
ID

VDE-2024-068

Published

2024-10-15 10:00 (CEST)

Last update

2024-10-15 10:19 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No°   Product Name          Affected Version(s)
              mbCONNECT24           <= 2.16.2
              mbNET HW1             <= 5.1.11
              mbNET/mbNET.rokey     <= 8.2.0
              mbSPIDER              <= 2.6.5
              mymbCONNECT24         <= 2.16.2

Summary

Multiple vulnerabilities have been discovered in MB connect line products that could allow RCE or unauthorized file access. CVE-2024-45272 affects the mbCONNECT24 and mymbCONNECT24 products, while CVE-2024-45273 affects the mbNET/mbNET.rokey, mbCONNECT24, mymbCONNECT24, mbNET HW1, and mbSPIDER products.

Vulnerabilities

CVE-2024-45273

Last Update
Oct. 15, 2024, 9:13 a.m.
Weakness
Weak Encoding for Password (CWE-261)
Summary

An unauthenticated local attacker can decrypt the device's config file and therefore compromise the device, due to a weak implementation of the encryption used.

CVE-2024-45272

Last Update
Oct. 15, 2024, 9:13 a.m.
Weakness
Use of Weak Credentials (CWE-1391)
Summary

An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection loss.

Impact

CVE-2024-45272 allows brute-force attacks against remote credentials with a high probability of success.

CVE-2024-45273 allows undetectable tampering and manipulation of encrypted configuration files.

Solution

Remediation

  • Update mbNET/mbNET.rokey to version 8.2.1.
  • Update mbCONNECT24 and mymbCONNECT24 to version 2.16.3.

Note: mbNET HW1 and mbSPIDER are EOL and will not receive any further updates.

Reported by

CERT@VDE coordinated with Red Lion Europe

Reported by Moritz Abrell of SySS GmbH