Share: Email | Twitter

ID

VDE-2021-031

Published

2021-07-22 13:33 (CEST)

Last update

2021-07-22 13:33 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No° Product Name Affected Version(s)
mbCONNECT24 <= 2.8.0
mymbCONNECT24 <= 2.8.0

Summary

Two vulnerabilities in mbCONNECT24 and mymbCONNECT24 can lead to information disclosure and arbitrary code execution.

Please consult the CVE entries for details.

Vulnerabilities



CVE-2020-9498
6.7
Last Update
7. September 2021 09:27
Severity
6.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
Weakness
Out-of-bounds Write (CWE-787)
Summary

Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.

Details
nvd.nist.gov 
CVE-2020-9497
4.4
Last Update
7. September 2021 09:27
Severity
4.4 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)
Weakness
Improper Input Validation (CWE-20)
Summary

Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.

Details
nvd.nist.gov 

Solution

Update to 2.9.0

Reported by

MB connect line reported this vulnerability to CERT@VDE.