Helmholz: Multiple vulnerabilities in myREX24 and myREX24.virtual
Action: Plan Patch
Score: 8.8
Advisory: VDE-2023-008
Date: May 15, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Two vulnerabilities in myREX24 and myREX24.virtual through version 2.13.3 allow an authenticated user to escalate privileges and reset the administrator password through authorization flaws (CWE-639, CWE-863). An attacker with valid non-admin credentials can exploit these issues to gain administrative control of the controller. The vulnerabilities are corrected in version 2.13.4.
What this means
What could happen
An authenticated attacker could gain administrative control of myREX24 controllers and modify process configurations, potentially disrupting plant operations, altering I/O mappings, or changing setpoints on connected equipment.
Who's at risk
Water and wastewater utilities, power generation facilities, and industrial manufacturers using Helmholz myREX24 controllers or myREX24.virtual software for programmable logic control and I/O management. This affects any facility relying on these controllers for process automation and equipment control.
How it could be exploited
An attacker with valid user credentials (admin-level access is not required) could exploit the authorization flaws to escalate privileges and reset the admin password. If multi-factor authentication is not enabled on the admin account, the attacker could then log in as administrator and make arbitrary configuration changes on the controller or virtual instance.
Prerequisites
- Valid user credentials (non-admin) for the myREX24 interface
- Network access to the web interface or management port of the controller
- Multi-factor authentication disabled on the admin account (for full exploitation)
- Remotely exploitable
- Low complexity attack
- Affects industrial control systems
- Requires valid credentials but privilege escalation possible
Affected products (2)
2 with fix
Product            Affected Versions   Fix Status
myREX24            ≤ 2.13.3            2.13.4
myREX24.virtual    ≤ 2.13.3            2.13.4
Remediation & Mitigation
Do now
- WORKAROUND: Enable multi-factor authentication on all admin accounts immediately as a compensating control
- HARDENING: Restrict network access to the myREX24 management interface to trusted engineering workstations and control network subnets only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update myREX24 and myREX24.virtual to version 2.13.4 or later
CVEs (2)
API:
/api/v1/advisories/e3bfa787-1134-499e-a633-118e2ef79aed