Bosch: Security Vulnerabilities
Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device\'s firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet.
CVSS Score
5.7
EPSS Score
0.0
Published
2022-01-19
The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\'s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet.
CVSS Score
8.8
EPSS Score
0.0
Published
2022-01-19
An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859
CVSS Score
9.1
EPSS Score
0.003
Published
2021-12-08
An error in a page handler of the VRM may lead to a reflected cross site scripting (XSS) in the web-based interface. To exploit this vulnerability an attack must be able to modify the HTTP header that is sent. This issue also affects installations of the DIVAR IP and BVMS with VRM installed.
CVSS Score
5.0
EPSS Score
0.003
Published
2021-12-08
By executing a special command, an user with administrative rights can get access to extended debug functionality on the VRM allowing an impact on integrity or availability of the installed software. This issue also affects installations of the DIVAR IP and BVMS with VRM installed.
CVSS Score
6.5
EPSS Score
0.003
Published
2021-12-08
A crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context. This issue also affects installations of the VRM, DIVAR IP, BVMS with VRM installed, the VIDEOJET decoder (VJD-7513 and VJD-8000).
CVSS Score
7.2
EPSS Score
0.005
Published
2021-12-08
The user and password data base is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow tables.
CVSS Score
8.6
EPSS Score
0.002
Published
2021-10-04
The web server is vulnerable to reflected XSS and therefore an attacker might be able to execute scripts on a client’s computer by sending the client a manipulated URL.
CVSS Score
10.0
EPSS Score
0.003
Published
2021-10-04
Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with CVE-2021-23858, this allows an attacker to subsequently login to the system.
CVSS Score
10.0
EPSS Score
0.004
Published
2021-10-04
Information disclosure: The main configuration, including users and their hashed passwords, is exposed by an unprotected web server resource and can be accessed without authentication. Additionally, device details are exposed which include the serial number and the firmware version by another unprotected web server resource.
CVSS Score
8.6
EPSS Score
0.002
Published
2021-10-04