MB connect line: two vulnerabilities in mymbCONNECT24, mbCONNECT24 <= 2.8.0

VDE-2021-030 (2021-07-22 13:33 UTC+0200)

Affected Vendors

MB connect line

Affected Products

mymbCONNECT24, mbCONNECT24 <= 2.8.0

Vulnerability Type

Observable Response Discrepancy (CWE-203)

Summary

Two issues have been discovered in mymbCONNECT24 and mbCONNECT24 in all versions
up to and including V2.8.0.

Impact

CVE-2021-34574
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CWE: Incorrect Resource Transfer Between Spheres (CWE-669)

An authenticated attacker can change the password of their own account to a new password that violates the password policy by intercepting and modifying the request that is sent to the server, because the policy is only enforced client-side.

CVE-2021-34575
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE: Observable Response Discrepancy (CWE-204)

An unauthenticated user can enumerate valid usernames by observing how the server's response differs depending on whether the submitted account exists.
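As an added defensive illustration (not the vendor's code), the following minimal Python account service closes both bug classes described above: it re-validates the password policy server-side on every change request instead of trusting the client form (CVE-2021-34574), and it returns the same status, the same message and the same amount of hashing work whether the account exists or the password is merely wrong (CVE-2021-34575). The in-memory user store, the policy rules and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory user store for the example: username -> (salt, hash).
_USERS = {}
_DUMMY_SALT = os.urandom(16)


def _hash(password, salt):
    # Assumed hashing parameters; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Pre-computed so unknown users cost exactly one PBKDF2 run, like real ones.
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def password_meets_policy(password):
    """Assumed policy: >= 12 chars with upper, lower, digit and symbol.
    Enforced on the server, so a modified request cannot bypass it."""
    return (len(password) >= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def verify_login(username, password):
    """Same code path for unknown users and wrong passwords: a hash is
    always computed and compared in constant time, and only then is the
    (cheap) existence check folded in, so neither response nor timing
    reveals whether the username is valid."""
    salt, expected = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), expected)
    return matches and username in _USERS


def login(username, password):
    if verify_login(username, password):
        return {"status": 200, "message": "login successful"}
    # One generic failure for both "no such user" and "wrong password".
    return {"status": 401, "message": "invalid username or password"}


def register(username, password):
    if not password_meets_policy(password):
        return {"status": 400, "error": "password does not meet policy"}
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash(password, salt))
    return {"status": 200}


def change_password(username, old_password, new_password):
    """Re-checks the policy on every change, regardless of what the
    client form claimed to have validated."""
    if not verify_login(username, old_password):
        return {"status": 403, "error": "authentication failed"}
    if not password_meets_policy(new_password):
        return {"status": 400, "error": "password does not meet policy"}
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash(new_password, salt))
    return {"status": 200}
```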

Solution

Update to 2.9.0

Reported by

OTORIO reported the vulnerabilities to MB connect line.

CERT@VDE coordinated.