
Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series

BOSCH-SA-741752

Advisory Information

Summary

The control systems series Rexroth IndraMotion MLC and IndraLogic XLC are affected by multiple vulnerabilities in the web server, which – in combination – ultimately enable an attacker to log in to the system.

  • Information disclosure: The main configuration, including users and their hashed passwords, is exposed by an unprotected web server resource and can be accessed without authentication. Additionally, another unprotected web server resource exposes device details, including the serial number and the firmware version.

  • Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with the aforementioned vulnerability, this allows an attacker to subsequently log in to the system.

The control systems Rexroth IndraMotion MLC are affected by multiple further vulnerabilities in the web server.

  • Information disclosure: The user and password database is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow tables.

  • Reflected Cross-Site-Scripting: The web server is vulnerable to reflected XSS and therefore an attacker might be able to execute scripts on a client’s computer by sending the client a manipulated URL.

These vulnerabilities were discovered and reported by Matan Dobrushin and Eran Jacob from OTORIO Research.

Affected Products

  • Rexroth IndraMotion MLC IndraMotion XLC
    • CVE-2021-23855
  • Rexroth IndraMotion MLC L20, L40
    • CVE-2021-23856
  • Rexroth IndraMotion MLC L20, L40 >= 12 VRS
    • CVE-2021-23857
    • CVE-2021-23858
  • Rexroth IndraMotion MLC L25, L45, L65, L75, L85, XM21, XM22, XM41 and XM42 IndraControl XLC >= 12 VRS
    • CVE-2021-23858
  • Rexroth IndraMotion MLC L25, L45, L65, L75, L85, XM21, XM22, XM41 and XM42 IndraMotion XLC >= 12 VRS
    • CVE-2021-23857

Solution and Mitigations

Use of a security gateway

Use a security gateway, e.g. the ctrlX CORE, to protect the affected products, or replace the affected products. The IndraMotion and IndraLogic series are not intended to be used in open networks and therefore require protection by external devices.

Compensatory Measures

In general, compensatory measures are strongly advised which mitigate the risk. Always define such compensatory measures individually, in the context of the operational environment. Some measures are described in the “Security Guideline Electric Drives and Controls”, for example the network segmentation (please see [1]). In general, it is mandatory to implement the measures described in the “Security Guideline Electric Drives and Controls”.

Vulnerability Details

CVE-2021-23855

CVE description: The user and password database is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow tables.

CVE-2021-23856

CVE description: The web server is vulnerable to reflected XSS and therefore an attacker might be able to execute scripts on a client’s computer by sending the client a manipulated URL.

CVE-2021-23857

CVE description: Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with CVE-2021-23858, this allows an attacker to subsequently log in to the system.
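The two design defects behind CVE-2021-23855 and CVE-2021-23857 (an unsalted, fast password hash, and a login routine that accepts the hash itself as the credential) are illustrated below with a generic, constructed login check beside a hardened one. This is added example code, not Bosch Rexroth's implementation; the product's real hashing algorithm, storage format and user names are not given in the advisory, so SHA-256, the user `admin` and the password are placeholders.

```python
import hashlib
import hmac
import os

# --- Weak pattern: unsalted fast hash stored as the verifier --------------
# Unsalted and fast means a precomputed (rainbow) table maps the hash back to
# the password; the algorithm here is an assumption, not the product's own.
def legacy_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

USER_DB_LEGACY = {"admin": legacy_hash("S3cret!")}  # constructed sample record

def login_with_hash(user: str, submitted_hash: str) -> bool:
    """Vulnerable login routine: the client submits the *hash* and the server
    only compares it with the stored value. The stored hash is therefore
    password-equivalent: whoever reads it (e.g. from an unprotected
    configuration resource) can authenticate without knowing the password."""
    stored = USER_DB_LEGACY.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)

# --- Hardened pattern: salted, iterated verifier; client sends the password -
def make_verifier(password: str, salt: bytes = b"") -> tuple:
    """Derive a per-user salted PBKDF2 verifier. A fresh random salt is drawn
    when none is supplied (account creation); the stored salt is reused when
    checking a login attempt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, dk

USER_DB_HARDENED = {"admin": make_verifier("S3cret!")}  # constructed sample record

def login_with_password(user: str, password: str) -> bool:
    """The server derives the verifier from the submitted password itself
    (sent over TLS) and compares in constant time. Knowing the stored verifier
    does not let a caller log in, and the random salt defeats table lookups."""
    rec = USER_DB_HARDENED.get(user)
    if rec is None:
        return False
    salt, stored_dk = rec
    _, dk = make_verifier(password, salt)
    return hmac.compare_digest(stored_dk, dk)
```

Submitting the stored verifier as if it were the password fails against `login_with_password`, whereas the leaked hash alone succeeds against `login_with_hash`; that difference is exactly what makes the disclosure in CVE-2021-23858 a full authentication bypass in the vulnerable design.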

CVE-2021-23858

CVE description: Information disclosure: The main configuration, including users and their hashed passwords, is exposed by an unprotected web server resource and can be accessed without authentication. Additionally, another unprotected web server resource exposes device details, including the serial number and the firmware version.

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 04 Oct 2021: Initial Publication