Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-45851: Multiple vulnerabilities on ctrlX HMI Web Panel - WR21

The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication.

This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

CVE
#vulnerability#web#ios#android#google#hard_coded_credentials#auth#chrome

Advisory Information

  • Advisory ID: BOSCH-SA-175607
  • CVE Numbers and CVSS v3.1 Scores:
    • CVE-2023-41255
      • Base Score: 8.8 (High)
    • CVE-2023-41372
      • Base Score: 7.8 (High)
    • CVE-2023-41960
      • Base Score: 7.1 (High)
    • CVE-2023-43488
      • Base Score: 7.9 (High)
    • CVE-2023-45220
      • Base Score: 8.8 (High)
    • CVE-2023-45321
      • Base Score: 8.3 (High)
    • CVE-2023-45844
      • Base Score: 7.3 (High)
    • CVE-2023-45851
      • Base Score: 8.8 (High)
    • CVE-2023-46102
      • Base Score: 8.8 (High)
  • Published: 20 Oct 2023
  • Last Updated: 25 Oct 2023

Summary

The operating system of the ctrlX WR21 HMI has several vulnerabilities when the Kiosk mode is used in conjunction with Google Chrome. In worst case, an attacker with physical access to the device might gain full root access without prior authentication by combining the exploitation of those vulnerabilities.

Furthermore, the “Android Agent” application which is shipped with the ctrlX WR21 HMI contains multiple flaws, which in a worst case scenario might allow an attacker to execute arbitrary commands on the device.

Affected Products

Vendor Name

Product Name

Affected versions

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2107)

all

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2110)

all

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2115)

all

Solution and Mitigations****Solution

An updated firmware version will be published soon. This version prevents that an attacker with physical access to the device might gain root access.

Furthermore, the application “Android Agent” will be removed entirely.

This advisory will be updated as soon as the new version becomes available. Users are strongly advised to upgrade to the new version.

Mitigation

Until the updated version becomes available, users are strongly advised not to use Google Chrome for the Kiosk mode. As an alternative, the WebStation app may be used for this purpose.

Android Agent should not be used at all.

Vulnerability Details****CVE-2023-41255

CVE description: The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed on the network.

  • Problem Type:
    • CWE-306 Missing Authentication for Critical Function
  • CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Base Score: 8.8 (High)

CVE-2023-41372

CVE description: The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - controlled malicious server.This is possible by forging a valid broadcast intent encrypted with a hardcoded RSA key pair

  • Problem Type:
    • CWE-798 Use of Hard-coded Credentials
  • CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • Base Score: 7.8 (High)

CVE-2023-41960

CVE description: The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application itself.

  • Problem Type:
    • CWE-926 Improper Export of Android Application Components
  • CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
    • Base Score: 7.1 (High)

CVE-2023-43488

CVE description: The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed on the network, exploiting it to gain a privileged shell on the device without requiring the physical access through USB.

  • Problem Type:
    • CWE-862 Missing Authorization
  • CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
    • Base Score: 7.9 (High)

CVE-2023-45220

CVE description: The Android Client application, when enrolled with the define method 1(the user manually inserts the server IP address), use HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.

  • Problem Type:
    • CWE-306 Missing Authentication for Critical Function
  • CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Base Score: 8.8 (High)

CVE-2023-45321

CVE description: The Android Client application, when enrolled with the define method 1 (the user manually inserts the server IP address), use HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user. Due to the lack of encryption of HTTP,this issue allows an attacker placed in the same subnet network of the HMI device to intercept username and password necessary to authenticate to the MQTT server responsible to implement the remote management protocol.

  • Problem Type:
    • CWE-319 Cleartext Transmission of Sensitive Information
  • CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    • Base Score: 8.3 (High)

CVE-2023-45844

CVE description: The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device settings such as the device power management or eventually the device secure settings (ADB debug).

  • Problem Type:
    • CWE-284 Improper Access Control
  • CVSS Vector String: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
    • Base Score: 7.3 (High)

CVE-2023-45851

CVE description: The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication.

This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

  • Problem Type:
    • CWE-306 Missing Authentication for Critical Function
  • CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Base Score: 8.8 (High)

CVE-2023-46102

CVE description: The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of MQTT to implement the remote management of the device is encrypted with a hard-coded DES symmetric key, that can be retrieved reversing both the Android Client application and the server-side web application.

This issue allows an attacker able to control a malicious MQTT broker on the same subnet network of the device, to craft malicious messages and send them to the HMI device, executing arbitrary commands on the device itself.

  • Problem Type:
    • CWE-798 Use of Hard-coded Credentials
  • CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Base Score: 8.8 (High)

Remarks****Acknowledgement

These vulnerabilities have been uncovered and disclosed responsibly by Diego Giubertoni from Nozomi Networks. We thank him for making a responsible disclosure with us.

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.0 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

  • [1] Bosch Rexroth Advisory: https://www.boschrexroth.com/en/dc/product-security/security-advisories/

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: [email protected] .

Revision History

  • 25 Oct 2023: Added CVE list
  • 20 Oct 2023: Initial Publication

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907