VDE-2024-030 | CERT@VDE

2024-07-03 11:00 (CEST) VDE-2024-030

Red Lion Europe: mbNET.mini vulnerable to OS command injection

Share: Email | Twitter

ID

VDE-2024-030

Published

2024-07-03 11:00 (CEST)

Last update

2024-07-03 15:35 (CEST)

Vendor(s)

Red Lion Europe GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	mbNET.mini	<= 2.2.11

Summary

There exists a vulnerability in all mbNET.mini devices with firmware <= 2.2.11 that allows an authenticated attacker to execute arbitrary system commands via GET requests.

Update: 03.07.2024 3:30 pm

In section Reported by Sebastian Dietz (CyberDanube) was added.

CVE ID

CVE-2024-5672

Last Update:

Aug. 30, 2024, 9:24 a.m.

Severity

7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command.

Details

cert.vde.com

Impact

See CVE description.

Solution

Mitigation

As this is an authenticated exploit, you can mitigate it by making sure that no malicious actor can login to a vulnerable device.

Remediation

Update to latest version: 2.2.13

Reported by

CERT@VDE coordinated with Red Lion Europe

Reported by Sebastian Dietz (CyberDanube)