MB connect line: Multiple vulnerabilities in mymbCONNECT24 and mbCONNECT24 <= 2.6.2

VDE-2021-003 (2021-02-15 15:10 UTC+0200)

Affected Vendors

MB connect line

Affected Products

mymbCONNECT24 <= 2.6.2

mbCONNECT24 <= 2.6.2

Vulnerability Type

Improper Privilege Management (CWE-269)

Summary

Multiple vulnerabilities have been found in mymbCONNECT24 and mbCONNECT24. 

Impact

CVE-ID: CVE-2020-35557
CVSS-Score: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-ID: CWE-269: Improper Privilege Management
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper access validation allows a logged-in user to see devices in the account that he should not have access to.

CVE-ID: CVE-2020-12527
CVSS-Score: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-ID: CWE-269: Improper Privilege Management
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper access validation allows a logged-in user to interact with devices in the account that he should not have access to.

CVE-ID: CVE-2020-12528
CVSS-Score: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-ID: CWE-269: Improper Privilege Management
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper access validation allows a logged-in user to kill web2go sessions in the account that he should not have access to.
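The three CWE-269 entries above share one shape: an object (device, web2go session) is looked up by its id alone, so the account boundary is never checked. The following is an added illustration of that pattern and its fix in a generic form; it is not MB connect line's code, Python stands in for the product's PHP, and every name, data structure and sample record in it is hypothetical and constructed for the example.

```python
"""Account-scoped authorization (added illustration, not MB connect line code).

Generic root cause of the advisory's CWE-269 entries: an object lookup keyed
by the object id alone. The fix keys every lookup by (caller's account,
object id) and returns the same error for "missing" and "foreign", so ids
belonging to other accounts cannot be probed. All data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when an object is missing or belongs to another account."""


@dataclass(frozen=True)
class User:
    user_id: int
    account_id: int


@dataclass(frozen=True)
class Device:
    device_id: int
    account_id: int
    name: str


# Constructed sample data: two accounts (100 and 200), three devices,
# and two remote-access sessions, each bound to a device.
DEVICES: dict[int, Device] = {
    1: Device(1, 100, "router-a"),
    2: Device(2, 100, "router-b"),
    3: Device(3, 200, "router-c"),
}
SESSIONS: dict[str, int] = {"s1": 1, "s2": 3}  # session id -> device id


def get_device_vulnerable(user: User, device_id: int) -> Device:
    """The flawed pattern: a lookup by id only. Any logged-in user, in any
    account, obtains any device whose id they can guess."""
    return DEVICES[device_id]


def get_device(user: User, device_id: int) -> Device:
    """Hardened lookup: the device must exist AND belong to the caller's account."""
    device = DEVICES.get(device_id)
    if device is None or device.account_id != user.account_id:
        # Identical error for both cases: no account-membership oracle.
        raise AuthorizationError("device not found in this account")
    return device


def can_access_device(user: User, device_id: int) -> bool:
    """Boolean form of get_device for callers that only need a decision."""
    try:
        get_device(user, device_id)
        return True
    except AuthorizationError:
        return False


def kill_session(user: User, session_id: str) -> bool:
    """Terminate a session only if its device is in the caller's account.
    Returns True on success; raises AuthorizationError otherwise."""
    device_id = SESSIONS.get(session_id)
    if device_id is None:
        raise AuthorizationError("session not found in this account")
    get_device(user, device_id)  # raises if the device is foreign
    del SESSIONS[session_id]
    return True


def list_devices(user: User) -> list[Device]:
    """Enumeration filtered by account at the data layer, not in the template."""
    return [d for d in DEVICES.values() if d.account_id == user.account_id]


if __name__ == "__main__":
    alice = User(user_id=1, account_id=100)
    print("vulnerable lookup leaks:", get_device_vulnerable(alice, 3))
    print("hardened lookup:", can_access_device(alice, 1), can_access_device(alice, 3))
    print("alice's devices:", [d.name for d in list_devices(alice)])
```

The point to carry over to a real code base is the second function: the account check lives inside the lookup, so every caller (view, interact, kill session) inherits it, rather than each endpoint remembering to add its own filter.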

CVE-ID: CVE-2020-35570
CVSS-Score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-ID: CWE-552: Files or Directories Accessible to External Parties
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing.

CVE-ID: CVE-2020-35558
CVSS-Score: 5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-ID: CWE-918: Server-Side Request Forgery (SSRF)
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an SSRF in the MySQL access check, allowing an attacker to scan for open ports and gain some information about possible credentials.

CVE-ID: CVE-2020-12529
CVSS-Score: 5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-ID: CWE-918: Server-Side Request Forgery (SSRF)
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an SSRF in the LDAP access check, allowing an attacker to scan for open ports.

CVE-ID: CVE-2020-35560
CVSS-Score: 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE-ID: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an unauthenticated open redirect in the redirect.php.

CVE-ID: CVE-2020-12530
CVSS-Score: 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an XSS issue in redirect.php allowing an attacker to inject code via a GET parameter.
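The two redirect.php entries above (CVE-2020-35560, open redirect; CVE-2020-12530, reflected XSS via a GET parameter) are the two failure modes of a redirect endpoint. The following is an added example of the generic controls for such a page; it is not MB connect line's code and does not describe how redirect.php actually works. Python stands in for PHP, and the parameter handling, default target and host allowlist are hypothetical.

```python
"""Hardening a redirect endpoint against open redirect and reflected XSS
(added illustration, not MB connect line code).

safe_redirect_target() accepts a target only when it is a same-site path or an
absolute http(s) URL to an explicitly allowed host; render_redirect_page()
escapes the target before reflecting it into HTML. Host list and names are
hypothetical.
"""
from __future__ import annotations

import html
from typing import Iterable, Optional
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # hypothetical fallback when the parameter is unsafe


def safe_redirect_target(raw: Optional[str], allowed_hosts: Iterable[str] = ()) -> Optional[str]:
    """Return `raw` if it is a safe redirect target, else None.

    Rejections, in order:
      * empty / non-string, or any control character (CR/LF would allow
        header injection into the Location header);
      * backslashes (browsers treat "\\" as "/", so "/\\evil" means "//evil");
      * anything starting with "//" (scheme-relative: a different host;
        "///evil" also resolves to host "evil" in browsers);
      * absolute URLs unless the scheme is http(s) and the host is allowlisted
        (compared on .hostname, so "allowed@evil" userinfo tricks do not help);
      * relative targets that do not start with "/".
    """
    if not raw or not isinstance(raw, str):
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return None
    if "\\" in raw or raw.startswith("//"):
        return None
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        if parts.scheme.lower() not in ("http", "https"):
            return None  # javascript:, data:, mailto:, ...
        allowed = {h.lower() for h in allowed_hosts}
        if parts.hostname is None or parts.hostname.lower() not in allowed:
            return None
        return raw
    if not parts.path.startswith("/"):
        return None
    return raw


def resolve_redirect(raw: Optional[str], allowed_hosts: Iterable[str] = ()) -> str:
    """Value actually used for the Location header: validated, or the default."""
    return safe_redirect_target(raw, allowed_hosts) or DEFAULT_TARGET


def render_redirect_page(target: str) -> str:
    """Interstitial page that reflects the target. html.escape() with quote=True
    neutralises both the text and the attribute context, which is the control a
    reflected XSS through a GET parameter lacks."""
    safe = html.escape(target, quote=True)
    return f'<p>Redirecting to <a href="{safe}">{safe}</a></p>'


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/", "javascript:alert(1)",
                      "https://portal.example.test/home"]:
        print(repr(candidate), "->", resolve_redirect(candidate, ["portal.example.test"]))
    print(render_redirect_page('/x"><script>alert(1)</script>'))
```

Two design notes: the checks run on the raw string before parsing because the dangerous inputs (backslashes, leading `//`) are exactly the ones URL parsers and browsers disagree on, and the fallback to a fixed default means an invalid parameter degrades to a harmless redirect rather than an error page that itself reflects the input.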

CVE-ID: CVE-2020-35563
CVSS-Score: 3.5 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an incomplete XSS filter allowing an attacker to inject specifically crafted malicious code into the page.

CVE-ID: CVE-2020-35564
CVSS-Score: 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an outdated and unused component allowing for malicious user input of active code.

CVE-ID: CVE-2020-35569
CVSS-Score: 3.3 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is a self XSS issue with a crafted cookie in the login page.

CVE-ID: CVE-2020-35566
CVSS-Score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-ID: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion.

CVE-ID: CVE-2020-35559
CVSS-Score: 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE-ID: CWE-400: Uncontrolled Resource Consumption
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an unused function that allows an authenticated attacker to use up all available IPs of an account, thus preventing the creation of new devices and users.

CVE-ID: CVE-2020-35568
CVSS-Score: 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-ID: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. An incomplete filter applied to a database response allows an authenticated attacker to gain non-public information about other users and devices in the account. No security-relevant information was accessible.

CVE-ID: CVE-2020-35567
CVSS-Score: 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-ID: CWE-798: Use of Hard-coded Credentials
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. The software uses a secure password for database access, but this password is shared between instances.

CVE-ID: CVE-2020-35565
CVSS-Score: 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-ID: CWE-1188: Insecure Default Initialization of Resource
Description: An issue was discovered in the mymbCONNECT24 software in all versions through V2.6.2. The login page's brute-force detection is disabled by default.

CVE-ID: CVE-2020-35561
CVSS-Score: 5.8 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-ID: CWE-918: Server-Side Request Forgery (SSRF)
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports.
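The three CWE-918 entries (the MySQL and LDAP access checks, CVE-2020-35558 and CVE-2020-12529, and the HA module, CVE-2020-35561) describe the same feature class: a server-side connectivity test that connects to a caller-supplied host and port and thereby reports which ports are open, in the MySQL case also leaking hints about credentials. The following is an added example of a target-validation policy for such a check; it is not MB connect line's code and does not describe the product's implementation. Python stands in for PHP, and the check names, port table, operator allowlist and resolver hook are hypothetical. Because the advisory's own mitigation for the HA case is a firewall on the LAN side, the policy below allows LAN addresses only for hosts an operator has explicitly configured rather than rejecting them outright.

```python
"""SSRF-resistant target validation for a connectivity "access check"
(added illustration, not MB connect line code).

Policy: require an authenticated caller; accept only the ports the tested
protocol uses; resolve the name server-side and reject loopback, link-local,
unspecified and multicast addresses; allow private (LAN) addresses only for
operator-configured hosts; connect to the validated address, not the name;
report pass/fail only. Check names, ports and sample hosts are hypothetical.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class TargetRejected(ValueError):
    """Raised before any socket is opened when the target violates policy."""


# Hypothetical: the only ports each kind of check may probe.
ALLOWED_PORTS: dict[str, set[int]] = {
    "mysql": {3306},
    "ldap": {389, 636},
    "ha-peer": {443},
}


def default_resolver(host: str) -> list[str]:
    """Resolve a host name to its address strings (A and AAAA) via the OS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed, offline stand-in for DNS used by __main__ and by tests.
STATIC_NAMES: dict[str, list[str]] = {
    "db.example.test": ["10.0.0.5"],
    "rebind.example.test": ["127.0.0.1"],
}


def static_resolver(host: str) -> list[str]:
    return STATIC_NAMES.get(host, [])


def validate_check_target(
    check: str,
    host: str,
    port: int,
    *,
    authenticated: bool,
    operator_allowlist: Iterable[str] = (),
    resolver: Callable[[str], list[str]] = default_resolver,
) -> list[IPAddress]:
    """Return the validated addresses to connect to, or raise TargetRejected.

    Callers must connect to one of the returned addresses rather than
    re-resolving `host`; otherwise a DNS change between validation and
    connect (rebinding) would bypass the address checks."""
    if not authenticated:
        raise TargetRejected("access checks require an authenticated user")
    if port not in ALLOWED_PORTS.get(check, set()):
        raise TargetRejected(f"port {port} is not valid for a {check!r} check")

    try:
        addrs: list[IPAddress] = [ipaddress.ip_address(host)]  # literal address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise TargetRejected("host does not resolve") from exc
    if not addrs:
        raise TargetRejected("host does not resolve")

    trusted = host in set(operator_allowlist)
    for addr in addrs:
        if addr.is_loopback or addr.is_link_local or addr.is_unspecified or addr.is_multicast:
            raise TargetRejected(f"{addr} is never a valid check target")
        if addr.is_private and not trusted:
            raise TargetRejected(f"{addr} is a LAN address and {host!r} is not operator-configured")
    return addrs


def is_allowed_target(check: str, host: str, port: int, **kw) -> bool:
    """Boolean wrapper for callers that only need a decision."""
    try:
        validate_check_target(check, host, port, **kw)
        return True
    except TargetRejected:
        return False


def report_outcome(connected: bool) -> str:
    """Expose pass/fail only: never echo the remote banner or driver error
    text, which is how a check can leak hints about credentials."""
    return "reachable" if connected else "unreachable"


if __name__ == "__main__":
    print(is_allowed_target("mysql", "db.example.test", 3306, authenticated=True,
                            operator_allowlist=["db.example.test"], resolver=static_resolver))
    print(is_allowed_target("mysql", "rebind.example.test", 3306, authenticated=True,
                            resolver=static_resolver))
```

Note that Python's `ipaddress` counts the RFC 5737 documentation ranges (for example 192.0.2.0/24 and 203.0.113.0/24) as private, so they behave like LAN addresses under this policy; the constructed public address in the test below deliberately avoids them.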

CVE-ID: CVE-2020-10384
CVSS-Score: 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-ID: CWE-269: Improper Privilege Management
Description: An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.1. There is a local privilege escalation from the www-data account to the root account.

Solution

CVE-2020-35557, CVE-2020-12527, CVE-2020-12528, 
CVE-2020-35570, CVE-2020-35558, CVE-2020-12529, 
CVE-2020-35560, CVE-2020-12530, CVE-2020-35563, 
CVE-2020-35564, CVE-2020-35569, CVE-2020-35566, 
CVE-2020-35559, CVE-2020-35568: Update to version 2.7.1

CVE-2020-10384: Update to version 2.6.2 to close any known way to get to www-data.
Note: This issue only exists up until version 2.6.1 and has already been addressed in 2.6.2.

CVE-2020-35567: None
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

CVE-2020-35565: None
Mitigation: Activate bruteforce detection via Security → Fail2Ban → WebLogin
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

CVE-2020-35561: None
Mitigation: Avoid vulnerable open ports on the LAN side of the server by using a firewall solution
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

Reported by

OTORIO reported the vulnerabilities to MB connect line.

CERT@VDE coordinated.