{ "document": { "acknowledgments": [ { "organization": "CERT@VDE", "summary": "coordination", "urls": [ "https://certvde.com" ] }, { "names": [ "Moritz Abrell" ], "organization": "SySS GmbH", "summary": "reporting", "urls": [ "https://www.syss.de" ] } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-GB", "notes": [ { "category": "summary", "text": "Multiple vulnerabilities have been discovered in MB connect line mbNET.mini product allowing for RCE or unauthorized file access.", "title": "Summary" }, { "category": "description", "text": "CVE-2024-45271, CVE-2024-45274 and CVE-2024-45275 allow remote code execution with system privileges, resulting in full compromise of the device.\n\nCVE-2024-45273 allows undetectable tampering and manipulation of encrypted configuration files.\n\nCVE-2024-45276 allows unauthenticated access to potential sensitive files.", "title": "Impact" }, { "category": "description", "text": "Update mbNET.mini to the version 2.3.1", "title": "Remediation" } ], "publisher": { "category": "vendor", "contact_details": "security-team@mbconnectline.de", "name": "MB connect line GmbH", "namespace": "https://mbconnectline.com" }, "references": [ { "category": "external", "summary": "Product security incident reports", "url": "https://mbconnectline.com/security-advice" }, { "category": "external", "summary": "CERT@VDE Security Advisories for MB connect line", "url": "https://certvde.com/en/advisories/vendor/mbconnectline" }, { "category": "self", "summary": "VDE-2024-056: MB connect line: Multiple Vulnerabilities in mbNET.mini Product - HTML", "url": "https://certvde.com/en/advisories/VDE-2024-056" }, { "category": "self", "summary": "Security Incident Management SIM#2024-04 - PDF", "url": "https://advisories.mbconnectline.com/pdf/SIM2024-04.pdf" }, { "summary": "VDE-2024-056: MB connect line: Multiple Vulnerabilities in mbNET.mini Product - CSAF", "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-056.json", "category": "self" } ], "title": "MB connect line: Multiple Vulnerabilities in mbNET.mini Product", "tracking": { "aliases": [ "VDE-2024-056", "SIM#2024-04" ], "current_release_date": "2025-08-27T10:00:00.000Z", "generator": { "date": "2025-08-28T07:38:38.503Z", "engine": { "name": "Secvisogram", "version": "2.5.34" } }, "id": "VDE-2024-056", "initial_release_date": "2024-10-15T08:00:00.000Z", "revision_history": [ { "date": "2024-10-15T08:00:00.000Z", "number": "1.0.0", "summary": "Initial revision." }, { "date": "2024-11-06T11:27:01.000Z", "number": "1.0.1", "summary": "Fix: correct certvde domain, added self-reference" }, { "number": "1.0.2", "summary": "Fix: version space", "date": "2025-05-14T12:28:19.000Z" }, { "summary": "Update: CWE from CVE-2024-45271, Revision History", "number": "1.1.2", "date": "2025-08-27T10:00:00.000Z" } ], "status": "final", "version": "1.1.2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "mbNET.mini", "product": { "name": "MB connect line mbNET.mini", "product_id": "CSAFPID-11004" } } ], "category": "product_family", "name": "Hardware" }, { "branches": [ { "category": "product_version_range", "name": "<=2.2.13", "product": { "name": "Firmware <=2.2.13", "product_id": "CSAFPID-21004" } }, { "category": "product_version", "name": "2.3.1", "product": { "name": "Firmware 2.3.1", "product_id": "CSAFPID-22001" } } ], "category": "product_family", "name": "Firmware" } ], "category": "vendor", "name": "MB connect line" } ], "relationships": [ { "category": "installed_on", "full_product_name": { "name": "Firmware <=2.2.13 installed on MB connect line mbNET.mini", "product_id": "CSAFPID-31005" }, "product_reference": "CSAFPID-21004", "relates_to_product_reference": "CSAFPID-11004" }, { "category": "installed_on", "full_product_name": { "name": "Firmware 2.3.1 installed on MB connect line mbNET.mini", "product_id": "CSAFPID-32001" }, "product_reference": "CSAFPID-22001", "relates_to_product_reference": "CSAFPID-11004" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-45274", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated remote attacker can execute OS commands via UDP on the device due to missing authentication.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-32001" ], "known_affected": [ "CSAFPID-31005" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update mbNET.mini to the version 2.3.1\n", "product_ids": [ "CSAFPID-31005" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "environmentalScore": 9.8, "environmentalSeverity": "CRITICAL", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 9.8, "temporalSeverity": "CRITICAL", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-31005" ] } ], "title": "CVE-2024-45274" }, { "cve": "CVE-2024-45275", "cwe": { "id": "CWE-798", "name": "Use of Hard-coded Credentials" }, "notes": [ { "audience": "all", "category": "description", "text": "The devices contain two hard coded user accounts with hardcoded passwords that allow an unauthenticated remote attacker for full control of the affected devices.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-32001" ], "known_affected": [ "CSAFPID-31005" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update mbNET.mini to the version 2.3.1", "product_ids": [ "CSAFPID-31005" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "environmentalScore": 9.8, "environmentalSeverity": "CRITICAL", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 9.8, "temporalSeverity": "CRITICAL", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-31005" ] } ], "title": "CVE-2024-45275" }, { "cve": "CVE-2024-45271", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code ('Code Injection')" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated local attacker can gain admin privileges by deploying a config file due to improper input validation.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-32001" ], "known_affected": [ "CSAFPID-31005" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update mbNET.mini to the version 2.3.1", "product_ids": [ "CSAFPID-31005" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalScore": 8.4, "environmentalSeverity": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 8.4, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-31005" ] } ], "title": "CVE-2024-45271" }, { "cve": "CVE-2024-45273", "cwe": { "id": "CWE-261", "name": "Weak Encoding for Password" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-32001" ], "known_affected": [ "CSAFPID-31005" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update mbNET.mini to the version 2.3.1", "product_ids": [ "CSAFPID-31005" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalScore": 8.4, "environmentalSeverity": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 8.4, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-31005" ] } ], "title": "CVE-2024-45273" }, { "cve": "CVE-2024-45276", "cwe": { "id": "CWE-552", "name": "Files or Directories Accessible to External Parties" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated remote attacker can get read access to files in the \"/tmp\" directory due to missing authentication.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-32001" ], "known_affected": [ "CSAFPID-31005" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update mbNET.mini to the version 2.3.1", "product_ids": [ "CSAFPID-31005" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "CSAFPID-31005" ] } ], "title": "CVE-2024-45276" } ] }