VDE-2024-010
Vulnerability from csaf_mbconnectlinegmbh - Published: 2025-03-18 11:00 - Updated: 2025-08-27 10:00Summary
Vulnerabilities in mbCONNECT24/mymbCONNECT24
Severity
Critical
Notes
Summary: The data24 service that is bundled with every installation of mbCONNECT24/mymbCONNECT24 has two
serious flaws in core components. These combined can lead to a complete loss of confidentiality, integrity
and availability.
Impact: CVE-2024-23943: A total loss of confidentiality and integrity, for individual devices or the whole service, is
possible.
CVE-2024-23942: An attacker in possession of the device's configuration file can impersonate the real
device. This also allows to prevent the real device from connecting successful.
Mitigation: CVE-2024-23942: If the device's serial number is known to mbCONNECT24/mymbCONNECT24 before the
downloadable configuration is created, that configuration will be encrypted allowing only the correct device to
decrypt it.
Remediation: Update to latest version: 2.16.2
CVE-2024-23943: This fix does not apply to mbNET/mbNET.rokey devices with firmware 8.0.0 - 8.1.3. If you are using a device with this firmware, please update it to >= 8.2.0.
General Recommendation: Always use the latest available firmware version on all devices.
An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected.
9.1 (Critical)
Vendor Fix
Update to latest version: 2.16.2
CVE-2024-23943: This fix does not apply to mbNET/mbNET.rokey devices with firmware 8.0.0 - 8.1.3. If you are using a device with this firmware, please update it to >= 8.2.0.
A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS.
7.1 (High)
Mitigation
CVE-2024-23942: If the device's serial number is known to mbCONNECT24/mymbCONNECT24 before the
downloadable configuration is created, that configuration will be encrypted allowing only the correct device to
decrypt it.
References
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"aggregate_severity": {
"namespace": "https://mbconnectline.com",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "The data24 service that is bundled with every installation of mbCONNECT24/mymbCONNECT24 has two\nserious flaws in core components. These combined can lead to a complete loss of confidentiality, integrity\nand availability.",
"title": "Summary"
},
{
"category": "description",
"text": "CVE-2024-23943: A total loss of confidentiality and integrity, for individual devices or the whole service, is\npossible.\n\nCVE-2024-23942: An attacker in possession of the device\u0027s configuration file can impersonate the real\ndevice. This also allows to prevent the real device from connecting successful.",
"title": "Impact"
},
{
"category": "description",
"text": "CVE-2024-23942: If the device\u0027s serial number is known to mbCONNECT24/mymbCONNECT24 before the\ndownloadable configuration is created, that configuration will be encrypted allowing only the correct device to\ndecrypt it.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update to latest version: 2.16.2\n\nCVE-2024-23943: This fix does not apply to mbNET/mbNET.rokey devices with firmware 8.0.0 - 8.1.3. If you are using a device with this firmware, please update it to \u003e= 8.2.0.",
"title": "Remediation"
},
{
"category": "general",
"text": "Always use the latest available firmware version on all devices.",
"title": "General Recommendation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security-team@mbconnectline.de",
"name": "MB connect line GmbH",
"namespace": "https://mbconnectline.com"
},
"references": [
{
"category": "external",
"summary": "MB connect line GmbH Advisories",
"url": "https://mbconnectline.com/security-advice"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for MB connect line GmbH",
"url": "https://certvde.com/en/advisories/vendor/redlion"
},
{
"category": "self",
"summary": "VDE-2024-010: Vulnerabilities in mbCONNECT24/mymbCONNECT24 - HTML",
"url": "https://certvde.com/en/advisories/VDE-2024-010"
},
{
"category": "self",
"summary": "VDE-2024-010: Vulnerabilities in mbCONNECT24/mymbCONNECT24 - CSAF",
"url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2024-010.json"
}
],
"title": "Vulnerabilities in mbCONNECT24/mymbCONNECT24",
"tracking": {
"aliases": [
"VDE-2024-010"
],
"current_release_date": "2025-08-27T10:00:00.000Z",
"generator": {
"date": "2025-08-28T07:40:08.713Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.34"
}
},
"id": "VDE-2024-010",
"initial_release_date": "2025-03-18T11:00:00.000Z",
"revision_history": [
{
"date": "2025-03-18T11:00:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
},
{
"date": "2025-03-31T13:00:00.000Z",
"number": "1.0.1",
"summary": "Update: Fixed Document reference CSAF"
},
{
"date": "2025-04-10T13:00:00.000Z",
"number": "1.0.2",
"summary": "Update: Fixed document reference URL"
},
{
"date": "2025-05-14T13:00:14.000Z",
"number": "1.0.3",
"summary": "Fix: added distribution"
},
{
"date": "2025-08-27T10:00:00.000Z",
"number": "1.1.3",
"summary": "Update: CWE form CVE-2024-23942, Revision History"
}
],
"status": "final",
"version": "1.1.3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "mbCONNECT24",
"product": {
"name": "mbCONNECT24",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "mymbCONNECT24",
"product": {
"name": "mymbCONNECT24",
"product_id": "CSAFPID-11002"
}
}
],
"category": "product_family",
"name": "mbCONNECT24"
},
{
"branches": [
{
"category": "product_name",
"name": "mbNET",
"product": {
"name": "mbNET",
"product_id": "CSAFPID-11003"
}
},
{
"category": "product_name",
"name": "mbNET.rokey",
"product": {
"name": "mbNET.rokey",
"product_id": "CSAFPID-11004"
}
}
],
"category": "product_family",
"name": "mbNET"
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version",
"name": "2.16.2",
"product": {
"name": "Firmware 2.16.2",
"product_id": "CSAFPID-22001"
}
},
{
"category": "product_version_range",
"name": "\u003c2.16.2",
"product": {
"name": "Firmware \u003c2.16.2",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "8.2.0",
"product": {
"name": "Firmware 8.2.0",
"product_id": "CSAFPID-22003"
}
},
{
"category": "product_version_range",
"name": "\u003c8.2.0",
"product": {
"name": "Firmware \u003c8.2.0",
"product_id": "CSAFPID-22004"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "MB connect line"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.16.2 installed on mbCONNECT24",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c2.16.2 installed on mymbCONNECT24",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.16.2 installed on mbCONNECT24",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2.16.2 installed on mymbCONNECT24",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 8.2.0 installed on mbNET",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-11003",
"relates_to_product_reference": "CSAFPID-22003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 8.2.0 installed on mbNET.rokey",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-11004",
"relates_to_product_reference": "CSAFPID-22003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c8.2.0 installed on mbNET",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-11003",
"relates_to_product_reference": "CSAFPID-22004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c8.2.0 installed on mbNET.rokey",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-11004",
"relates_to_product_reference": "CSAFPID-22004"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-23943",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to latest version: 2.16.2\n\nCVE-2024-23943: This fix does not apply to mbNET/mbNET.rokey devices with firmware 8.0.0 - 8.1.3. If you are using a device with this firmware, please update it to \u003e= 8.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2024-23943"
},
{
"cve": "CVE-2024-23942",
"cwe": {
"id": "CWE-312",
"name": "Cleartext Storage of Sensitive Information"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002"
]
},
"remediations": [
{
"category": "mitigation",
"details": "CVE-2024-23942: If the device\u0027s serial number is known to mbCONNECT24/mymbCONNECT24 before the\ndownloadable configuration is created, that configuration will be encrypted allowing only the correct device to\ndecrypt it.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002"
]
}
],
"title": "CVE-2024-23942"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…