Command Injection in Bosch Network Synchronizer

Advisory Information

• Advisory ID: BOSCH-SA-152190-BT
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2024-25002
    • Base Score: 8.8 (High)
• Published: 20 Mar 2024
• Last Updated: 24 Apr 2024

Summary

A Command Injection vulnerability has been uncovered in the diagnostics interface of the Bosch Network Synchronizer. This vulnerability allows unauthorized users full access to the device.

Affected Products

• Bosch Network Synchronizer Enterprise
  • CVE-2024-25002
    • Version(s): < 9.30
• Bosch Network Synchronizer Standard
  • CVE-2024-25002
    • Version(s): < 9.30

Solution and Mitigations

Solution: Software Update

Upgrade the Bosch Network Synchronizer to version 9.30 or higher.

• The 9.30 or higher OMNEO Firmware Upload Tool is required to perform the update

  • The 9.30 or higher OMNEO Firmware Upload Tool can be found at the same download link as mentioned in this advisory

  • Refer to the Appendix for detailed guidelines on performing the update

• Please check the version in the OMNEO Firmware Upload Tool after the update, it should read the updated version

Mitigation 1: Disable diagnostics interface

Disabling the diagnostics interface prevents the vulnerability from being available for misuse in older versions. Disabling the diagnostics interface can be done using the OMNEO ARNI Configuration Tool. Refer to the document ARNI Disable Diagnostics Interface (which can be found at the same download link as mentioned in this advisory) for detailed instructions on how to disable the interface. Note that the diagnostics interface is disabled by default.

The mitigation is fully effective since it completely removes the vulnerability from being available. Executing the software update will completely remove the vulnerability from the product, it is therefore advised to plan in a software update. It is however acceptable to defer an update to a next maintenance period if this mitigation can be executed.

Mitigation 2: Do not connect directly to the Internet and protect the local network

Isolating the Bosch Network Synchronizer from the Internet and protecting the local network from unauthorized access ensures that the vulnerability cannot be misused. Executing the software update will completely remove the vulnerability from the product, it is therefore advised to plan in a software update. It is however acceptable to defer an update to a next maintenance period if this mitigation can be executed.

Vulnerability Details

CVE-2024-25002

CVE description: Command Injection in the diagnostics interface of the Bosch Network Synchronizer allows unauthorized users full access to the device.

• Problem Type:
  • CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
• CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 8.8 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] Software Download Catalog: https://licensing.boschsecurity.com/omneo

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 24 Apr 2024: Updated to indicate 9.30 or higher
• 20 Mar 2024: Initial Publication

Appendix

Material list

Update Procedure

• Install the 9.30 or higher Firmware Upload Tool and the 9.30 or higher ARNI Firmware

• Check the current ARNI version by running the Firmware Upload Tool

• If the current ARNI version is < 8.40 update the ARNI Configuration Tool to version 8.40 (the 8.40 version can be found via the software download catalog link)

• Run the Firmware Upload Tool and update the ARNI device(s)

  • In case of multiple ARNI devices execute the upload one ARNI at a time (one by one)

  • The Firmware Upload Tool contains help documentation which explains how to execute an update of a device

• If the current ARNI version was < 8.40 run the 8.40 ARNI Configuration Tool and load the configuration file of the system

  • If no configuration file is present it can be created using the 'Restore network configuration from ARNIs' option in the File menu; provide the IP address of the main ARNI of the system to recover the configuration and then save the network configuration using the ARNI Configuration Tool

  • The diagnostics interface will have been disabled, even if it was enabled before

  • Note that the diagnostics interface can now only be enabled by enabling 'Use secure connections' in the Security menu that can be found in the File menu

Troubleshooting