Summary

Independent researcher Maxim Rupp identified a vulnerability in the web-based interfaces of Access Easy Controller (AEC). Access Easy Controller uses the gSOAP service to retrieve the real-time event, and the sensor status for the client browsers. If a malicious user gets to know the SOAP endpoint URL, they will be able to access the AEC resources using the SOAP API interface without user authorization.

Affected Products

Access Easy Controller 2.1

Solution

To fix this issue in Access Easy Controller, a token-based handshake mechanism is introduced between the client and AEC server. If the user wants to get AEC real-time events and I/O status, the user must login with a valid credential to the web client. Without it, SOAP services access will be denied for this request. After successful login into the web client, if the user wants to access the AEC real-time events and I/O status via SOAP API using third-party application, the user has to send the SOAP request with the AEC server generated token, session code and the SOAP request must come from the same IP address from the current web client logged in. If there is a mismatch, the AEC server will send the SOAP error for the SOAP service request. The AEC server token will be refreshed and a new token will be generated in a predefined interval based on the web client request. If any web client request comes with the expired token, then the server will reject the SOAP service request. Once the current logged-in user has logged out from the AEC server, the SOAP service resource access will be denied. Firmware AEC 2.1.9.3 that fixes this vulnerability was released on 1 Nov 2018.

CVSSv3 Base Score

Improper Authentication Vulnerability: 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L Vulnerability classification has been performed using the CVSSv3 scoring system http://www.first.org/cvss/. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Bosch thanks Maxim Rupp for identifying the vulnerability and working with Bosch.

Additional Resources

  1. Patch download
  2. Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

03 Dec 2018: Initial Publication