MB connect line: Multiple Vulnerabilities in mymbCONNECT24 and mbCONNECT24 <= v2.6.1

VDE-2020-035 (2020-09-18 14:30 UTC+0200)

Affected Vendors

MB connect line

Affected Products

mymbCONNECT24 and mbCONNECT24 <= v2.6.1

Vulnerability Type

multiple

Summary

Multiple issues exist in mymbCONNECT24 and mbCONNECT24. Please see the Impact section for details.

Impact

Ref#ID: SIM#2020-04-1-a
Title: Blind SQL injection on mbConnect service
CVE: CVE-2020-24569
CVSS: 7.1 (CVSS:3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
Vuln-Type: CWE-89: SQL Injection
Description: 
An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.1. There is a blind SQL injection in the knximport component via an advanced attack vector, allowing logged-in attackers to discover arbitrary information.
Note: For remote attackers, this issue can be completely mitigated by using a restrictive external firewall.

Ref#ID: SIM#2020-04-1-b
Title: Blind SQL injection on mbConnect service
CVE: CVE-2020-24568
CVSS: 7.1 (CVSS:3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
Vuln-Type: CWE-89: SQL Injection
Description: 
An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information.

Ref#ID: SIM#2020-04-1-c
Title: SSRF/CSRF on mbConnect service
CVE: CVE-2020-24570
CVSS: 8.8 (CVSS:3.1:AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-352: Cross-Site Request Forgery
Description: 
An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.1. There is an SSRF and CSRF issue in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a specially crafted link.

Ref#ID: SIM#2020-04-1-d
Title: Unauthenticated RCE on mbConnect Service
CVE: no CVE assigned
CVSS: 9.8 (CVSS:3.1:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vuln-Type: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description: 
An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.1. An attacker could use outdated and unused third-party software bundled with the product to gain RCE via an exploit chain.

Solution

Update mymbCONNECT24 and mbCONNECT24 to a version later than v2.6.1.

Reported by

OTORIO reported these vulnerabilities to MB connect line. CERT@VDE coordinated.