20 January 2022
KLCERT-20-038: Bosch AMC2. Missing authentication for critical function
An unauthenticated attacker with the ability to communicate with the affected device via a broadcast address can perform administrative operations on it.
Bosch AMC2, firmware versions distributed with:
- Bosch AMS, all versions <4.0
- Bosch APE, all versions <=3.8.x
- Bosch BIS, all versions <4.9.1
The recommended approach is to update the affected Bosch software to an improved version. The latest versions, BIS 4.9.1 and AMS 4.0, are immune to the discovered vulnerabilities.
Please note that AMS and BIS will automatically update AMC2 controllers with a strengthened firmware. Please refer to the technical documentation in the software release for more details.
For AMS and BIS installations which cannot be updated to versions 4.0 and 4.9.1 respectively right away, Bosch has prepared patches which will distribute a hardened firmware to the AMC2 door controllers. A patch is also available for APE 3.8.x installations.
Please note that these patches disable certain functionalities of the AMC2 communication and may require a different way of interacting with AMC2 controllers. Please refer to the patches’ technical documentation for details.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.