Skip to main

Command Injection in Bosch Network Synchronizer

BOSCH-SA-152190-BT

Advisory Information

  • Advisory ID: BOSCH-SA-152190-BT
  • CVE Numbers and CVSS v3.1 Scores:
  • Published: 20 Mar 2024
  • Last Updated: 20 Mar 2024

Summary

A Command Injection vulnerability has been uncovered in the diagnostics interface of the Bosch Network Synchronizer. This vulnerability allows unauthorized users full access to the device.

Affected Products

  • Bosch Network Synchronizer Enterprise
    • CVE-2024-25002
      • Version(s): < 9.30
  • Bosch Network Synchronizer Standard
    • CVE-2024-25002
      • Version(s): < 9.30

Solution and Mitigations

Solution: Software Update

Upgrade the Bosch Network Synchronizer to version 9.30.52153 (installer version 9.30.52302).

  • The 9.30 OMNEO Firmware Upload Tool is required to perform the update

    • The 9.30 OMNEO Firmware Upload Tool can be found at the same download link as mentioned in this advisory

    • Refer to the Appendix for detailed guidelines on performing the update

  • Please check the version in the OMNEO Firmware Upload Tool after the update, it should read 9.30

Mitigation 1: Disable diagnostics interface

Disabling the diagnostics interface prevents the vulnerability from being available for misuse in older versions. Disabling the diagnostics interface can be done using the OMNEO ARNI Configuration Tool. Refer to the document ARNI Disable Diagnostics Interface (which can be found at the same download link as mentioned in this advisory) for detailed instructions on how to disable the interface. Note that the diagnostics interface is disabled by default.

The mitigation is fully effective since it completely removes the vulnerability from being available. Executing the software update will completely remove the vulnerability from the product, it is therefore advised to plan in a software update. It is however acceptable to defer an update to a next maintenance period if this mitigation can be executed.

Mitigation 2: Do not connect directly to the Internet and protect the local network

Isolating the Bosch Network Synchronizer from the Internet and protecting the local network from unauthorized access ensures that the vulnerability cannot be misused. Executing the software update will completely remove the vulnerability from the product, it is therefore advised to plan in a software update. It is however acceptable to defer an update to a next maintenance period if this mitigation can be executed.

Vulnerability Details

CVE-2024-25002

CVE description: Command Injection in the diagnostics interface of the Bosch Network Synchronizer allows unauthorized users full access to the device.

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

  • 20 Mar 2024: Initial Publication

Appendix

Material list

Name CTN SAP#
Bosch Network Synchronizer Enterprise
OMN-ARNIE
F.01U.311.136
Bosch Network Synchronizer Standard
OMN-ARNIS
F.01U.311.135

Update Procedure

  • Install the 9.30 Firmware Upload Tool and the 9.30 ARNI Firmware

  • Check the current ARNI version by running the Firmware Upload Tool

  • If the current ARNI version is < 8.40 update the ARNI Configuration Tool to version 8.40 (the 8.40 version can be found via the software download catalog link)

  • Run the Firmware Upload Tool and update the ARNI device(s)

    • In case of multiple ARNI devices execute the upload one ARNI at a time (one by one)

    • The Firmware Upload Tool contains help documentation which explains how to execute an update of a device

  • If the current ARNI version was < 8.40 run the 8.40 ARNI Configuration Tool and load the configuration file of the system

    • If no configuration file is present it can be created using the 'Restore network configuration from ARNIs' option in the File menu; provide the IP address of the main ARNI of the system to recover the configuration and then save the network configuration using the ARNI Configuration Tool

    • The diagnostics interface will have been disabled, even if it was enabled before

    • Note that the diagnostics interface can now only be enabled by enabling 'Use secure connections' in the Security menu that can be found in the File menu

Troubleshooting

Issue Possible cause Resolution
The diagnostics interface no longer seems reachable after the upload
1. The diagnostics interface is turned off after the update

2. The diagnostics interface is trying to be reached via http (e.g. using 'http://<IP address>' or '<IP address>' in the browser address bar)
1. Run the ARNI Configuration Tool, open the network configuration and enable the diagnostics interface for the ARNI(s)

2. The diagnostics interface uses https after the update, use 'https://<IP address of ARNI>' to reach the diagnostics interface
The firmware update of the ARNI fails
Typically this is caused by network issues in combination with the current version the ARNI is running.
Restart the Firmware Upload Tool, check if the ARNI is shown and restart the upload. If the ARNI is not shown power cycle the ARNI, wait a few minutes and restart the Firmware Upload Tool.
The progress of the upload is shown for a different ARNI than the one for which the upload was started.
This is a known issue of the Firmware Upload Tool when running in the same subnet as a redundant ARNI pair.
Just have the upload continue and finish, the correct ARNI is being uploaded. When the upload is done it is advised to restart the Firmware Upload Tool to reset the GUI so that the version check can be executed.