Additionally, it connects to a radio modem and a USB port and implements open-standard protocols to ensure robust connectivity between systems and devices from different manufacturers.
The features of ME RTU include:
- It supports DNP3 connectivity with DNP3 slave Level 2
- It enables Ethernet and Serial connectivity via USB to RS232 converter
- It provides IEC 60870-5-101/104 connectivity with IEC 60870-5-101/104 slave support and IEC 60870-5-104 master to IEC 60870-5-104 slave gateway.
- It supports IEC 61850 connectivity with IEC 61850 Client to IEC 60870-5-104 slave gateway.
- It offers a PLC iQ-F/Q/L series connectivity, SMS messaging, time synchronization, integrated I/Os, online PLC programming and monitoring, communication channels such as Ethernet, Cellular network, USB Host, file transfers such as FTP and SFTP, PPP for serial/USB modem connections, and IT functionality such as DNS, DDNS, SNMP, and HTTP.
- The unit also provides VPN functionality for secure communications.
Beyond these features, deploying ME-RTU also brings several advantages. The more effective control provides 10% less energy consumption and about 15% less congestion on remote devices, and remote control provides a 20% reduction in management costs. This technology is ideal for controlling and managing remote systems such as aqueducts, transformer stations, pipelines, road tunnels, switching stations, and wastewater treatment plants.
Summary of CVE-2023-2131
- Vendor: INEA
- Vulnerability type: OS Command Injection
- CVSS v3: 10.0
- Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2023-2131 is a critical vulnerability affecting some INEA ME RTU firmware versions. The vulnerability is caused by a command injection flaw in the affected devices’ firmware. The successful exploitation of the vulnerability could allow an attacker to execute arbitrary code remotely in the device’s operating system.
Organizations using INEA ME RTU devices are advised to mitigate the vulnerability to prevent any potential attacks immediately.
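The advisory classifies the flaw as OS command injection but does not say where in the firmware the untrusted input reaches a shell. The following added example is therefore a generic illustration of the bug class, not the ME RTU code: a hypothetical diagnostic feature that pings a user-supplied address. It shows the unsafe pattern (input spliced into a shell command string) next to a hardened version that validates the input as an IP address and passes an argument list to the process so no shell ever parses it. All function names are my own.

```python
import ipaddress
import subprocess


def vulnerable_ping_command(host):
    # UNSAFE pattern (illustrative only): the caller's input is concatenated into a
    # string that is later handed to /bin/sh via os.system() or shell=True.
    # The shell, not the program, decides where the command ends.
    return f"ping -c 1 {host}"


def shell_would_split(command):
    # Indicator used for the demonstration: does the composed string contain
    # characters /bin/sh treats as separators or substitutions? This is NOT a
    # sufficient filter; the fix is to avoid the shell entirely.
    return any(ch in command for ch in ";|&$`\n")


def hardened_ping_argv(host):
    # Positive validation: accept only a syntactically valid IPv4/IPv6 address.
    try:
        ipaddress.ip_address(host)
    except ValueError as exc:
        raise ValueError(f"rejected host parameter: {host!r}") from exc
    # argv list: the OS receives separate arguments, so no metacharacter parsing occurs.
    return ["ping", "-c", "1", host]


def is_accepted(host):
    """True if the hardened path would run ping for this input."""
    try:
        hardened_ping_argv(host)
        return True
    except ValueError:
        return False


def ping(host, timeout=5):
    # Only the hardened path is ever executed; returns the ping exit status.
    return subprocess.run(hardened_ping_argv(host),
                          capture_output=True, timeout=timeout).returncode


if __name__ == "__main__":
    for candidate in ("10.0.0.1", "10.0.0.1;ls"):   # constructed inputs
        cmd = vulnerable_ping_command(candidate)
        print(f"{candidate!r}: unsafe string {cmd!r}, shell would split: "
              f"{shell_would_split(cmd)}, hardened accepts: {is_accepted(candidate)}")
```

The point for firmware reviewers is the shape of the fix: allow-list validation of the parameter plus an exec-style call with an argument vector. Rejecting individual characters (the `shell_would_split` check) is shown only to make the hazard visible; blocklists of metacharacters are routinely bypassed and should not be the control.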
Products Affected by CVE-2023-2131
This vulnerability affects all versions of ME RTU before 3.36, which could allow a remote attacker to execute arbitrary code. These versions include 2.17, 2.21, 2.23, 2.25, 2.29, 2.33, 2.35, and 3.35. As all these versions are affected by this critical security vulnerability, see how to fix CVE-2023-2131 in the section below.
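As an added example (not from the advisory or the vendor), here is a small triage script that checks an inventory of firmware version strings against the "before 3.36" rule above. It compares versions component by component, because comparing them as floating-point numbers silently gets a case like "3.4" vs "3.36" wrong. The inventory entries are constructed sample data, not real devices.

```python
# Versions named in the advisory as affected, and the first fixed release
AFFECTED_VERSIONS_LISTED = ["2.17", "2.21", "2.23", "2.25", "2.29", "2.33", "2.35", "3.35"]
FIXED_VERSION = "3.36"


def parse_version(version):
    """Split 'major.minor' into an integer tuple so ordering is per component.

    float('3.4') > float('3.36') is True, but as firmware versions 3.4 precedes
    3.36; tuple comparison (3, 4) < (3, 36) gives the intended order.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version is older than the fixed release (3.36)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """inventory: iterable of (device_name, firmware_version) pairs.

    Returns the names of devices that still need the firmware upgrade.
    """
    return [name for name, version in inventory if is_affected(version)]


# Constructed sample inventory for the demonstration (hypothetical device names)
SAMPLE_INVENTORY = [
    ("rtu-pump-01", "2.35"),
    ("rtu-pump-02", "3.36"),
    ("rtu-tunnel-03", "3.4"),
    ("rtu-substation-04", "3.40"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: firmware below {FIXED_VERSION}, upgrade required")
```

If a vendor writes "3.4" as shorthand for 3.40, the component-wise rule would flag it unnecessarily; when in doubt, confirm the exact version string on the device rather than trusting an asset-database field.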
How to Fix CVE-2023-2131 - A Critical RCE Vulnerability in ME RTU Remote Terminal Units?
INEA recommends the users upgrade the ME RTU to the latest firmware versions (ME RTU 3.36 or later) to fix CVE-2023-2131, a critical RCE vulnerability in ME RTU. Additionally, there are some other measures that you can take to mitigate the exploitation risk; some of those are as follows:
- The Cybersecurity and Infrastructure Security Agency (CISA) recommends that users take defensive measures that help them mitigate the exploitation risk of this vulnerability.
- Specifically, users should minimize network exposure for all control system devices and ensure they are not accessible from the internet.
- Control system networks and remote devices should be located behind firewalls and isolated from business networks.
- Users should use secure methods when needing remote access. They can use Virtual Private Networks (VPNs), recognizing that VPNs might have security vulnerabilities and should be updated to the current version.
- Organizations should perform proper impact analysis and risk assessment before deploying defensive measures.
To learn more about recommended security practices, visit the ICS webpage at cisa.gov/ics. It offers details on several CISA products and best practices for cyber defense that you can read and download, along with additional mitigation guidance and recommended practices in the form of a technical information paper.
CVE-2023-2131 is a critical remote code execution vulnerability in ME RTU remote terminal units that can allow an attacker to control the affected system fully. It is crucial for organizations using these devices to take immediate action to fix this vulnerability to prevent unauthorized access to their systems and sensitive data.
Organizations should also ensure that their network infrastructure is secure and have implemented security measures such as firewalls, intrusion detection and prevention systems, and access controls to prevent unauthorized access to their systems.
Moreover, it is advisable to conduct regular security assessments and penetration testing of the systems to identify and mitigate potential vulnerabilities before attackers can exploit them. This can help organizations avoid emerging threats and protect their systems and sensitive data from cyber-attacks.
We hope this post helps you understand how to fix CVE-2023-2131, a critical RCE vulnerability in ME RTU. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Frequently Asked Questions:
CVE-2023-2131 is a critical remote code execution (RCE) vulnerability affecting INEA ME RTU remote terminal units. The vulnerability is caused by a command injection flaw in the affected devices’ firmware, allowing an attacker to execute arbitrary code remotely in the device’s operating system.
CVE-2023-2131 affects all versions of ME RTU before 3.36, including 2.17, 2.21, 2.23, 2.25, 2.29, 2.33, 2.35, and 3.35. It is recommended to upgrade to ME RTU 3.36 or later to mitigate the vulnerability.
To fix CVE-2023-2131, INEA recommends users upgrade the ME RTU to the latest firmware versions (ME RTU 3.36 or later). Additionally, implement defensive measures such as minimizing network exposure, isolating control system networks and devices behind firewalls, using secure remote access methods, and conducting proper impact analysis and risk assessment before deploying defensive measures.
ME RTU is a communication unit that enables connectivity between a control center and field devices through mobile devices. It has a built-in 4G LTE modem for reliable communication, supports multiple connectivity protocols, and provides VPN functionality for secure communications.
ME RTU offers several advantages, such as 10% less energy consumption, about 15% less congestion on remote devices, and a 20% reduction in management costs. It is ideal for controlling and managing remote systems like aqueducts, transformer stations, pipelines, road tunnels, switching stations, and wastewater treatment plants.
For more information on security best practices, visit the ICS webpage at cisa.gov/ics. It offers details on CISA products, best practices for cyber defense, and additional mitigation guidance and recommended practices in the form of technical information papers.