
ID

VDE-2024-069

Published

2024-10-15 10:00 (CEST)

Last update

2024-10-15 09:16 (CEST)

Vendor(s)

Helmholz GmbH & Co. KG

Product(s)

Article No°   Product Name        Affected Version(s)
              myREX24 V2          <= 2.16.2
              myREX24.virtual     <= 2.16.2
              REX200/250          <= 8.2.0
              REX300              <= 5.1.11

Summary

Multiple vulnerabilities have been discovered in Helmholz products that could allow RCE or unauthorized file access. CVE-2024-45272 affects the myREX24 V2 and myREX24.virtual products, while CVE-2024-45273 affects the REX200/250, myREX24 V2, myREX24.virtual and REX300 products.

Vulnerabilities

CVE-2024-45273

Last Update
Oct. 15, 2024, 9:13 a.m.
Weakness
Weak Encoding for Password (CWE-261)
Summary

An unauthenticated local attacker can decrypt the device's config file, and therefore compromise the device, due to a weak implementation of the encryption used.

CVE-2024-45272

Last Update
Oct. 15, 2024, 9:13 a.m.
Weakness
Use of Weak Credentials (CWE-1391)
Summary

An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in lost connections.

Impact

CVE-2024-45272 allows brute-force attacks against remote credentials with a high probability of success.

CVE-2024-45273 allows undetectable tampering and manipulation of encrypted configuration files.

Solution

Remediation

  • Update REX200/250 to version 8.2.1
  • Update myREX24 V2 and myREX24.virtual to version 2.16.3

Note: REX300 devices are EOL and will not receive any further updates.

Reported by

CERT@VDE coordinated with Helmholz

Reported by Moritz Abrell of SySS GmbH