CVE-2024-45273

Oct. 17, 2024, 5:41 p.m.

7.8
High

Description

An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used.

Product(s) Impacted

Vendor Product Versions
Mbconnectline
  • Mbnet.mini Firmware
  • Mbnet.mini
  • Mbconnect24
  • Mymbconnect24
  • Mbspider Mdh 905 Firmware
  • Mbspider Mdh 905
  • Mbspider Mdh 915 Firmware
  • Mbspider Mdh 915
  • Mbspider Mdh 906 Firmware
  • Mbspider Mdh 906
  • Mbspider Mdh 916 Firmware
  • Mbspider Mdh 916
  • Mbnet Hw1 Firmware
  • Mbnet Hw1
  • Mbnet Firmware
  • Mbnet
  • Mbnet.rokey Firmware
  • Mbnet.rokey
  • *
  • -
  • *
  • *
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
Helmholz
  • Myrex24 V2 Virtual Server
  • Rex 300 Firmware
  • Rex 300
  • Rex 200 Firmware
  • Rex 200
  • Rex 250 Firmware
  • Rex 250
  • Rex 100 Firmware
  • Rex 100
  • *
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-261
Weak Encoding for Password
Obscuring a password with a trivial encoding does not protect the password.
CWE-326
Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o mbconnectline mbnet.mini_firmware / / / / / / / /
h mbconnectline mbnet.mini - / / / / / / /
a helmholz myrex24_v2_virtual_server / / / / / / / /
o helmholz rex_300_firmware / / / / / / / /
h helmholz rex_300 - / / / / / / /
o helmholz rex_200_firmware / / / / / / / /
h helmholz rex_200 - / / / / / / /
o helmholz rex_250_firmware / / / / / / / /
h helmholz rex_250 - / / / / / / /
o helmholz rex_100_firmware / / / / / / / /
h helmholz rex_100 - / / / / / / /
a mbconnectline mbconnect24 / / / / / / / /
a mbconnectline mymbconnect24 / / / / / / / /
o mbconnectline mbspider_mdh_905_firmware / / / / / / / /
h mbconnectline mbspider_mdh_905 - / / / / / / /
o mbconnectline mbspider_mdh_915_firmware / / / / / / / /
h mbconnectline mbspider_mdh_915 - / / / / / / /
o mbconnectline mbspider_mdh_906_firmware / / / / / / / /
h mbconnectline mbspider_mdh_906 - / / / / / / /
o mbconnectline mbspider_mdh_916_firmware / / / / / / / /
h mbconnectline mbspider_mdh_916 - / / / / / / /
o mbconnectline mbnet_hw1_firmware / / / / / / / /
h mbconnectline mbnet_hw1 - / / / / / / /
o mbconnectline mbnet_firmware / / / / / / / /
h mbconnectline mbnet - / / / / / / /
o mbconnectline mbnet.rokey_firmware / / / / / / / /
h mbconnectline mbnet.rokey - / / / / / / /

References

https://cert.vde.com/en/advisories/VDE-2024-056
https://cert.vde.com/en/advisories/VDE-2024-066
https://cert.vde.com/en/advisories/VDE-2024-068
https://cert.vde.com/en/advisories/VDE-2024-069

Tags

info@cert.vde.com
CWE-261
CWE-326
2024-10-15
CVE-2024-45273

CVSS Score

7.8 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Oct. 15, 2024, 11:15 a.m.
Last Modified: Oct. 17, 2024, 5:41 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

info@cert.vde.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.