Insecure authentication in B420 legacy communication module

Advisory Information

• Advisory ID: BOSCH-SA-341298-BT
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2022-47648
    • Base Score: 7.6 (High)
• Published: 26 Apr 2023
• Last Updated: 26 Apr 2023

Summary

An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End on Life (EoL) on 2013.  The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers.

The B420 does not allow for direct access to the panel as this module does not allow direct connection to the SDI/Option Bus that communicates directly with the panel. __ However, customers that are still using this device are advised to replace it for the B426 to ensure it is connected in a secure network.

Affected Products

• Bosch B420
  • CVE-2022-47648
    • Version(s): All Versions

Solution and Mitigations

Upgrade to Sate of the Art successor

Customers are advised to upgrade to the B426 module.

Mitigation

In case you cannot immediately replace this device, it is strongly advised to deploy a secure network infrastructure to prevent unauthorized actors from accessing the device.

Network administrators should implement security measures according to the applicable laws, regulations and industry best practices as listed below but not limited to:

• Segment and segregate networks.

• Do not expose device directly to the internet

• Limit access to the device to trusted employees only that are required to access the device

• Frequently monitor the network and review logs of the device

Vulnerability Details

CVE-2022-47648

CVE description: An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013).

• Problem Type:
  • CWE-284 Improper Access Control
• CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  • Base Score: 7.6 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 26 Apr 2023: Initial Publication