Helmholz Advisory Feed by CERT@VDE
https://cert.vde.com/de/advisories/
Updated: 2023-10-16T08:38:59+00:00
Feed for Helmholz Advisories by CERT@VDE

Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual
Published: 2023-10-16T08:38:58+00:00 | Updated: 2023-10-16T08:38:59+00:00 | Author: CERTVDE (https://cert.vde.com/de/advisories/author/certuser/) | Link: https://cert.vde.com/de/advisories/VDE-2023-043/
<h4>VDE-2023-043</h4>
<h4>Vendor(s)</h4>Helmholz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>myREX24</td><td> <= 2.14.2</td></tr><tr><td></td><td>myREX24.virtual</td><td> <= 2.14.2</td></tr></tbody></table><h4>Vulnerabilities:</h4>CVE-2023-4834: 4.3 (CVSS:3.1)<br><h4>Summary</h4><h4>Solution</h4>
<p>Update to latest version 2.14.3</p>
<h4>URL</h4><a href="https://cert.vde.com/de/advisories/VDE-2023-043/" target="_new">https://cert.vde.com/de/advisories/VDE-2023-043/</a>
Helmholz: Cross-site Scripting vulnerability in REX 200/REX 250
Published: 2023-08-17T12:00:05+00:00 | Updated: 2023-08-17T13:05:54+00:00 | Author: CERTVDE (https://cert.vde.com/de/advisories/author/certuser/) | Link: https://cert.vde.com/de/advisories/VDE-2023-029/
<h4>VDE-2023-029</h4>
<h4>Vendor(s)</h4>Helmholz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>REX 200</td><td> < 7.3.2</td></tr><tr><td></td><td>REX 250</td><td> < 7.3.2</td></tr></tbody></table><h4>Vulnerabilities:</h4>CVE-2023-34412: 4.8 (CVSS:3.1)<br><h4>Summary</h4><p>A stored XSS vulnerability has been found in REX 200 and REX 250 in all versions before 7.3.2.</p><h4>Impact</h4><p>A remote, authenticated attacker can fully compromise the browser session of all users accessing the device's web interface.</p><h4>Solution</h4>
<p>Update to 7.3.2</p><h4>URL</h4><a href="https://cert.vde.com/de/advisories/VDE-2023-029/" target="_new">https://cert.vde.com/de/advisories/VDE-2023-029/</a>
Helmholz: Multiple vulnerabilities in myREX24 and myREX24.virtual
Published: 2023-05-15T12:06:27+00:00 | Updated: 2023-05-15T12:06:30+00:00 | Author: CERTVDE (https://cert.vde.com/de/advisories/author/certuser/) | Link: https://cert.vde.com/de/advisories/VDE-2023-008/
<h4>VDE-2023-008</h4>
<h4>Vendor(s)</h4>Helmholz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>myREX24</td><td> <= 2.13.3</td></tr><tr><td></td><td>myREX24.virtual</td><td> <= 2.13.3</td></tr></tbody></table><h4>Vulnerabilities:</h4>CVE-2023-0985: 8.8 (CVSS:3.1)<br>CVE-2023-1779: 4.3 (CVSS:3.1)<br><h4>Summary</h4><p>Two vulnerabilities have been discovered in myREX24 and myREX24.virtual in all versions through 2.13.3.</p><h4>Impact</h4><p>Please consult the CVE entries.</p><h4>Solution</h4><p><b>Mitigation for CVE-2023-0985:</b></p>
<p>If you have MFA enabled on the admin user, the password will still be set, but the attacker will be unable to log in, as the MFA is still in place.</p>
<p><b>Remediation</b></p>
<p>Update to the latest version: 2.13.4</p><h4>URL</h4><a href="https://cert.vde.com/de/advisories/VDE-2023-008/" target="_new">https://cert.vde.com/de/advisories/VDE-2023-008/</a>
Helmholz: Multiple vulnerabilities in myREX24 and myREX24.virtual
Published: 2022-09-07T10:56:52+00:00 | Updated: 2022-09-07T10:56:56+00:00 | Author: CERTVDE (https://cert.vde.com/de/advisories/author/certuser/) | Link: https://cert.vde.com/de/advisories/VDE-2022-039/
<h4>VDE-2022-039</h4>
<h4>Vendor(s)</h4>Helmholz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>myREX24</td><td> <= 2.11.2</td></tr><tr><td></td><td>myREX24.virtual</td><td> <= 2.11.2</td></tr></tbody></table><h4>Vulnerabilities:</h4>CVE-2021-34575: 7.5 (CVSS:3.1)<br>CVE-2021-34574: 4.3 (CVSS:3.1)<br>CVE-2020-12530: 6.1 (CVSS:3.1)<br>CVE-2020-12528: 7.7 (CVSS:3.1)<br>CVE-2020-12529: 5.3 (CVSS:3.1)<br>CVE-2020-12527: 4.3 (CVSS:3.1)<br>CVE-2020-10384: 7.8 (CVSS:3.1)<br>CVE-2020-35561: 5.3 (CVSS:3.1)<br>CVE-2020-35565: 9.8 (CVSS:3.1)<br>CVE-2020-35567: 7.8 (CVSS:3.1)<br>CVE-2020-35568: 4.3 (CVSS:3.1)<br>CVE-2020-35559: 4.3 (CVSS:3.1)<br>CVE-2020-35566: 5.3 (CVSS:3.1)<br>CVE-2020-35569: 6.1 (CVSS:3.1)<br>CVE-2020-35564: 7.5 (CVSS:3.1)<br>CVE-2020-35563: 5.4 (CVSS:3.1)<br>CVE-2020-35560: 6.1 (CVSS:3.1)<br>CVE-2020-35558: 7.5 (CVSS:3.1)<br>CVE-2020-35570: 5.3 (CVSS:3.1)<br>CVE-2020-35557: 6.5 (CVSS:3.1)<br><h4>Summary</h4><p>Multiple vulnerabilities have been found in myREX24 and myREX24.virtual.</p><h4>Impact</h4><p>Please see the CVE entries.</p><h4>Solution</h4><p><strong>CVE-2020-35557, CVE-2020-35570, CVE-2020-35558,<br>CVE-2020-35566, CVE-2020-12527, CVE-2020-35568:</strong> Update to version 2.12.1</p>
