Denial of Service in Rexroth ActiveMover using Profinet protocol

Advisory Information

• Advisory ID: BOSCH-SA-637429
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2021-20986
    • Base Score: 7.5 (High)
• Published: 31 Mar 2021
• Last Updated: 26 Jan 2022

Summary

The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption of acyclic communication.

The vulnerability only affects ActiveMover with the Profinet communication module with firmware version below 3.0.32.x. If the product is used in closed (machine) networks with no access to the internet the risk of the vulnerability is very low.

The ActiveMover has a network coupler with a Hilscher protocol stack. This Hilscher protocol stack (PROFINET IO Device V3) does not properly limit available resources when handling Read Implicit Request services, depending on the content of the request. This may lead to shortage of resources so that the affected device

• can no longer perform acyclic requests

• may drop all established cyclic connections

• may disappear completely from the network

Affected Products

• Rexroth ActiveMover with firmware version < 3.0.32.x with configuration: ‘using Profinet communication module (Rexroth no. 3842 559 445)’

Solution and Mitigations

Closed (machine) network

There is actually no workaround. However, Bosch Rexroth recommends to operate the product in a closed (machine) network with no access to the internet and implement the following measure:

• Minimize network exposure and ensure that the products are not accessible via the Internet.

• Network segmentation/ Firewall: Isolate affected products from the corporate network.

• If remote access is required, use secure methods such as virtual private networks (VPNs).

With these measures the risk of the vulnerability is very low.

Vulnerability Details

CVE-2021-20986

The ActiveMover has a network coupler with a Hilscher protocol stack. This Hilscher protocol stack (PROFINET IO Device V3) does not properly limit available resources when handling Read Implicit Request services, depending on the content of the request. This may lead to shortage of resources so that the affected device

• can no longer perform acyclic requests

• may drop all established cyclic connections

• may disappear completely from the network

CVE description: A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.

• Problem Type:
  • CWE-787 Out-of-bounds Write
• CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Base Score: 7.5 (High)

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] Hilscher Security Advisory: https://kb.hilscher.com/display/ISMS/2020-12-03+Denial+of+Service+vulnerability+in+PROFINET+IO+Device

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 26 Jan 2022: Add firmware version
• 31 Mar 2021: Initial Publication