
Multiple vulnerabilities in Nexo cordless nutrunner

BOSCH-SA-711465

Advisory Information

Summary

The Nexo cordless nutrunner running NEXO-OS V1500-SP2 contains multiple vulnerabilities that allow an attacker:

  • to read/upload/download/delete arbitrary files in all paths of the system,

  • to inject and execute arbitrary client-side script code, arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim’s session,

  • to authenticate to the web application with high privileges or SSH service with root privileges through multiple hidden hard-coded accounts,

  • to read or update arbitrary content of the authentication or results database,

  • to perform a Denial-of-Service (DoS) attack or, possibly, obtain Remote Code Execution (RCE),

  • to upload a malicious file to the SD card containing arbitrary client-side script code and obtain its execution inside a victim’s session,

  • to access sensitive data inside exported packages or obtain up to Remote Code Execution (RCE) with root privileges on the device,

  • to send malicious network requests containing arbitrary client-side script code and obtain its execution inside a victim’s session,

  • to perform actions exceeding their authorized access.

Affected Products

Vendor Name | Product Name | Affected Version
Bosch Rexroth AG | Nexo cordless nutrunner NXA011S-36V (0608842011) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA011S-36V-B (0608842012) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA015S-36V (0608842001) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA015S-36V-B (0608842006) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA030S-36V (0608842002) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA030S-36V-B (0608842007) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA050S-36V (0608842003) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA050S-36V-B (0608842008) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA065S-36V (0608842013) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXA065S-36V-B (0608842014) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXP012QD-36V (0608842005) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXP012QD-36V-B (0608842010) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXV012T-36V (0608842015) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo cordless nutrunner NXV012T-36V-B (0608842016) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo special cordless nutrunner (0608PE2272) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo special cordless nutrunner (0608PE2301) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo special cordless nutrunner (0608PE2514) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo special cordless nutrunner (0608PE2515) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo special cordless nutrunner (0608PE2666) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)
Bosch Rexroth AG | Nexo special cordless nutrunner (0608PE2673) | NEXO-OS V1000-Release to NEXO-OS V1500-SP2 (inclusive)

Solution and Mitigations

Solution

An updated firmware version is available that fixes CVE-2023-48243, CVE-2023-48245, CVE-2023-48246, CVE-2023-48247, CVE-2023-48250, CVE-2023-48251, CVE-2023-48252, CVE-2023-48253, CVE-2023-48259, CVE-2023-48260, CVE-2023-48261, CVE-2023-48262, CVE-2023-48263, CVE-2023-48264, CVE-2023-48265 and CVE-2023-48266.
The update, Nexo - Firmware V1.500 Service Pack 3, can be downloaded from myRexroth, the platform for sales support and partner communication; alternatively, contact your sales partner for instructions on how to retrieve it. Users are strongly advised to upgrade to the new version.
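
The affected-version range in the table above and the fixed version named here are the two facts an asset owner needs to triage a fleet of tools. The following is an added example, not code from Bosch Rexroth or from the advisory: it parses the NEXO-OS version strings as they appear on this page, decides whether a given firmware falls inside the affected range or at or above the fix, and sweeps a constructed inventory list. The assumption that "Release" orders as service pack 0 and that service packs order numerically within one base version is mine, not stated on the page; the inventory entries are made up.

```python
import re

# Values copied from this advisory: the affected range from the
# "Affected Products" table and the fixed version from "Solution".
AFFECTED_FROM = "NEXO-OS V1000-Release"
AFFECTED_TO = "NEXO-OS V1500-SP2"               # inclusive per the table
FIXED_IN = "Nexo - Firmware V1.500 Service Pack 3"

# Material numbers of the affected models, copied from the same table.
AFFECTED_MATERIAL_NUMBERS = {
    "0608842011", "0608842012", "0608842001", "0608842006", "0608842002",
    "0608842007", "0608842003", "0608842008", "0608842013", "0608842014",
    "0608842005", "0608842010", "0608842015", "0608842016",
    "0608PE2272", "0608PE2301", "0608PE2514", "0608PE2515", "0608PE2666",
    "0608PE2673",
}

# Accepts "V1500-SP2", "V1.500 Service Pack 3", "V1000-Release" with or
# without a product prefix. ASSUMPTION: "Release" == service pack 0.
_VERSION_RE = re.compile(
    r"V(?P<major>\d)\.?(?P<minor>\d{3})"
    r"(?:[-\s]+(?P<sp>Release|SP\s*\d+|Service\s+Pack\s*\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, service_pack) so that tuples compare in order."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NEXO-OS version string: {text!r}")
    sp_text = m.group("sp") or "Release"
    if sp_text.lower() == "release":
        sp = 0
    else:
        sp = int(re.search(r"\d+", sp_text).group())
    return (int(m.group("major")), int(m.group("minor")), sp)


def is_affected(version_text):
    """True if the firmware lies inside the advisory's affected range."""
    return parse_version(AFFECTED_FROM) <= parse_version(version_text) <= parse_version(AFFECTED_TO)


def is_fixed(version_text):
    """True if the firmware is at or above the version that carries the fixes."""
    return parse_version(version_text) >= parse_version(FIXED_IN)


def triage(inventory):
    """Return the asset names that are an affected model AND run affected
    firmware. `inventory` is an iterable of dicts with keys
    'asset', 'material_number' and 'firmware'."""
    hits = []
    for item in inventory:
        if item["material_number"] not in AFFECTED_MATERIAL_NUMBERS:
            continue
        if is_affected(item["firmware"]):
            hits.append(item["asset"])
    return hits


# Constructed sample inventory, not data from any real plant.
SAMPLE_INVENTORY = [
    {"asset": "line-3-station-07", "material_number": "0608842011", "firmware": "NEXO-OS V1500-SP2"},
    {"asset": "line-3-station-08", "material_number": "0608842011", "firmware": "NEXO-OS V1500-SP3"},
    {"asset": "line-1-station-02", "material_number": "0608842005", "firmware": "NEXO-OS V1000-Release"},
    {"asset": "lab-bench-01",      "material_number": "0608999999", "firmware": "NEXO-OS V1200-SP1"},
]

if __name__ == "__main__":
    for asset in triage(SAMPLE_INVENTORY):
        print("needs update:", asset)
```

A tool that is an affected model but reports a version the parser does not recognise raises ValueError rather than silently passing; treat such entries as "unknown, verify manually" rather than as patched.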

Mitigation

CVE-2023-48257 is not addressed by the update, because fixing it would make packages that have already been exported incompatible. Users shall ensure that the storage location of exported packages is appropriately protected, so that only authorized users can read or modify them.

Compensatory measures

Risk-mitigating measures are strongly advised and should be defined individually for your operational environment. In particular, affected Nexo cordless nutrunners should be operated in protected network segments only.

Vulnerability Details

CVE-2023-48242

CVE description: The vulnerability allows an authenticated remote attacker to download arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.

CVE-2023-48243

CVE description: The vulnerability allows a remote attacker to upload arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request. By abusing this vulnerability, it is possible to obtain remote code execution (RCE) with root privileges on the device.

CVE-2023-48244

CVE description: The vulnerability allows a remote attacker to inject and execute arbitrary client-side script code inside a victim’s session via a crafted URL or HTTP request.

CVE-2023-48245

CVE description: The vulnerability allows an unauthenticated remote attacker to upload arbitrary files under the context of the application OS user (“root”) via a crafted HTTP request.

CVE-2023-48246

CVE description: The vulnerability allows a remote attacker to download arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.

CVE-2023-48247

CVE description: The vulnerability allows an unauthenticated remote attacker to read arbitrary files under the context of the application OS user (“root”) via a crafted HTTP request.

CVE-2023-48248

CVE description: The vulnerability allows an authenticated remote attacker to upload a malicious file to the SD card containing arbitrary client-side script code and obtain its execution inside a victim’s session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned file.

CVE-2023-48249

CVE description: The vulnerability allows an authenticated remote attacker to list arbitrary folders in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request. By abusing this vulnerability, it is possible to steal session cookies of other active users.

CVE-2023-48250

CVE description: The vulnerability allows a remote attacker to authenticate to the web application with high privileges through multiple hidden hard-coded accounts.

CVE-2023-48251

CVE description: The vulnerability allows a remote attacker to authenticate to the SSH service with root privileges through a hidden hard-coded account.

CVE-2023-48252

CVE description: The vulnerability allows an authenticated remote attacker to perform actions exceeding their authorized access via crafted HTTP requests.

CVE-2023-48253

CVE description: The vulnerability allows a remote authenticated attacker to read or update arbitrary content of the authentication database via a crafted HTTP request. By abusing this vulnerability it is possible to exfiltrate other users’ password hashes or update them with arbitrary values and access their accounts.

CVE-2023-48254

CVE description: The vulnerability allows a remote attacker to inject and execute arbitrary client-side script code inside a victim’s session via a crafted URL or HTTP request.

CVE-2023-48255

CVE description: The vulnerability allows an unauthenticated remote attacker to send malicious network requests containing arbitrary client-side script code and obtain its execution inside a victim’s session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned log.

CVE-2023-48256

CVE description: The vulnerability allows a remote attacker to inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim’s session via a crafted URL or HTTP request.
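
CVE-2023-48244, CVE-2023-48254 and CVE-2023-48255 describe client-side script reaching a victim's browser, and CVE-2023-48256 describes client-controlled data breaking out of an HTTP response header into further headers or the body. The advisory does not show the affected code, so the following is an added illustration of both defect classes in generic form, not the product's code: a header value concatenated without checking for CR/LF, shown next to a version that rejects line terminators, and log text placed into HTML with and without escaping. The redirect handler, the payload and the log lines are constructed for the example.

```python
import html
import re

# CR, LF or NUL in a header value lets the client end the header line and
# start a new header (or, after a blank line, the body).
_HEADER_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a client-controlled value would split the header block."""


def safe_header_value(value):
    if _HEADER_CTL.search(value):
        raise HeaderInjectionError(repr(value))
    return value


def weak_redirect(location):
    """Vulnerable pattern: the client-controlled redirect target is pasted
    into the header block unchecked."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + location + "\r\n"
            "Content-Length: 0\r\n\r\n")


def safe_redirect(location):
    """Same response; the value is refused if it contains CR, LF or NUL."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + safe_header_value(location) + "\r\n"
            "Content-Length: 0\r\n\r\n")


def header_names(raw_response):
    """Split the header block the way a client would and list the header
    names it sees; an injected header appears as an extra entry."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0]
            for line in head.split("\r\n")[1:] if ":" in line]


def render_log_rows(lines):
    """Stored-XSS sink: untrusted log text rendered into an HTML table.
    html.escape() rewrites <, >, &, " and ', so markup in the log is shown
    as text rather than interpreted."""
    return "\n".join("<tr><td>%s</td></tr>" % html.escape(line, quote=True)
                     for line in lines)


# Constructed sample inputs, not captured from a real device.
CRLF_PAYLOAD = "/home\r\nSet-Cookie: session=attacker-chosen"
SAMPLE_LOG = [
    "2024-01-08 10:12:03 login ok user=operator",
    '2024-01-08 10:12:09 login failed user=<img src=x onerror="alert(1)">',
]


def demo():
    weak = header_names(weak_redirect(CRLF_PAYLOAD))
    try:
        safe_redirect(CRLF_PAYLOAD)
        safe = "allowed"
    except HeaderInjectionError:
        safe = "rejected"
    return {"weak_headers": weak, "safe_result": safe,
            "html": render_log_rows(SAMPLE_LOG)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The weak handler yields three headers where one was intended, the attacker's Set-Cookie among them; the hardened handler refuses the value before any bytes are written. Escaping belongs at the point of output, per sink, which is why the log text is escaped when it is rendered rather than when it is stored.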

CVE-2023-48257

CVE description: The vulnerability allows a remote attacker to access sensitive data inside exported packages or obtain up to Remote Code Execution (RCE) with root privileges on the device. It can be exploited directly by authenticated users via crafted HTTP requests, or indirectly by unauthenticated users, either by accessing already-exported backup packages or by crafting an import package and inducing an authenticated victim to send the HTTP upload request.

CVE-2023-48258

CVE description: The vulnerability allows a remote attacker to delete arbitrary files on the file system via a crafted URL or HTTP request through a victim’s session.
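
CVE-2023-48242, CVE-2023-48243, CVE-2023-48245, CVE-2023-48246, CVE-2023-48247, CVE-2023-48249 and CVE-2023-48258 all reduce to one defect: a client-supplied path is used to read, write, list or delete files without being confined to the directory the handler is meant to serve, and the handler runs as root, so nothing on the system is out of reach. The advisory does not show the affected handlers, so the following is an added illustration of the class and its fix, not the product's code. It puts the kind of textual prefix check that does not work beside a check that resolves "..", absolute paths and symlinks on the real filesystem before comparing. The directory layout and probe paths are constructed for the example.

```python
import os
from pathlib import Path


class PathOutsideRootError(PermissionError):
    """The requested path would leave the directory the handler may serve."""


def weak_resolve(root, user_path):
    """Insufficient check: join first, then a textual prefix test.
    'exports/../../etc/passwd' still starts with the root and passes."""
    joined = os.path.join(root, user_path)
    if not joined.startswith(root):
        raise PathOutsideRootError(user_path)
    return joined


def resolve_within(root, user_path):
    """Confine a client-supplied path to `root`: refuse NUL bytes and
    absolute paths, then resolve '..' segments and symlinks against the
    real filesystem and require the result to still lie under `root`."""
    root_real = Path(root).resolve()
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PathOutsideRootError(user_path)
    candidate = (root_real / user_path).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathOutsideRootError(user_path) from None
    return candidate


def verdict(checker, root, user_path):
    try:
        checker(root, user_path)
        return "allowed"
    except PathOutsideRootError:
        return "denied"


def run_demo():
    """Build a throw-away directory standing in for the device's file store
    (constructed content, not taken from a device) and probe both checks.
    Returns {probe: (weak_verdict, strict_verdict)}."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "sdcard")
        os.makedirs(os.path.join(root, "exports"))
        with open(os.path.join(root, "exports", "backup.bin"), "wb") as fh:
            fh.write(b"constructed sample export\n")
        # A symlink inside the root pointing outside it: the textual path
        # stays under the root, the real target does not.
        os.symlink("/etc", os.path.join(root, "exports", "escape"))
        probes = [
            "exports/backup.bin",          # legitimate request
            "exports/../../etc/passwd",    # dot-dot traversal
            "/etc/passwd",                 # absolute path
            "exports/escape/passwd",       # symlink escape
        ]
        for probe in probes:
            results[probe] = (verdict(weak_resolve, root, probe),
                              verdict(resolve_within, root, probe))
    return results


if __name__ == "__main__":
    for probe, (weak, strict) in run_demo().items():
        print(f"{probe:28} weak={weak:8} strict={strict}")
```

Path confinement limits what a traversal can reach; running the web service as an unprivileged OS user rather than root, as the descriptions above note the application does, limits what a successful write or delete can do. Both are needed, and the same confinement applies to the upload, listing and delete variants as to download.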

CVE-2023-48259

CVE description: The vulnerability allows a remote unauthenticated attacker to read arbitrary content of the results database via a crafted HTTP request.

CVE-2023-48260

CVE description: The vulnerability allows a remote unauthenticated attacker to read arbitrary content of the results database via a crafted HTTP request.

CVE-2023-48261

CVE description: The vulnerability allows a remote unauthenticated attacker to read arbitrary content of the results database via a crafted HTTP request.

CVE-2023-48262

CVE description: The vulnerability allows an unauthenticated remote attacker to perform a Denial-of-Service (DoS) attack or, possibly, obtain Remote Code Execution (RCE) via a crafted network request.

CVE-2023-48263

CVE description: The vulnerability allows an unauthenticated remote attacker to perform a Denial-of-Service (DoS) attack or, possibly, obtain Remote Code Execution (RCE) via a crafted network request.

CVE-2023-48264

CVE description: The vulnerability allows an unauthenticated remote attacker to perform a Denial-of-Service (DoS) attack or, possibly, obtain Remote Code Execution (RCE) via a crafted network request.

CVE-2023-48265

CVE description: The vulnerability allows an unauthenticated remote attacker to perform a Denial-of-Service (DoS) attack or, possibly, obtain Remote Code Execution (RCE) via a crafted network request.

CVE-2023-48266

CVE description: The vulnerability allows an unauthenticated remote attacker to perform a Denial-of-Service (DoS) attack or, possibly, obtain Remote Code Execution (RCE) via a crafted network request.

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 29 Jan 2024: Update as patch is available
  • 08 Jan 2024: Initial Publication

Appendix

Acknowledgement

These vulnerabilities have been uncovered and disclosed responsibly by Andrea Palanca from Nozomi Networks. We thank him for making a responsible disclosure with us.