Skip to main

ctrlX Multiple Vulnerabilities

BOSCH-SA-918106

Advisory Information

Summary

Multiple vulnerabilities in operating system libraries and the Linux kernel have been reported which in a worst case scenario could allow an attacker to compromise the system by provoking a crash or the execution of malicious code. The affected functions are not used directly by any Rexroth software component and therefore the risk of an attacker being able to exploit the vulnerability is considered as low. Nevertheless, it cannot be completely ruled out that the functions might be called indirectly. It is therefore strongly advised to follow the suggested solution and mitigations.

The following CVEs, which are not yet available in the NVD also affect the ctrlX CORE Runtime: CVE-2020-27815 , CVE-2020-27830

Affected Products

  • Rexroth IoT Gateway
    • CVE-2020-27815
    • CVE-2020-27830
    • CVE-2020-28374
    • CVE-2020-28941
    • CVE-2020-29568
    • CVE-2020-29569
    • CVE-2020-29660
    • CVE-2020-29661
    • CVE-2021-20232
    • CVE-2021-24031
    • CVE-2021-24032
    • CVE-2021-27218
    • CVE-2021-27219
    • CVE-2021-27803
  • ctrlX CORE Runtime < XCR-V-0108.1
    • CVE-2020-27815
    • CVE-2020-27830
    • CVE-2020-28374
    • CVE-2020-28941
    • CVE-2020-29568
    • CVE-2020-29569
    • CVE-2020-29660
    • CVE-2020-29661
  • ctrlX CORE Runtime <= XCR-V-0108.1
    • CVE-2021-20232
    • CVE-2021-24031
    • CVE-2021-24032
    • CVE-2021-27218
    • CVE-2021-27219
    • CVE-2021-27803

Solution and Mitigations

Software Update

For the ctrlX CORE, the Linux kernel vulnerabilities are addressed with XCR-V-0108. Please update your installation to this release if not already done. For the ctrlX CORE operating system libraries vulnerabilities, an updated release is scheduled for 05/2021. Please contact your sales partner for instructions on how to retrieve the updates. If your device is connected to the update servers or you manage the devices remotely, the updates can also be applied via the online channel. It is recommended that the updates are installed in a timely manner after their release, if possible.

Compensatory Measures

Compensatory measures are recommended which mitigate the risk are recommended until the update becomes available. Always define such compensatory measures individually, in the context of the operational environment. Some possible measures are described in the “Security Guideline Electric Drives and Controls”, for example the network segmentation (please see [1]). In general, it is highly recommended to implement the measures described in the “Security Guideline Electric Drives and Controls”.

Vulnerability Details

CVE-2020-27815

It was discovered that the jfs file system implementation in the Linux kernel contained an out-of-bounds read vulnerability. A local attacker could use this to possibly cause a denial of service (system crash).

Ubuntu has issued an update for kernel that fixes this and multiple vulnerabilities.

CVE description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

CVE-2020-27830

Vulnerability found in Linux Kernel, which can lead to a crash.

CVE description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

CVE-2020-28374

CVE description: In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.

CVE-2020-28941

CVE description: An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.

CVE-2020-29568

CVE description: An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.

CVE-2020-29569

CVE description: An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.

CVE-2020-29660

CVE description: A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.

CVE-2020-29661

CVE description: A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.

CVE-2021-20232

CVE description: A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.

CVE-2021-24031

CVE description: In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.

CVE-2021-24032

CVE description: Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

CVE-2021-27218

CVE description: An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.

CVE-2021-27219

CVE description: An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.

CVE-2021-27803

CVE description: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

  • 23 Apr 2021: Initial Publication