Open Port 8899 in BCC Thermostat Product

Advisory Information

• Advisory ID: BOSCH-SA-473852
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2023-49722
    • Base Score: 8.3 (High)
• Published: 09 Jan 2024
• Last Updated: 09 Jan 2024

Summary

A network port 8899 is always open in BCC101/BCC102/BCC50 thermostat products, which allows an un-authencated connection from a local WiFi network.

Affected Products

• Bosch BCC101
  • CVE-2023-49722
    • Version(s): 4.13.20 - v4.13.33 (excluding)
• Bosch BCC102
  • CVE-2023-49722
    • Version(s): 4.13.20 - v4.13.33 (excluding)
• Bosch BCC50
  • CVE-2023-49722
    • Version(s): 4.13.20 - v4.13.33 (excluding)

Solution and Mitigations

Software Update

A fix has been made in new WiFi firmware 4.13.33 by closing the port 8899, which was used for the WiFi module development debugging purpose. The new firmware v4.13.33 has been updated to the customer field devices in Oct 2023.

Vulnerability Details

CVE-2023-49722

CVE description: Network port 8899 open in WiFi firmware of BCC101/BCC102/BCC50 products, that allows an attacker to connect to the device via same WiFi network.

• Problem Type:
  • CWE-1125 Excessive Attack Surface
• CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
  • Base Score: 8.3 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] Bosch Wi-Fi Thermostats Product page: https://www.bosch-homecomfort.com/us/en/ocs/residential/wi-fi-thermostats-1098978-c/

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 09 Jan 2024: Initial Publication

Appendix

Not impacted devices

BCC100 thermostat is not impacted by this issue as it uses a different WiFi module.