
A pair of security advisories released by CERT@VDE, in coordination with MB connect line and Helmholz, have revealed critical vulnerabilities in widely used industrial communication devices, posing significant cybersecurity risks. The advisories detail flaws in the myREX24, myREX24.virtual, mbCONNECT24, and related product lines, emphasizing the potential for severe consequences, including a “complete loss of confidentiality, integrity and availability.”
The vulnerabilities affect several products and versions, including:
- myREX24 V2 (<2.16.2)
- myREX24.virtual (<2.16.2)
- REX 200 (<8.2.0)
- REX 250 (<8.2.0)
- mbCONNECT24 (<2.16.2)
- mbNET (<8.2.0)
- mbNET.rokey (<8.2.0)
- mymbCONNECT24 (<2.16.2)
One of the most severe vulnerabilities, tracked as CVE-2024-23943 (CVSS score of 9.1), lies in the cloud API of the affected devices. The advisory states that “an unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices.” This flaw allows for a total loss of confidentiality and integrity, impacting individual devices or the entire service.
Another significant vulnerability, identified as CVE-2024-23942 (CVSS score of 7.1), involves the exposure of sensitive data in a configuration file on the client workstation. According to the advisory, “a local user may find a configuration file on the client workstation with unencrypted sensitive data.” Exploitation of this vulnerability “allows an attacker to impersonate the device or prevent the device from accessing the cloud portal, which leads to a DoS.”
CERT@VDE and the affected vendors are urging users to take immediate action to mitigate these risks. For CVE-2024-23942, the advisory notes that if the device's serial number is already known to mbCONNECT24/mymbCONNECT24 when the downloadable configuration is created, that configuration is encrypted so that only the matching device can decrypt it. In practice this means registering the device in the portal first and generating the configuration file afterwards, rather than creating a generic configuration and assigning it to a device later.
The primary remediation for these vulnerabilities is to update the affected products to the fixed versions. Specifically, users of myREX24, myREX24.virtual, mbCONNECT24, and mymbCONNECT24 are advised to update to version 2.16.2. For mbNET/mbNET.rokey devices running firmware 8.0.0 through 8.1.3, the advisory recommends updating to version 8.2.0 or later; the affected-version list above gives the same 8.2.0 threshold for the Helmholz REX 200 and REX 250.
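Because the fixed versions differ between the portal products (2.16.2) and the router firmware (8.2.0), a practitioner checking an asset inventory against these advisories needs a numeric version comparison rather than a string match (a string compare would wrongly flag "2.16.10" as older than "2.16.2"). The script below is an added example and not part of the advisory or the vendors' material; the product names and fix thresholds come from the article, while the inventory rows are constructed sample data and the "MAJOR.MINOR.PATCH" version format is an assumption.

```python
"""Triage an asset inventory against the fixed-version baselines summarised
in the CERT@VDE advisories for the MB connect line / Helmholz products.

Added illustration, not the advisory's own tooling. Product names and the
first-fixed versions are taken from the article; the inventory rows are
constructed sample data, and dotted MAJOR.MINOR.PATCH version strings are
an assumption about how the inventory records versions.
"""
from typing import Iterable

# Product -> first version that is no longer affected (from the advisory summary).
FIXED_IN = {
    "myREX24 V2": (2, 16, 2),
    "myREX24.virtual": (2, 16, 2),
    "mbCONNECT24": (2, 16, 2),
    "mymbCONNECT24": (2, 16, 2),
    "REX 200": (8, 2, 0),
    "REX 250": (8, 2, 0),
    "mbNET": (8, 2, 0),
    "mbNET.rokey": (8, 2, 0),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.1.3' into (8, 1, 3); pad short versions ('2.16' -> (2, 16, 0)).

    Comparing integer tuples avoids the lexical trap where '2.16.10' sorts
    before '2.16.2'. Anything non-numeric is rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(product: str, version: str) -> bool:
    """True when the product is in scope and its version is below the fix."""
    if product not in FIXED_IN:
        raise KeyError(f"product not covered by the advisory: {product!r}")
    return parse_version(version) < FIXED_IN[product]


def triage(inventory: Iterable[tuple[str, str, str]]) -> list[dict]:
    """Return one finding per affected asset; assets outside scope are skipped."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED_IN:
            continue  # unrelated asset, nothing to check
        if is_affected(product, version):
            findings.append({
                "host": host,
                "product": product,
                "installed": version,
                "update_to": ".".join(map(str, FIXED_IN[product])),
            })
    return findings


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("router-01", "mbNET", "8.1.3"),          # in the 8.0.0 - 8.1.3 range: affected
    ("router-02", "mbNET.rokey", "8.2.0"),    # already at the fixed version
    ("portal", "mbCONNECT24", "2.16.1"),      # one patch level short of 2.16.2
    ("rex-line3", "REX 200", "8.0.0"),        # affected
    ("plc-gateway", "Some other product", "1.0"),  # not covered, ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['installed']} -> update to {f['update_to']}")
```

The version-threshold check is deliberately conservative: it only answers "below the fixed release or not" and does not try to reproduce the advisory's exact lower bound of 8.0.0, since anything older is also below 8.2.0 and should be upgraded or retired regardless.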
Organizations are strongly encouraged to review the advisories in detail and implement the recommended mitigations and updates to protect their systems from potential exploitation.