Security gaps found in MBConnect’s industrial remote access offering

OTORIO announced that its penetration testers had detected over 20 critical security flaws in the industrial remote access offering from MB connect line GmbH. The presence of these loopholes enables attackers to infiltrate the operational technology (OT) environment, and attempt to shut down industrial production floors, break into company networks, tamper with data, and steal sensitive business information.

During the penetration testing process, OTORIO found that some of the identified security vulnerabilities can be exploited by unauthenticated users, while others require authentication. The team managed to take over the mbConnect24 servers and gained full access to information stored on those servers, including customer-sensitive information and sensitive MBConnect data such as source code. Taking over the mbConnect24 servers is one of several potential attack techniques found by the team, OTORIO said.

The Cybersecurity and Infrastructure Security Agency (CISA) found that the security gaps could allow a remote attacker to gain unauthorized access to arbitrary information or allow remote code execution.

Identified security vulnerabilities include improper privilege management, server-side request forgery (SSRF), cross-site scripting, uncontrolled resource consumption, open redirect, insecure default initialization of resource, PHP remote file inclusion, use of hard-coded credentials, exposure of sensitive information to an unauthorized hacker, and files or directories accessible to external parties.

The weaknesses prevail in MBConnect’s mymbCONNECT24 v2.6.1 and prior versions, and mbCONNECT24 v2.6.1 and earlier versions, deployed in the critical manufacturing sector. The German company recommends users update mymbCONNECT24 and mbCONNECT24 to version 2.71 or higher to mitigate many of these vulnerabilities.

Hackers can exploit the MBConnect vulnerabilities to cause severe damage, including blocking industrial remote access to hundreds of different MBConnect customers’ production floors by causing a denial of service in MBConnect devices, OTORIO said in a blog post. They also can pilfer sensitive customer information and personal data, and access MBConnect’s sensitive data, including source code, SQL files, and script files.

Cyberattackers can also potentially control web pages in the MBConnect’s website, facilitating targeted phishing attacks, in addition to trying to steal user credentials of MBConnect, according to the Tel Aviv, Israel based company. They can use the stolen credentials, together with additional detected vulnerabilities, to connect to customer’s production floors and cause severe damage, even causing loss of life.

Industrial remote access has played a role in a number of recent cybersecurity incidents. Following the Oldsmar water plant hack, security experts disclosed that the software could have been compromised, after acknowledging that an operator machine had a remote access software package – TeamViewer – installed and accessible to the internet. This led to manipulation of plant control set points for the dosing rate of sodium hydroxide in the water.

Last month, industrial cybersecurity company Claroty detected a severe vulnerability that affects communications between Rockwell Automation programmable logic controllers (PLCs) and engineering stations. Exploiting the flaw enables an attacker to remotely connect to almost any of the company’s Logix PLCs, and upload malicious code, download information from the PLC, or install new firmware.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.