Vulnerability in Wiegand card data interpretation

BOSCH-SA-391095-BT

Advisory Information

  • Advisory ID: BOSCH-SA-391095-BT
  • CVE Numbers and CVSS v3.1 Scores:
  • Published: 24 May 2023
  • Last Updated: 24 May 2023

Summary

Bosch Access Control products AMC2-4WCF and AMC2-2WCF have a firmware bug which may lead to misinterpretation of access card data sent from a Wiegand reader. This may in turn lead to granting physical access to an unauthorized person. This vulnerability affects only products with a Wiegand interface, i.e., not devices with an OSDP / RS485 interface.

Affected Products

  • Bosch AMS
    • CVE-2023-32228
      • Version(s): <= 5.0
  • Bosch BIS
    • CVE-2023-32228
      • Version(s): <= 4.9.2

Solution and Mitigations

Software Updates

The recommended approach is to update the software to a fixed version as soon as possible. Firmware for Bosch AMC2 reader controllers is rolled out automatically by the update mechanism of the access management system, i.e. by the Access Management System (AMS) or the Building Integration System (BIS) respectively.

  • BIS: update BIS installation to version BIS 5.0 (build id BIS_5.0.21100.0). This version comes with a fixed firmware for the AMC2 reader controllers. The update mechanism of the BIS will automatically roll out the firmware to all attached AMC2 reader controllers.

  • AMS: First, update AMS installation to version AMS 5.0.1 (build id AMS_5.1.7.0). Then apply "Patch for CVE-2023-32228" (filename LCMV3772_v02.39.01_Wiegand.zip, TFS #389156). Follow the instructions in the Readme of the patch. The update mechanism of the AMS will automatically roll out the firmware to all attached AMC2 reader controllers.

Please check the Appendix for a list of version numbers for each affected product.

Mitigation

Bosch has not identified any mitigating factors for this vulnerability.

Vulnerability Details

CVE-2023-32228

CVE description: A firmware bug which may lead to misinterpretation of data in the AMC2-4WCF and AMC2-2WCF allowing an adversary to grant access to the last authorized user.

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 24 May 2023: Initial Publication

Appendix

Fixes for the Affected Products

Products are only affected if they are used in a configuration with Wiegand access controllers, i.e. not with access controllers using OSDP / RS485.

Access Management System (AMS)

Affected AMS versions   Version or patch that fixes the vulnerability
4.0                     Update to AMS 5.0.1 and apply "Patch for CVE-2023-32228"
5.0                     Update to AMS 5.0.1 and apply "Patch for CVE-2023-32228"

Building Integration System (BIS)

Affected BIS versions   Version or patch that fixes the vulnerability
4.9                     BIS_5.0.21100.0
4.9.1                   BIS_5.0.21100.0
4.9.2                   BIS_5.0.21100.0

Affected material

Materials are only affected if they are used in a configuration with Wiegand access controllers, i.e. not with access controllers using OSDP / RS485.

AMC Reader Controllers / Reader Extensions

Please note that firmware for Bosch AMC2 reader controllers is rolled out automatically after an update of the access management system, i.e. the Access Management System (AMS) or the Building Integration System (BIS) respectively.

Family Name                     CTN             Material Description
AMC Access Modular Controller   APC-AMC2-2WCF   AMC2 Doorcontroller WI, 2 readers
AMC Access Modular Controller   APC-AMC2-2WCF   AMC2 Doorcontroller WI, 2 readers - CE only
AMC Access Modular Controller   APC-AMC2-4WCF   AMC2 Doorcontroller 4 Wiegand with CF Card
AMC Access Modular Controller   APC-AMC2-4WCF   AMC2 Doorcontroller 4 Wiegand with CF Card - CE only
AMC Access Modular Controller   API-AMC2-4WE    AMC2 Doorcontr.-extension WiegandIF
AMC Access Modular Controller   API-AMC2-4WE    AMC2 Doorcontr.-extension WiegandIF - CE only

Access Management System (AMS)

Family Name                    CTN               SAP#            Material Description
AMS Professional               AMS-BPRO          F.01U.406.338   License Professional base
AMS Plus                       AMS-BPLU          F.01U.406.305   License Plus base
AMS Lite                       AMS-BLIT          F.01U.406.304   License Lite base
Access Management System 4.0   AMS-BASE-LITE40   F.01U.395.556   Lite license
Access Management System 4.0   AMS-BASE-PLUS40   F.01U.395.557   Plus license
Access Management System 4.0   AMS-BASE-PRO40    F.01U.395.558   Pro license

Building Integration System (BIS)

Family Name   CTN               SAP#            Material Description
BIS 4.9       BIS-BASE-PLUS49   F.01U.395.599   Plus license (bundle)
BIS 4.9       BIS-BGEN-B49      F.01U.395.600   Basic license
BIS 4.9       BIS-BGEN-BAS49    F.01U.395.601   Basic license without alarm documents
BIS 4.8       BIS-BASE-PLUS48   F.01U.386.749   Plus license (bundle)
BIS 4.8       BIS-BGEN-B48      F.01U.386.750   Basic license
BIS 4.8       BIS-BGEN-BAS48    F.01U.392.550   Basic license without alarm documents
BIS 4.7       BIS-BASE-PLUS47   F.01U.363.006   Plus license (bundle)
BIS 4.7       BIS-BGEN-B47      F.01U.363.007   Basic license
BIS 4.7       BIS-BGEN-BAS47    F.01U.363.008   Basic license without alarm documents