20 January 2022

KLCERT-20-038: Bosch AMC2. Missing authentication for critical function

Researcher

Alexander Nochvay, Senior Security Researcher, Kaspersky ICS CERT

Timeline

  • Kaspersky ICS CERT advisory published

    January 2022

  • Vendor advisory published

    January 2022

Description

An unauthenticated attacker with the ability to communicate with the affected device via a broadcast address can perform administrative operations on it.


  • Exploitability: Adjacent
  • Attack complexity: Low
  • Privilege required: None
  • User interaction: None
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Impact

It is possible to upload firmware and change the device's configuration.

Affected products

Bosch AMC2, firmware versions distributed with:

  • Bosch AMS, all versions <4.0
  • Bosch APE, all versions <=3.8.x
  • Bosch BIS, all versions <4.9.1

Mitigation

The recommended approach is to update the affected Bosch software to an improved version. The latest versions, BIS 4.9.1 and AMS 4.0, are immune to the discovered vulnerabilities.

Please note that AMS and BIS will automatically update AMC2 controllers with a strengthened firmware. Please refer to the technical documentation in the software release for more details.

For AMS and BIS installations that cannot be updated immediately to version 4.0 or 4.9.1, respectively, Bosch has prepared patches that will distribute a hardened firmware to the AMC2 door controllers. A patch is also available for APE 3.8.x installations.

Please note that these patches disable certain functions of AMC2 communication and may require a different way of interacting with AMC2 controllers. Please refer to the patches’ technical documentation for details.

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
