A critical vulnerability has been discovered in a remote terminal unit (RTU) produced by Slovenia-based industrial automation company Inea, potentially exposing industrial organizations to remote attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory last week to inform organizations about the flaw, which is tracked as CVE-2023-2131 and has been assigned the maximum CVSS score of 10. Inea has released a firmware update that patches the issue. The vulnerability affects Inea ME RTUs running firmware versions prior to 3.36. It is an OS command injection bug that can lead to remote code execution. The affected product provides a data interface between remote field devices and the control center over a cellular network and is used worldwide in sectors such as energy, transportation, and water and wastewater.
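The advisory describes the bug only by its class, OS command injection, and gives no details of the affected input or the command involved. The block below is an added, generic illustration of that class, written for this page; it is not Inea's code and does not reproduce the CVE-2023-2131 bug. The parameter name `host`, the attacker value `INJECTED_HOST`, and the use of `echo` as a stand-in for a network diagnostic tool are all constructed for the example. It contrasts a shell-string builder with two fixes: quoting the value with `shlex.quote` if a shell cannot be avoided, and, preferably, an allow-list check plus an argv list with no shell at all.

```python
import re
import shlex
import subprocess

# Constructed attacker-controlled value, standing in for an HTTP parameter
# such as ?host=... on a device web interface. Hypothetical, not from the advisory.
INJECTED_HOST = "10.0.0.1; echo INJECTED"


def build_command_vulnerable(host: str) -> str:
    """Anti-pattern: interpolate untrusted input into a shell command string."""
    return f"echo pinging {host}"


def run_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ';' terminates the
    # intended command and starts the attacker's. Returns captured stdout.
    result = subprocess.run(build_command_vulnerable(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_quoted(host: str) -> str:
    """Mitigation 1: shlex.quote wraps the value so the shell sees one word."""
    cmd = f"echo pinging {shlex.quote(host)}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Mitigation 2: allow-list the value (hostname/IP characters only) and never
# involve a shell. The regex is a deliberately strict example, not a full RFC check.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_accepted(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def build_command_hardened(host: str) -> list:
    """Return an argv list; each element is passed to the program verbatim."""
    if not is_accepted(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["echo", "pinging", host]


def run_hardened(host: str) -> str:
    result = subprocess.run(build_command_hardened(host),
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED_HOST)))
    print("quoted:    ", repr(run_quoted(INJECTED_HOST)))
    print("hardened accepts injected value:", is_accepted(INJECTED_HOST))
    print("hardened:  ", repr(run_hardened("rtu.example.net")))
```

Run on a POSIX system, the vulnerable path prints a second line, `INJECTED`, that the program never intended to emit; the quoted path prints the whole attacker string as one literal argument; the hardened path refuses the value before any process is spawned. On an embedded device the equivalent fix is the same: validate against an allow-list and call `execve`-style APIs with an argument vector rather than `system()` with a formatted string.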
The vulnerability was discovered and responsibly disclosed by Floris Hendriks, a researcher pursuing his master’s degree in cybersecurity at Radboud University in the Netherlands. Hendriks found the vulnerability as part of a larger research project into the security of ICS remote management devices. He and another researcher from Radboud University were recently credited by CISA for serious flaws found in Contec and Control By Web products. As part of this project, Hendriks has developed a method for discovering devices using the Censys search engine. Once devices are identified online, their firmware is analyzed for vulnerabilities.
Hendriks said that the Inea RTU vulnerability can be exploited without authentication directly from the internet, and that he has identified a couple of internet-exposed devices. "The exploit can be run from the public internet, the attacker does not have to be on the local network," Hendriks explained. Successful exploitation of CVE-2023-2131 gives the attacker root privileges on the targeted RTU, and therefore complete control of the device. The real-world impact depends on what the RTU is used for, but the flaw could allow an attacker to disrupt the process it controls.
"It is an RTU, which means that it is a device that sits between the SCADA and the instrumentation devices," Hendriks explained. "As you can control the RTU, you can change both the inputs and outputs. It depends on what the organization uses the RTU for, but if it is used to, for example, open/close pumps or a water gate, then the attacker is able to control that as well."

"The attacker is also able to crash the system, which can have an enormous impact on the industrial processes of an organization," the researcher added. "An attacker can also use it for network pivoting, to get, for example, access to the local network of the organization."