Update in Cybersecurity Guidebook of BIS on Permission Settings for Network Share

BOSCH-SA-988400-BT

Advisory Information

Advisory ID: BOSCH-SA-988400-BT
CVE Numbers and CVSS v3.1 Scores:
- CVE-2023-29241
  - Base Score: 8.1 (High)
Published: 28 Jun 2023
Last Updated: 28 Jun 2023

Summary

In a recent survey of BIS installations worldwide Bosch identified that for some installations the security settings may not meet our recommended security standards. For this reason, we have updated our "Cybersecurity Guidebook".

Section 4.5 of the Cybersecurity Guidebook describes how to configure access permissions for a shared folder of the BIS installation. In an older version of the Cybersecurity Guidebook, one of the recommended access permissions is wrongly stated as "Network" group instead of "Network Service" group. This information is updated in the new version of the documentation, because executing the earlier instructions may unintentionally grant access permission to potentially unauthorized users.

This is not a software bug, just an update of the documentation targeted at installers. This document is included in BIS installation folder since version BIS 5.0. Previous BIS version do not contain the document, but validating the security setting is generally advised.

Affected Products

Bosch BIS
- CVE-2023-29241
  - Version(s): 5.0

Solution and Mitigations

Software Updates

For BIS 5.0 please apply patch BIS_5_0_21100_0_Patch1.zip. Follow the instructions in the Readme of the patch. The patch will install an updated Cybersecurity Guidebook in folder "Platform" under the installation folder. Then follow the configuration steps in section 4.5 as described.

For any previous BIS version we recommend to double-check the security settings. Please follow the mitigation section below.

Mitigation

Installation of BIS automatically creates the "MgtS" shared folder, which is accessible to the "Everyone" group. It is recommended to restrict the access and provide the following users and groups with full access to the "\MgtS" shared folder:

MgtS-Service user
IIS-USR user
System group
Network Service group
Administrators group
BIS Users group (add all users of BIS to the group)

Double-check that the "Network" group is not part of the access groups. Following that, proceed to remove the access for "Everyone" group.

Vulnerability Details

CVE-2023-29241

CVE description: Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network

Problem Type:
- CWE-1112 Incomplete Documentation of Program Execution
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Base Score: 8.1 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] BIS Download Area: https://downloadstore.boschsecurity.com/?type=BIS
[2] CVE-2023-29241: https://nvd.nist.gov/vuln/detail/CVE-CVE-2023-29241

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

28 Jun 2023: Initial Publication

Appendix

Fixes for the Affected Products

Building Integration System (BIS)

Affected BIS versions	Version or patch that fixes the vulnerability
5.0	Apply patch BIS_5_0_21100_0_Patch1.zip, then follow section 4.5 in the Cybersecurity Guidebook

Affected material

Building Integration System (BIS)

Family Name	CTN	SAP#	Material Description
BIS-BGEN-B50	F.01U.415.267	BIS 5.0	Basic license
BIS-BGEN-CESB50	F.01U.415.269	BIS 5.0	Central enterprise server (bundle)
BIS-BGEN-BAS50	F.01U.415.268	BIS 5.0	Basic license without alarm documents
BIS-BGEN-LSSB50	F.01U.415.270	BIS 5.0	Local site server (bundle)
BIS-BGEN-CSSB50	F.01U.415.271	BIS 5.0	Central single server (bundle)
BIS-BASE-PLUS50	F.01U.415.272	BIS 5.0	Plus license (bundle)