Update in Cybersecurity Guidebook of BIS on Permission Settings for Network Share
BOSCH-SA-988400-BT
Advisory Information
- Advisory ID: BOSCH-SA-988400-BT
- CVE Numbers and CVSS v3.1 Scores:
- CVE-2023-29241
- Base Score: 8.1 (High)
- CVE-2023-29241
- Published: 28 Jun 2023
- Last Updated: 28 Jun 2023
Summary
In a recent survey of BIS installations worldwide Bosch identified that for some installations the security settings may not meet our recommended security standards. For this reason, we have updated our "Cybersecurity Guidebook".
Section 4.5 of the Cybersecurity Guidebook describes how to configure access permissions for a shared folder of the BIS installation. In an older version of the Cybersecurity Guidebook, one of the recommended access permissions is wrongly stated as "Network" group instead of "Network Service" group. This information is updated in the new version of the documentation, because executing the earlier instructions may unintentionally grant access permission to potentially unauthorized users.
This is not a software bug, just an update of the documentation targeted at installers. This document is included in BIS installation folder since version BIS 5.0. Previous BIS version do not contain the document, but validating the security setting is generally advised.
Affected Products
- Bosch BIS
- CVE-2023-29241
- Version(s): 5.0
- CVE-2023-29241
Solution and Mitigations
Software Updates
For BIS 5.0 please apply patch BIS_5_0_21100_0_Patch1.zip. Follow the instructions in the Readme of the patch. The patch will install an updated Cybersecurity Guidebook in folder "Platform" under the installation folder. Then follow the configuration steps in section 4.5 as described.
For any previous BIS version we recommend to double-check the security settings. Please follow the mitigation section below.
Mitigation
Installation of BIS automatically creates the "MgtS" shared folder, which is accessible to the "Everyone" group. It is recommended to restrict the access and provide the following users and groups with full access to the "\MgtS" shared folder:
-
MgtS-Service user
-
IIS-USR user
-
System group
-
Network Service group
-
Administrators group
-
BIS Users group (add all users of BIS to the group)
Double-check that the "Network" group is not part of the access groups. Following that, proceed to remove the access for "Everyone" group.
Vulnerability Details
CVE-2023-29241
CVE description: Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Base Score: 8.1 (High)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] BIS Download Area: https://downloadstore.boschsecurity.com/?type=BIS
- [2] CVE-2023-29241: https://nvd.nist.gov/vuln/detail/CVE-CVE-2023-29241
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .
Revision History
- 28 Jun 2023: Initial Publication
Appendix
Fixes for the Affected Products
Building Integration System (BIS)
Affected BIS versions | Version or patch that fixes the vulnerability |
---|---|
5.0
|
Apply patch BIS_5_0_21100_0_Patch1.zip,
then follow section 4.5 in the Cybersecurity Guidebook |
Affected material
Building Integration System (BIS)
Family Name | CTN | SAP# | Material Description |
---|---|---|---|
BIS-BGEN-B50
|
F.01U.415.267
|
BIS 5.0
|
Basic license
|
BIS-BGEN-CESB50
|
F.01U.415.269
|
BIS 5.0
|
Central enterprise server (bundle)
|
BIS-BGEN-BAS50
|
F.01U.415.268
|
BIS 5.0
|
Basic license without alarm documents
|
BIS-BGEN-LSSB50
|
F.01U.415.270
|
BIS 5.0
|
Local site server (bundle)
|
BIS-BGEN-CSSB50
|
F.01U.415.271
|
BIS 5.0
|
Central single server (bundle)
|
BIS-BASE-PLUS50
|
F.01U.415.272
|
BIS 5.0
|
Plus license (bundle)
|