Germany’s CERT@VDE has alerted organizations to several critical and high-severity vulnerabilities discovered recently in industrial routers. Impacted vendors have released patches for their products.
One of the vulnerable devices is the mbNET.mini router, a product of MB Connect Line that is used worldwide as a VPN gateway for remotely accessing and maintaining industrial environments.
CERT@VDE last week published an advisory describing the flaws. Moritz Abrell of German cybersecurity firm SySS has been credited for finding the vulnerabilities, which have been responsibly disclosed to MB Connect Line parent company Red Lion.
Two of the vulnerabilities, tracked as CVE-2024-45274 and CVE-2024-45275, have been assigned ‘critical’ severity ratings. They can be exploited by unauthenticated remote attackers: one allows execution of arbitrary OS commands because of missing authentication, and the other allows complete control of an affected device through hardcoded credentials.
Three mbNET.mini security holes have been assigned a ‘high’ severity rating based on their CVSS score. Their exploitation can lead to privilege escalation and information disclosure, and while all of them can be exploited without authentication, two of them require local access.
The vulnerabilities were found by Abrell in the mbNET.mini router, but separate advisories published last week by CERT@VDE indicate that they also impact Helmholz’s REX100 industrial router, and two vulnerabilities affect other Helmholz products as well.
The Helmholz REX100 router and the mbNET.mini appear to share the same vulnerable code: the devices are visually very similar, so the underlying hardware and software may be the same.
Abrell told SecurityWeek that the vulnerabilities can in theory be exploited directly from the internet if certain services are exposed to the web, which is not recommended. It’s unclear if any of these devices are exposed to the internet.
For an attacker who has physical or network access to the targeted device, the vulnerabilities can be very useful for attacking industrial control systems (ICS), as well as for obtaining valuable information.
“For example, an attacker with brief physical access — such as quickly inserting a prepared USB stick by passing by — could fully compromise the device, install malware, or remotely control it afterward,” Abrell explained. “Similarly, attackers who access certain network services can achieve full compromise, although this heavily depends on the network’s security and the device’s accessibility.”
“Additionally, if an attacker obtains encrypted device configurations, they can decrypt and extract sensitive information, such as VPN credentials,” the researcher added. “These vulnerabilities could therefore ultimately allow attacks on industrial systems behind the affected devices, like PLCs or neighboring network devices.”
SySS has published its own advisories for each of the vulnerabilities. Abrell commended the vendor for its handling of the flaws, which have been addressed in what he described as a reasonable timeframe.
The vendor reported fixing six of seven vulnerabilities, but SySS has not verified the effectiveness of the patches.
Helmholz has also released an update that should patch the vulnerabilities, according to CERT@VDE.
“This is not the first time we have discovered such critical vulnerabilities in industrial remote maintenance gateways,” Abrell told SecurityWeek. “In August, we published research on a similar security analysis of another manufacturer, revealing extensive security risks. This suggests that the security level in this field remains insufficient. Manufacturers should therefore subject their systems to regular penetration testing to increase the system security.”