| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| myREX24 V2 | < 2.16.2 | |
| myREX24.virtual | < 2.16.2 | |
| REX 200 | < 8.2.0 | |
| REX 250 | < 8.2.0 |
The data24 service that is bundled with every installation of myREX24/myREX24.virtual has two serious flaws in core components. These combined can lead to a complete loss of confidentiality, integrity and availability.
An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected.
A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS.
CVE-2024-23943: A total loss of confidentiality and integrity, for individual devices or the whole service, is possible.
CVE-2024-23942: An attacker in possession of the device's configuration file can impersonate the real device. This also allows to prevent the real device from connecting successful.
Mitigation
CVE-2024-23942: If the device's serial number is known to mbCONNECT24/mymbCONNECT24 before the downloadable configuration is created, that configuration will be encrypted allowing only the correct device to decrypt it.
Remediation
Update to latest version: 2.16.2
CVE-2024-23943: This fix does not apply to REX 200/REX 250 devices with firmware 8.0.0 - 8.1.3. If you are using a device with this firmware, please update it to >= 8.2.0.
CERT@VDE coordinated with Helmholz