CVE-2022-22520 An attacker can enumerate valid users by sending specific requests to the webservices MB connect, mbCONNECT24, and Helmholz myREX24 and myREX24.virtual v2.11.2.

The request can look like this:

GET /v2.11.2/mymbCONNECT/users/validate?password=password&ip=IP Address of the device>&client=mymbCONNECT&ws=helmholz1.nnnn.nnn

GET /v2.11.2/mymbCONNECT/users/validate?password=password&ip=IP Address of the device>&client=mymbCONNECT&ws=helmholz2.nnnn.nnn

GET /v2.11.2/mymbCONNECT/users/validate?password=password&ip=IP Address of the device>&client=mymbCONNECT&ws=helmholz3.nnnn.nnn
The request will return all users with their names and email addresses, if user credentials are stored in the device.

Stealing Login Credentials from API Calls

If you use APIs from companies like mymbCONNECT, it's possible for someone to steal login credentials. You can protect yourself by making sure the device is locked with a PIN or password before an API call is made. This will also ensure that there are no unauthorized users accessing your data on your device.

Command and Control (C&C) Traffic

A serious vulnerability in the MymbConnect application found by researchers at Kaspersky caused a rise of more than 1,000 times the traffic to malicious domains. The flaw was present in all versions of the app and can be exploited by sending a specially crafted request.

Timeline

Published on: 09/14/2022 14:15:00 UTC
Last modified on: 09/20/2022 10:15:00 UTC

References

• https://cert.vde.com/en/advisories/VDE-2022-039
• https://cert.vde.com/en/advisories/VDE-2022-011
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22520