Full Report
An attacker can capture and decrypt the communication between the configuration software and the affected devices, since a symmetric encryption algorithm with a fixed key is used to encrypt the communication. An attacker is able to decrypt captured data and encrypt their own crafted data to send to the device.
Analysis Summary
# Vulnerability: Bosch AMC2 Use of Hard-coded Cryptographic Key
## CVE Details
- **CVE ID:** CVE-2021-23842
- **CVSS Score:** 5.7 (Medium), computed from the vector below
- **CVSS Vector:** AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N with temporal metrics RL:O/RC:C (temporal score 5.5)
- *Note: The provided text specifies 0.0, which does not match the vector. Working the v3.x formula on that vector gives an exploitability sub-score of about 2.07 and an impact sub-score of about 3.60, i.e. a base score of 5.7, and 5.5 once RL:O/RC:C are applied. This is consistent with the Medium severity (Information Disclosure) recorded in NVD.*
- **CWE:** CWE-321: Use of Hard-coded Cryptographic Key
## Affected Systems
- **Products:** Bosch AMC2 (Access Modular Controller) controllers and associated management software.
- **Versions:**
  - Bosch Access Management System (AMS): all versions < 4.0
  - Bosch Access Professional Edition (APE): all versions <= 3.8.x
  - Bosch Building Integration System (BIS): all versions < 4.9.1
- **Configurations:** Systems where the AMC2 firmware is distributed and managed via the software suites listed above.
## Vulnerability Description
The communication protocol between the Bosch configuration software and AMC2 devices uses a symmetric encryption algorithm, but the key is fixed and hard-coded rather than negotiated or provisioned per device. Because the same key is embedded in every copy of the software and firmware, recovering it once (for example from a single installation of the configuration software) is enough to decrypt intercepted traffic from any installation and to encrypt crafted messages that the device will treat as genuine. Symmetric encryption with a shared, static key provides confidentiality only as long as the key is secret from the attacker, and a key shipped to every customer cannot be.
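The following script is an added illustration of the CWE-321 pattern described above and of a per-device-key alternative; it is not Bosch code and does not reproduce the AMC2 protocol, cipher or fix. The cipher is a stdlib-only toy (HMAC-SHA256 keystream plus an HMAC tag) chosen so the script runs without third-party packages, and the key bytes, frame layout and commands are constructed for the example. The point it shows is that an attacker holding only the key extracted from the software decrypts and forges frames in the vulnerable design, and gets nothing in the hardened one.

```python
"""Toy model of a fixed-key channel (CWE-321) next to a per-device-key channel.

Added example; not Bosch code and not the AMC2 protocol. The cipher is a
stdlib-only construction used so the script runs offline. All keys, frame
formats and commands below are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# CWE-321: one key compiled into every copy of the software and every
# controller. Value constructed for this example.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Frame = 8-byte nonce | 4-byte sequence | ciphertext | 32-byte HMAC tag."""
    nonce = os.urandom(8)
    header = nonce + struct.pack(">I", seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def open_frame(key: bytes, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (seq, plaintext) if the tag verifies under `key`, else None."""
    if len(frame) < 12 + 32:
        return None
    header, ct, tag = frame[:12], frame[12:-32], frame[-32:]
    expected = hmac.new(key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    nonce, seq = header[:8], struct.unpack(">I", header[8:12])[0]
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Vulnerable deployment: every installation shares HARDCODED_KEY ---------
def operator_sends_vulnerable(command: bytes, seq: int) -> bytes:
    return seal(HARDCODED_KEY, seq, command)


def attacker_reads(captured: bytes) -> Optional[bytes]:
    """The attacker extracted HARDCODED_KEY from one copy of the software."""
    opened = open_frame(HARDCODED_KEY, captured)
    return None if opened is None else opened[1]


def attacker_forges(command: bytes, seq: int) -> bytes:
    return seal(HARDCODED_KEY, seq, command)


def controller_accepts_vulnerable(frame: bytes) -> Optional[bytes]:
    opened = open_frame(HARDCODED_KEY, frame)
    return None if opened is None else opened[1]


# --- Hardened deployment (illustrative alternative, not Bosch's fix) --------
# A fresh key is generated at commissioning and stored only on the management
# station and on that one controller, never in the distributed binaries.
class Controller:
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._last_seq = -1

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Reject frames with a bad tag and frames that replay an old sequence number."""
        opened = open_frame(self._key, frame)
        if opened is None or opened[0] <= self._last_seq:
            return None
        self._last_seq = opened[0]
        return opened[1]


def demo() -> dict:
    """Run both scenarios and return the outcomes as booleans."""
    cmd = b"UNLOCK DOOR 3"  # constructed command text
    captured = operator_sends_vulnerable(cmd, seq=1)
    forged = attacker_forges(b"UNLOCK DOOR 1", seq=2)
    results = {
        "attacker_decrypts": attacker_reads(captured) == cmd,
        "forgery_accepted": controller_accepts_vulnerable(forged) == b"UNLOCK DOOR 1",
    }
    device_key = os.urandom(32)  # per-device key, unknown to the attacker
    ctl = Controller(device_key)
    legit = seal(device_key, 1, cmd)
    results["hardened_legit_accepted"] = ctl.accept(legit) == cmd
    results["hardened_replay_rejected"] = ctl.accept(legit) is None
    results["hardened_forgery_rejected"] = ctl.accept(seal(HARDCODED_KEY, 2, b"UNLOCK DOOR 1")) is None
    results["hardened_attacker_decrypts"] = attacker_reads(legit) is not None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened half deliberately changes two things at once: the key is unique to each controller, and every frame carries an authenticated sequence number, so a captured frame cannot be replayed to the same controller. Neither property is claimed to be what Bosch's strengthened firmware does; the advisory only states that the firmware was hardened.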
## Exploitation
- **Status:** None of the sources cited below references a public proof of concept. The attack needs no exploit code in the usual sense: once the fixed key has been recovered from the software or firmware, decrypting captured traffic and producing valid ciphertext is a matter of applying the same symmetric algorithm.
- **Complexity:** Low
- **Attack Vector:** Adjacent (Attacker must be on the same local network/segment as the controller or management station).
- **User Interaction:** Required (An operator must initiate communication with the device for the attacker to capture the handshake/data).
## Impact
- **Confidentiality:** High (Attacker can decrypt all intercepted communication).
- **Integrity:** Rated None (I:N) in the published vector, which classifies the issue as information disclosure. The advisory text nevertheless states that the attacker can encrypt crafted data and send it to the device, so crafted commands reaching an access controller should be treated as a realistic integrity risk when assessing exposure.
- **Availability:** Not rated in the vector (A:N). Crafted commands could in principle disrupt controller operation or grant unauthorized access, but the sources do not describe such an outcome.
## Remediation
### Patches
Update the management software to the following versions to automatically deploy strengthened firmware to AMC2 controllers:
- **Bosch BIS:** Upgrade to version 4.9.1 or higher.
- **Bosch AMS:** Upgrade to version 4.0 or higher.
- **Bosch APE:** Apply the specific patch available for version 3.8.x.
### Workarounds
For systems that cannot be immediately upgraded:
- **Dedicated Patches:** Bosch has provided standalone hardening patches for AMS and BIS (pre-v4.0/4.9.1) and APE 3.8.x.
- **Functional Limitations:** Note that applying these patches may disable certain legacy communication functionalities and change how operators interact with the controllers.
## Detection
- **Indicators of Compromise:** Any session to the AMC2 management port from a host other than the known management stations (AMS, APE or BIS servers), and any single host contacting several controllers in a short window. Because the attack vector is Adjacent, the offending host will be on the same segment as the controllers or the management station.
- **Detection methods and tools:** Build an allowlist of management stations and controllers and alert on sessions that fall outside it, using NIDS flow logs, switch port mirroring or firewall logs on the controller VLAN. Signature matching on the ciphertext itself is of little use, since the fixed key means legitimate and forged frames are encrypted identically; until the patch is applied, the most effective control is to keep the controller network reachable only from the management stations.
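The allowlist approach above, as an added worked example that is not a Bosch-provided tool. The flow-log format, IP addresses and management port are constructed for illustration; in practice the port and the station and controller addresses come from the site's own inventory. Besides flagging unauthorized sources, it also catches one host sweeping several controllers, which a single-session rule would miss.

```python
"""Allowlist-based detection of unexpected sessions to access controllers.

Added example for this write-up, not a Bosch tool. Addresses, port number and
log lines are constructed; replace them with the site's real inventory.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed site inventory (hypothetical addresses).
CONTROLLERS: Set[str] = {"10.10.5.11", "10.10.5.12", "10.10.5.13"}
MANAGEMENT_STATIONS: Set[str] = {"10.10.1.5"}
MGMT_PORT = 10001       # hypothetical; use the port your AMS/APE/BIS server really uses
SCAN_THRESHOLD = 3      # distinct controllers contacted by one host within SCAN_WINDOW
SCAN_WINDOW = 60.0      # seconds

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1700000000 10.10.1.5 10.10.5.11 10001 tcp
1700000005 10.10.1.5 10.10.5.12 10001 tcp
1700000010 10.10.5.40 10.10.5.11 10001 tcp
1700000012 10.10.5.40 10.10.5.12 10001 tcp
1700000015 10.10.5.40 10.10.5.13 10001 tcp
1700000020 10.10.1.5 10.10.5.11 443 tcp
1700000030 10.10.7.9 10.10.5.12 10001 tcp
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed flow format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def detect(flows: List[dict]) -> List[str]:
    """Return alert strings for unauthorized sources and controller sweeps."""
    alerts: List[str] = []
    seen: Dict[str, List[Tuple[float, str]]] = defaultdict(list)  # src -> [(ts, dst)]
    for f in flows:
        # Only management-port sessions to known controllers are of interest.
        if f["dst"] not in CONTROLLERS or f["dport"] != MGMT_PORT:
            continue
        if f["src"] not in MANAGEMENT_STATIONS:
            alerts.append(f"{f['ts']:.0f} unauthorized source {f['src']} -> {f['dst']}:{f['dport']}")
        seen[f["src"]].append((f["ts"], f["dst"]))
    # Sweep rule: one non-station host reaching several controllers within SCAN_WINDOW.
    for src, events in seen.items():
        if src in MANAGEMENT_STATIONS:
            continue
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = {dst for t, dst in events[i:] if t - t0 <= SCAN_WINDOW}
            if len(window) >= SCAN_THRESHOLD:
                alerts.append(f"{t0:.0f} controller sweep by {src}: "
                              f"{len(window)} controllers within {SCAN_WINDOW:.0f}s")
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the 443/tcp session from the management station is ignored, the three sessions from 10.10.5.40 and the one from 10.10.7.9 each raise an unauthorized-source alert, and 10.10.5.40 additionally trips the sweep rule. In production the same logic runs over exported NetFlow, Zeek conn logs or firewall logs once the parser is adapted to that format.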
## References
- **Vendor Advisory:** hxxps[://]psirt[.]bosch[.]com/security-advisories/bosch-sa-940448-bt[.]html
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2021-23842
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2022/01/20/klcert-20-037-bosch-amc2-information-disclosure-due-to-hard-coded-cryptographic-key/