Critical Vulnerabilities Found in Industrial Routers

By David Silva on November 6, 2024

Executive Summary

On October 15, 2024, CERT@VDE released an advisory for a vulnerable industrial router produced by MB Connect Line. [3] The mbNET.mini router is a VPN gateway with integrated security features that allow secure remote access to industrial control systems (ICSs). However, the vulnerabilities discovered in the device would allow attackers to take it over remotely, which makes them particularly worrisome. MB Connect Line has released a security patch for the device to address the vulnerabilities.

Background

CERT@VDE is a German-based IT security platform that is also a CVE Numbering Authority. According to the CVE website, a CVE Numbering Authority is “An authorized entity with specific scope and responsibility to regularly assign CVE IDs and publish corresponding CVE Records.” [2] The vulnerabilities were found and reported to CERT@VDE by Moritz Abrell of the German penetration testing company SySS GmbH. The vulnerabilities found include missing authentication for a critical function, use of hard-coded credentials, improper input validation, weak encoding for passwords, and files or directories accessible to external parties. [1]

Vulnerabilities

Of the vulnerabilities reported, the missing authentication for a critical function and the use of hard-coded credentials were rated the most severe, each with a Common Vulnerability Scoring System (CVSS) severity rating of 9.8. Improper input validation and weak encoding for passwords scored a less severe 8.4, and the files or directories accessible to external parties was the least severe with a score of 7.5.

Missing authentication for a critical function allows attackers to remotely execute commands on the device without ever having to authenticate. Even though the device has security features built in, attackers would effectively circumvent any controls meant to keep malicious actors out. Hard-coded credentials are also a major concern, as attackers could pose as legitimate users by using the credentials on the device, which would make intrusion harder to detect. Due to the improper input validation vulnerability, users could gain admin privileges locally using a config file. The config file containing passwords is encrypted, but due to the weak encoding for passwords, attackers could decrypt the passwords if they were to obtain the config file. Lastly, the files or directories accessible to external parties vulnerability allows attackers to gain read privileges to the temporary file directory without ever authenticating.

Conclusion

Organizations may do their best to ensure devices have adequate security controls, but these vulnerabilities really show the importance of a defense-in-depth strategy and of applying security patches as often as possible. Even though the mbNET.mini router features an integrated firewall and claims to offer a secure way to remotely access it, these vulnerabilities could have made all those security controls useless. [4] Attackers never rest and are always looking for any vulnerability that gives them even the smallest foothold. Organizations must do their best to avoid complacency and constantly monitor their systems.

References

  1. CERT@VDE. (2024). MB connect line: Multiple Vulnerabilities in mbNET.mini Product. CERT@VDE. https://certvde.com/en/advisories/VDE-2024-056/
  2. (n.d.). Glossary. CVE. https://www.cve.org/ResourcesSupport/Glossary#glossaryCNA
  3. Kovacs, E. (2024). Critical Vulnerabilities Expose mbNET.mini, Helmholz Industrial Routers to Attacks. SecurityWeek. https://www.securityweek.com/critical-vulnerabilities-expose-mbnet-mini-helmholz-industrial-routers-to-attacks/
  4. MB Connect Line. (n.d.). min The Small Industry Router. MB Connect Line. https://mbconnectline.com/mbnet-mini-en/