Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M
BOSCH-SA-196933-BT
Advisory Information
- Advisory ID: BOSCH-SA-196933-BT
- CVE Numbers and CVSS v3.1 Scores:
- CVE-2021-23845
- Base Score: 8.0 (High)
- CVE-2021-23846
- Base Score: 8.8 (High)
- Published: 28 May 2021
- Last Updated: 03 Feb 2023
Summary
A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends that customers update vulnerable components to fixed software versions.
A second vulnerable condition was found when using the HTTP protocol: the user password is transmitted as a cleartext parameter. The latest firmware versions allow only HTTPS.
If a software update is not possible in a timely manner, reducing the system's network exposure is advised. Internet-accessible systems should be firewalled; additional protective steps such as network isolation by VLAN are recommended.
These vulnerabilities were reported by Chizuru Toyama of TXOne IoT/ICS Security Research Labs of Trend Micro.
Impact
Under certain circumstances, a malicious or unintended user could reach the B426 web server and open the configuration pages without entering login credentials.
Affected Products
- Bosch B426 Firmware
- CVE-2021-23845
- Version(s): < 03.08
- Bosch B426-CN/B429-CN Firmware
- CVE-2021-23845
- Version(s): < 03.08
- Bosch B426-M Firmware
- CVE-2021-23845
- Version(s): < 03.10
- Bosch B426 Firmware
- CVE-2021-23846
- Version(s): 03.01.0004
- Version(s): 03.02.002
- Version(s): 03.03.0009
- Version(s): 03.05.0003
Solution and Mitigations
Software Updates
The recommended approach is to update the software of affected Bosch products to a fixed version. If an update is not possible in a timely manner, the mitigation approaches Firewalling and IP Filtering can be utilized. A list of affected and fixed firmware versions is available in the "Affected Products" section of this document. Fixed B426, B426-CN/B429-CN and B426-M versions are available in the Bosch Product Catalog.
Firewalling (Network)
It is advised that the devices not be exposed directly to the internet or other insecure networks. This includes port forwarding, which does not protect devices adequately. Firewalling a device significantly reduces its attack surface.
Other
Ensure that the "Web and Automation Security" setting for the B426 is enabled.
Vulnerability Details
CVE-2021-23845
CVE description: This vulnerability could allow an attacker to hijack a session while a user is logged in to the configuration web page. This vulnerability was discovered by a security researcher in the B426 and found during internal product tests in the B426-CN/B429-CN and B426-M; it has been fixed starting from version 3.08, which was released in June 2019.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Base Score: 8.0 (High)
CVE-2021-23846
CVE description: When using the HTTP protocol, the user password is transmitted as a cleartext parameter, which makes it possible for an attacker to obtain it through a man-in-the-middle (MITM) attack.
This will be fixed starting from firmware version 3.11.5, which will be released on 30 June 2021.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Base Score: 8.8 (High)
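The exposure described for CVE-2021-23846 is a passive one: anyone positioned on the path between the browser and the module's HTTP interface sees the login parameters exactly as sent. The following detector, added here as an example and not part of the advisory or of Bosch's code, parses captured HTTP requests and reports which ones carry a secret-looking parameter in the query string or in a form or JSON body. The sample requests, the paths /login.cgi, /config.htm and /api, the host 192.0.2.10 and the parameter names are constructed assumptions for illustration, not the module's actual interface.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Parameter names that usually carry a secret in a form login (assumption;
# extend the set for the device you are monitoring).
SECRET_PARAMS = {"password", "passwd", "pwd", "pw", "pass", "secret"}

# Constructed sample of what a MITM on port 80 would capture. None of the
# paths, hosts or values are taken from a real device.
SAMPLE_REQUESTS = [
    # Form login over HTTP: the password travels in the urlencoded body.
    "POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n"
    "\r\nuser=installer&password=s3cret",
    # Same secret, this time in the query string of a GET.
    "GET /config.htm?user=installer&pw=s3cret HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # Benign request: nothing secret-looking.
    "GET /status.htm HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # JSON body: the top-level keys are checked the same way.
    "POST /api HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Type: application/json\r\n"
    "\r\n{\"password\": \"s3cret\", \"action\": \"login\"}",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def exposed_secrets(raw):
    """Return (method, path, parameter) for every secret-named parameter sent
    in the query string, an urlencoded body or a JSON object body. The value
    is deliberately not returned: an alert should say that a password was
    sent in the clear, not repeat it into the log."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    elif ctype.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if isinstance(doc, dict):
            params += list(doc.items())
    return [(method, url.path, name) for name, _ in params
            if name.lower() in SECRET_PARAMS]


def scan(requests):
    """Run the detector over a list of captured requests."""
    findings = []
    for raw in requests:
        findings.extend(exposed_secrets(raw))
    return findings


if __name__ == "__main__":
    for method, path, name in scan(SAMPLE_REQUESTS):
        print(f"cleartext credential: {method} {path} parameter '{name}'")
```

Run against a real capture, the same logic belongs in an IDS or proxy rule keyed on the module's management port; once the firmware only serves HTTPS, the body and query string are no longer visible to a bystander and the detector sees nothing to flag.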
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] B426 and B426CN Download Area: https://commerce.boschsecurity.com/us/en/B426-Conettix-Ethernet-Communication-Modules/p/F.01U.324.383/
- [2] B426-M Download Area: https://commerce.boschsecurity.com/au/en/B426-Conettix-Ethernet-Communication-Modules/p/F.01U.332.307/
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
- 03 Feb 2023: Links to the download area were added
- 28 May 2021: Initial Publication