MB connect line: Privilege escalation in mbDIALUP <= 3.9R0.0

Multiple vulnerabilities can lead to arbitrary code execution.

VDE-2021-017 (2021-07-22 13:33 UTC+0200)

Affected Vendors

MB connect line GmbH

Affected Products

mbDIALUP <= 3.9R0.0

Vulnerability Type

Improper Privilege Management (CWE-269)

Summary

Multiple vulnerabilities in mbConnect24serv (a software service of mbDIALUP) can lead to arbitrary code execution due to improper privilege management.

Impact

CVE-2021-33526
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE: Improper Privilege Management (CWE-269)

A low-privileged local attacker can send a command to the service, which runs as NT AUTHORITY\SYSTEM, instructing it to execute a malicious OpenVPN configuration. This results in arbitrary code execution with the privileges of the service.
Please note: This was intended behaviour as stated here.

CVE-2021-33527
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

A low-privileged local attacker can send a command to the service, which runs as NT AUTHORITY\SYSTEM and does not correctly validate the input. This results in arbitrary code execution with the privileges of the service.

Solution

Update to 3.9R0.5

Reported by

Noam Moshe of Claroty reported this vulnerability to MB connect line GmbH.

CERT@VDE coordinated.