Get in Touch
Critical vulnerability discovered that allows remote code execution in SCADA/ICS environments
INEA software is used worldwide by organisations in the energy, transportation, water, and wastewater industry sectors.
The US Cybersecurity and Infrastructure Agency (CISA) published an Industrial Control Systems (ICS) advisory for a vulnerability in an ME remote terminal unit (RTU) of INEA firmware, tracked as CVE-2023-2131 (CVSSv3 Score: 9.8 – Critical).
At the time of writing there are no known publicly available exploits of this vulnerability, according to CISA.
CVE-2023-2131 pertains to a vulnerability involving an OS command injection, which could allow a threat actor to remotely execute arbitrary code. Depending on the utilisation of the RTU, having control of a system that interfaces between the Supervisory Control and Data Acquisition (SCADA) and the instrumentation devices could be detrimental to business operations.
Security updates have been released for this vulnerability. As such, previous versions are vulnerable to potential exploit.
– INEA ME RTU firmware versions prior to 3.36.
Containment, Mitigations & Remediations
It is strongly recommended that organisations using ME RTU firmware update to version 3.36 or later.
Additionally, CISA recommends the following mitigations to remediate CVE-2023-2131:
– Ensure control systems and devices are not accessible from the internet and minimise network exposure for these systems
– Place remote devices and control systems behind firewalls and isolate them from the rest of the network
– When using remote access devices, implement Virtual Private Networks (VPNs) to add a layer of security to communications.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
The ME RTU enables communications via cellular network between remote field devices and their control centre. Although there are no reports of in-the-wild exploitation of this vulnerability, SCADA/ICS environments remain a prime target for attackers, especially advanced persistent threat (APT) actors who seek to disrupt critical infrastructure to achieve their strategic objectives.
Further, due to the long lifetime of ICS systems, and the prioritisation of operational availability, many industrial organisations use legacy products and software within their operational technology (OT) networks. This makes it difficult to patch vulnerabilities and also increases the attack surface for threat actors.
No attribution to specific threat actors or groups has been identified at the time of writing.
Common Weakness Enumeration:
– CWE-78 – Improper Neutralisation of Special Elements used in an OS Command (‘OS Command Injection’)