ID

VDE-2021-031

Published

2021-07-22 13:33 (CEST)

Last update

2021-07-22 13:33 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No° Product Name Affected Version(s)
mbCONNECT24 <= 2.8.0
mymbCONNECT24 <= 2.8.0

Summary

Two vulnerabilities in mbCONNECT24 and mymbCONNECT24 can lead to information disclosure and arbitrary code execution.

Please consult the CVE entries for details.

Vulnerabilities



Last Update
Sept. 7, 2021, 9:27 a.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

Last Update
Sept. 7, 2021, 9:27 a.m.
Weakness
Improper Input Validation (CWE-20)
Summary

Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

Solution

Update to 2.9.0

Reported by

MB connect line reported this vulnerability to CERT@VDE.