Summary
Multiple vulnerabilities have been discovered in Helmholz products that could allow RCE or unauthorized file access. CVE-2024-45272 affects the myREX24 V2 and myREX24.virtual products, while CVE-2024-45273 affects the REX200/250, myREX24 V2, myREX24.virtual and REX300 products.
Impact
CVE-2024-45272 allows brute force attack of remote credentials with positive success chances.
CVE-2024-45273 allows undetectable tampering and manipulation of encrypted configuration files.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Helmholz REX200/250 | Firmware <=8.2.0 | |
| Helmholz REX300 | Firmware <=5.1.11 | |
| Helmholz myREX24 V2 | Firmware <=2.16.2 | |
| Helmholz myREX24.virtual | Firmware <=2.16.2 |
Vulnerabilities
Expand / Collapse allAn unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used.
An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection lost.
Remediation
Update REX200/250 to the version 8.2.1\
Update myREX24 V2, myREX24.virtual to the version 2.16.3\
Note: REX 300 devices are EOL and will not receive any further updates.
Acknowledgments
Helmholz GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
- Moritz Abrell from SySS GmbH for reporting (see https://www.syss.de )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 15.10.2024 10:00 | Initial revision. |
| 2 | 06.11.2024 12:27 | Fix: correct certvde domain, added self-reference |