<p><strong>CVE-2020-12528, CVE-2020-12529, CVE-2020-35560,<br>CVE-2020-12530, CVE-2020-35563, CVE-2020-35564,<br>CVE-2020-35569, CVE-2020-35559:</strong> Update to version >= 2.7.1</p>
<p><strong>CVE-2020-10384</strong>: Update to version 2.6.2 to close any known way to get to www-data.<br>Note: This issue only exists up until version 2.6.1 and has already been addressed in >= 2.6.2</p>
<p><strong>CVE-2020-35567</strong>: None<br>Note: A proper fix for the underlying issue will come with a future architectural core-system-update.</p>
<p><strong>CVE-2020-35565</strong>: None<br>Mitigation: Activate bruteforce detection via Security → Fail2Ban → WebLogin<br>Note: A proper fix for the underlying issue will come with a future architectural core-system-update. To further increase the security level of your account enable MFA.</p>
<p><strong>CVE-2020-35561</strong>: Update to version 2.12.1</p><h4>URL</h4><a href="https://cert.vde.com/de/advisories/VDE-2022-039/" target="_new">https://cert.vde.com/de/advisories/VDE-2022-039/</a>
Helmholz: Unauthenticated user enumeration in myREX24 and myREX24.virtual
Published: 2022-09-07T10:54:31+00:00 | Updated: 2022-09-07T10:54:55+00:00 | Author: CERTVDE (https://cert.vde.com/de/advisories/author/certuser/) | Link: https://cert.vde.com/de/advisories/VDE-2022-017/
<h4>VDE-2022-017</h4>
<h4>Vendor(s)</h4>Helmholz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>myREX24</td><td> <= 2.11.2</td></tr><tr><td></td><td>myREX24.virtual</td><td> <= 2.11.2</td></tr></tbody></table><h4>Vulnerabilities:</h4>CVE-2022-22520: 5.3 (CVSS:3.1)<br><h4>Summary</h4><p>An issue was discovered in myREX24 and myREX24.virtual in all versions through 2.11.2.</p><h4>Impact</h4><p>A remote, unauthenticated attacker can enumerate valid users with a timing attack against the webserver.</p><h4>Solution</h4><p>Update to version 2.12.1</p><h4>URL</h4><a href="https://cert.vde.com/de/advisories/VDE-2022-017/" target="_new">https://cert.vde.com/de/advisories/VDE-2022-017/</a>
Helmholz: Remote user enumeration in myREX24/myREX24-virtual
Published: 2021-12-08T12:04:10+00:00 | Updated: 2021-12-08T12:04:10+00:00 | Author: CERTVDE (https://cert.vde.com/de/advisories/author/certuser/) | Link: https://cert.vde.com/de/advisories/VDE-2021-058/
<h4>VDE-2021-058</h4>
<h4>Vendor(s)</h4>Helmholz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>myREX24</td><td> <= 2.9.0</td></tr><tr><td></td><td>myREX24-virtual</td><td> <= 2.9.0</td></tr></tbody></table><h4>Vulnerabilities:</h4>CVE-2021-34580: 7.5 (CVSS:3.1)<br><h4>Summary</h4><p>An issue was discovered in the myREX24 and myREX24-virtual software in all versions through V2.9.0.</p><h4>Solution</h4><p>Update myREX24/myREX24-virtual to 2.10.1</p><h4>URL</h4><a href="https://cert.vde.com/de/advisories/VDE-2021-058/" target="_new">https://cert.vde.com/de/advisories/VDE-2021-058/</a>
Helmholz: Privilege Escalation in shDialup (Update A)
Published: 2021-12-08T12:03:34+00:00 | Updated: 2022-03-28T11:03:54+00:00 | Author: CERTVDE (https://cert.vde.com/de/advisories/author/certuser/) | Link: https://cert.vde.com/de/advisories/VDE-2021-057/
<h4>VDE-2021-057</h4>
<h4>Vendor(s)</h4>Helmholz GmbH & Co. KG<br><h4>Product(s)</h4><table> <tbody> <tr> <th>Article No°</th> <th>Product Name</th> <th>Affected Version(s)</th> </tr><tr><td></td><td>shDialup</td><td> <= 3.9R0.0</td></tr></tbody></table><h4>Vulnerabilities:</h4>CVE-2021-33526: 7.8 (CVSS:3.1)<br>CVE-2021-33527: 9.8 (CVSS:3.1)<br><h4>Summary</h4><p>Multiple vulnerabilities in a software service of shDIALUP can lead to arbitrary code execution due to improper privilege management.</p>
<p><strong>Update A, 2022-03-28</strong></p>
<ul>
<li>Updated the CVSS score of CVE-2021-33527 from 7.8 to 9.8 due to new information about the vulnerability</li>
</ul><h4>Impact</h4><p>Please consult the CVE entries.</p><h4>Solution</h4><p>Update shDialup to 3.9R0.5</p><h4>URL</h4><a href="https://cert.vde.com/de/advisories/VDE-2021-057/" target="_new">https://cert.vde.com/de/advisories/VDE-2021-057/</a>