RPS and RPS-LITE operator and communication process vulnerabilities.
BOSCH-SA-099637-BT
Advisory Information
- Advisory ID: BOSCH-SA-099637-BT
- CVE Numbers and CVSS v3.1 Scores:
  - CVE-2023-49263: Base Score 7.3 (High)
  - CVE-2023-49264: Base Score 6.8 (Medium)
  - CVE-2023-49265: Base Score 6.8 (Medium)
  - CVE-2023-49266: Base Score 6.8 (Medium)
  - CVE-2023-49267: Base Score 5.1 (Medium)
- Published: 13 Mar 2024
- Last Updated: 13 Mar 2024
Summary
Security vulnerabilities related to password use, password management and communication processes in RPS and RPS-LITE introduce the potential for a malicious user to compromise the software. Bosch recommends updating to the latest version as soon as possible.
Affected Products
- Bosch Remote Programming Software (RPS Lite) on Windows operating systems
  - CVE-2023-49263, CVE-2023-49264, CVE-2023-49265, CVE-2023-49266, CVE-2023-49267
  - Version(s): < 6.14.100
- Bosch Remote Programming Software (RPS) on Windows operating systems
  - CVE-2023-49263, CVE-2023-49264, CVE-2023-49265, CVE-2023-49266, CVE-2023-49267
  - Version(s): < 6.14.100
Solution and Mitigations
Software Update
To resolve the potential for exploitation, update the affected Bosch software to RPS / RPS-LITE v6.14.100 or higher.
Vulnerability Details
CVE-2023-49263
CVE description: The secure login and storage processes used during RPS/RPS-LITE operator login have the potential to be compromised by a malicious actor.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
- Base Score: 7.3 (High)
CVE-2023-49264
CVE description: The RPS/RPS-LITE communication processes have the potential for a malicious actor to access and view communications.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
- Base Score: 6.8 (Medium)
CVE-2023-49265
CVE description: The RPS/RPS-LITE operator account storage processes have the potential to be compromised by a malicious actor.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Base Score: 6.8 (Medium)
CVE-2023-49266
CVE description: The RPS/RPS-LITE file export processes have the potential for a malicious actor to access the exported file.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Base Score: 6.8 (Medium)
CVE-2023-49267
CVE description: The RPS/RPS-LITE operator credential minimum criteria have the potential to be compromised by a malicious actor.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Base Score: 5.1 (Medium)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] RPS download page - Software (RPS v6.14.100): https://commerce.boschsecurity.com/us/en/Remote-Programming-Software/p/2595124747/
- [2] RPS Lite download page - Software (RPS-LITE v6.14.100): https://commerce.boschsecurity.com/us/en/Remote-Programming-Software-LITE/p/2596032779/
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
- 13 Mar 2024: Initial Publication