Critical vulnerability discovered that allows remote code execution in SCADA/ICS environments

Target Industry

INEA software is used worldwide by organisations in the energy, transportation, water, and wastewater industry sectors.

Overview

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control Systems (ICS) advisory for a vulnerability in the firmware of the INEA ME remote terminal unit (RTU), tracked as CVE-2023-2131 (CVSSv3 Score: 9.8 – Critical).

At the time of writing, there are no known publicly available exploits for this vulnerability, according to CISA.

Impact

CVE-2023-2131 is an OS command injection vulnerability that could allow a threat actor to remotely execute arbitrary code on the device. Depending on how the RTU is deployed, control of a system that sits between the Supervisory Control and Data Acquisition (SCADA) layer and the field instrumentation could be detrimental to business operations.

Incident Detection

A security update has been released for this vulnerability; firmware versions prior to the fixed release remain vulnerable to potential exploitation.

Affected Products

– INEA ME RTU firmware versions prior to 3.36.

Containment, Mitigations & Remediations

It is strongly recommended that organisations using ME RTU firmware update to version 3.36 or later.

Additionally, CISA recommends the following mitigations to remediate CVE-2023-2131:

– Ensure control systems and devices are not accessible from the internet, and minimise network exposure for these systems.

– Place remote devices and control systems behind firewalls and isolate them from the rest of the network.

– When remote access is required, implement Virtual Private Networks (VPNs) to add a layer of security to communications.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

The ME RTU enables communications via cellular network between remote field devices and their control centre. Although there are no reports of in-the-wild exploitation of this vulnerability, SCADA/ICS environments remain a prime target for attackers, especially advanced persistent threat (APT) actors who seek to disrupt critical infrastructure to achieve their strategic objectives.

Further, due to the long lifetime of ICS systems, and the prioritisation of operational availability, many industrial organisations use legacy products and software within their operational technology (OT) networks. This makes it difficult to patch vulnerabilities and also increases the attack surface for threat actors.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration:

CWE-78 – Improper Neutralisation of Special Elements used in an OS Command (‘OS Command Injection’)
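As an added illustration of the weakness class cited above (not code from INEA or from the advisory), the following shows the CWE-78 pattern beside its hardened form in a hypothetical RTU diagnostic handler that lets an operator ping a host. The endpoint, the `ping` use case and all sample inputs are constructed for this example.

```python
import re
import subprocess

# Hypothetical RTU diagnostic endpoint: an operator supplies a host to ping.
# Constructed to illustrate CWE-78; it is not the INEA ME RTU code.

# Allowlist: a dotted IPv4 address, or a hostname made of letters, digits,
# dots and hyphens that starts and ends with a letter or digit.
_TARGET_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)$"
)


def build_shell_command_vulnerable(target: str) -> str:
    """CWE-78 pattern: untrusted input is spliced into a command string that
    would be handed to a shell, so any shell metacharacter in `target`
    is interpreted as part of the command line rather than as data."""
    return f"ping -c 1 {target}"


def is_safe_target(target: str) -> bool:
    """True only if `target` matches the allowlist pattern exactly."""
    return _TARGET_RE.fullmatch(target) is not None


def build_argv_hardened(target: str) -> list[str]:
    """Hardened form: validate against the allowlist, then build an argv
    list so the input is passed as a single argument and no shell parses it."""
    if not is_safe_target(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    return ["ping", "-c", "1", target]


def run_diagnostic(target: str, dry_run: bool = True) -> list[str]:
    """Validate and, unless dry_run, execute with shell=False; returns argv."""
    argv = build_argv_hardened(target)
    if not dry_run:
        subprocess.run(argv, shell=False, check=False, timeout=10)
    return argv


if __name__ == "__main__":
    for t in ["10.0.0.5", "rtu-01.example", "10.0.0.5; id"]:
        print("vulnerable string:", build_shell_command_vulnerable(t))
        try:
            print("hardened argv:   ", run_diagnostic(t))
        except ValueError as err:
            print("hardened rejects:", err)
```

The third sample input is accepted verbatim by the vulnerable builder but rejected by the hardened path before any process is spawned, which is the property a code review for CWE-78 should look for.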

Further Information

CISA Advisory

INEA Advisory
