20 January 2022
KLCERT-20-037: Bosch AMC2. Information Disclosure due to Hard-coded Cryptographic Key
Vendor
-
CVE
-
KLCERT
KLCERT-20-037
Timeline
Timeline
-
Kaspersky ICS CERT advisory published
20 January 2022
-
Vendor advisory published
January 2022
Description
An attacker can capture and decrypt the communication between the configuration software and the affected devices, since a symmetric encryption algorithm with a fixed key is used to encrypt the communication.
CVSS v3
Exploitability
Adjacent
Attack complexity
Privilege required
User interaction
Confidentiality
Impact
Affected products
Bosch AMC2, firmware versions distributed with:
- Bosch AMS, all versions <4.0
- Bosch APE, all versions <=3.8.x
- Bosch BIS, all versions <4.9.1
Mitigation
The recommended approach is to update the affected Bosch software to an improved version. The latest versions BIS 4.9.1 and AMS 4.0 are immune against the discovered vulnerabilities.
Please note that AMS, and BIS will update AMC2 controllers with a strengthened firmware automatically. Please refer to technical documentation in the software release for more details.
For AMS and BIS installations which cannot be updated to version 4.0 resp. 4.9.1 immediately, Bosch has prepared patches which will distribute a hardened firmware to the AMC2 door controllers. A patch is also available for APE 3.8.x installations.
Please notice that these patches disable certain functionalities of the AMC2 communication and may require a different way of interacting with AMC2 controllers. Please refer to the patches’ technical documentation for details.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
Timeline
-
Kaspersky ICS CERT advisory published
20 January 2022
-
Vendor advisory published
January 2022