Advisory ID: SYSS-2024-061
Product: mbCONNECT24
Manufacturer: Red Lion Europe GmbH
Affected Version(s): Firmware Versions: < 2.16.2
Tested Version(s): Firmware Version: N.A.
Vulnerability Type: Use of Password System for Primary Authentication (CWE-309)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2024-07-25
Solution Date: 2024-09-25
Public Disclosure: 2024-10-15
CVE Reference: CVE-2024-45272
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The mbNET.mini is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The mbNET industrial router is the ideal basis for securely connecting
your machines and systems to the Internet - for direct access or via our
remote service portal (my)mbCONNECT24."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The authentication against the manufacturer's VPN server is purely
password-based and therefore inherits the known weaknesses of that
scheme, e.g. password guessing, credential theft, or the use of weak
credentials.

Moreover, the password generated by the back end is only eight
characters long and matches the regular expression [A-Z0-9]{8}. Such
passwords are not of sufficiently good quality.

Note: The credentials are stored on the device itself or can be found in
configuration files generated by (my)mbCONNECT24.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The configuration file (TAR archive) of an mbNET.mini generated by the
remote service portal (my)mbCONNECT24 contains the VPN credentials,
which are also generated by the back end.

1. Extract the TAR archive.

2. Show the VPN credentials:

$ cat cloudserver.user
MDH860@victim

$ cat cloudserver.password
MDELERAL

3.
These credentials are further handled by the "/etc/rc.d/init.d/ovpn"
script, which generates an OpenVPN credentials file. In the process, the
device's serial number is appended to the username (command executed on
the device):

$ cat /etc/openvpn/private/user_passw.auth
MDH860@victim@391586000123456
MDELERAL

4. Afterward, the device initiates an OpenVPN session using only this
credentials file for authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer implemented a fix in the hosted mbCONNECT platform.
For self-hosted installations, update to version 2.16.2 or later.
See also [4].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-07-23: Vulnerability discovered
2024-07-25: Vulnerability reported to manufacturer
2024-07-25: Manufacturer confirmed reception
2024-07-31: Manufacturer asked for alternative publication date
2024-07-31: Asked the manufacturer for updates on the planned fixes
2024-09-10: Update of the vulnerability state and the planned fixes by
            the manufacturer
2024-09-20: CVE IDs assigned by the manufacturer
2024-09-24: Commitment of the publication date (2024-10-15)
2024-10-15: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] mbNET product website
    https://mbconnectline.com/mbnet-en/
[2] SySS Security Advisory SYSS-2024-061
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-061.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
    https://advisories.mbconnectline.com/pdf/SIM2024-04.pdf
[5] CVE-2024-45272
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45272

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.
E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
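The weak generated-password pattern from the Vulnerability Details section and the configuration archive layout shown in the PoC, as an added audit example that is not part of the original advisory or of the vendor's code: it reads cloudserver.user and cloudserver.password from a configuration TAR, flags a password that still matches the back end's [A-Z0-9]{8} pattern, and reports the resulting keyspace in bits so an operator can find exported configurations that predate the fix. The sample archive and its credential values are constructed inline; the function names are assumptions.

```python
import io
import math
import re
import tarfile

# Password pattern generated by the (my)mbCONNECT24 back end, as stated in the advisory.
GENERATED_PASSWORD_RE = re.compile(r"^[A-Z0-9]{8}$")
ALPHABET_SIZE = 36   # A-Z plus 0-9
PASSWORD_LENGTH = 8


def keyspace_bits(alphabet_size: int = ALPHABET_SIZE, length: int = PASSWORD_LENGTH) -> float:
    """Upper bound on the entropy of a uniformly generated password: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def read_member(tar: tarfile.TarFile, name: str):
    """Return the stripped text of a regular archive member, or None if it is absent."""
    try:
        fh = tar.extractfile(name)   # raises KeyError when the member does not exist
    except KeyError:
        return None
    return fh.read().decode("utf-8").strip() if fh else None


def audit_config_archive(archive: bytes) -> dict:
    """Check a configuration TAR (file names as in the advisory) for weak generated VPN credentials."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        user = read_member(tar, "cloudserver.user")
        password = read_member(tar, "cloudserver.password")
    weak = password is not None and GENERATED_PASSWORD_RE.match(password) is not None
    return {
        "user": user,
        "has_credentials": user is not None and password is not None,
        "matches_generated_pattern": weak,
        "keyspace_bits": round(keyspace_bits(), 1) if weak else None,   # 36^8 is about 2^41.4
    }


def build_sample_archive(user: str, password: str) -> bytes:
    """Constructed sample archive mimicking the two credential files; all values are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in (("cloudserver.user", user), ("cloudserver.password", password)):
            data = (text + "\n").encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_config_archive(build_sample_archive("EXAMPLE@tenant", "AB12CD34")))
```

A result with "matches_generated_pattern" set to True means the archive still carries a password from the pre-fix generator and the device's VPN account should be re-provisioned.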