Full Report
An unauthenticated attacker with the ability to communicate with the affected device via a broadcast address can perform administrative operations on it. It is possible to upload firmware and change the device's configuration.
Analysis Summary
# Vulnerability: Missing Authentication for Critical Function in Bosch AMC2
## CVE Details
- CVE ID: CVE-2021-23843
- CVSS Score: 0.0 (None). *Note: the 0.0 score is taken from the severity string in the source text. The vector details, AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, suggest a High impact and would typically yield a high score. We report the calculated CVSS derived from the vector: 9.8 (Critical).*
- CWE: CWE-306: Missing Authentication for Critical Function
## Affected Systems
- Products: Bosch AMC2 controllers, affected when running alongside:
  - Bosch AMS (All versions <4.0)
  - Bosch APE (All versions <=3.8.x)
  - Bosch BIS (All versions <4.9.1)
- Versions: The vulnerable versions are tied to the accompanying AMS, APE, and BIS software versions listed above.
- Configurations: The attacker must be able to communicate with the device via a broadcast address.
## Vulnerability Description
The vulnerability resides in missing authentication checks for critical functions on the affected device. An unauthenticated remote attacker who can communicate with the device via a broadcast address can bypass security controls and execute administrative operations, specifically allowing firmware uploads and configuration changes.
## Exploitation
- Status: PoC/exploitation status is not explicitly detailed in the available information. Given the nature of the flaw, assume a proof of concept likely exists.
- Complexity: Low (Attack Vector: Adjacent, Low Complexity, No User Interaction, No Privilege Required)
- Attack Vector: Adjacent Network (via broadcast address communication)
## Impact
- Confidentiality: High
- Integrity: High (Ability to upload firmware and change configuration)
- Availability: High (Ability to upload firmware and change configuration)
## Remediation
### Patches
- Update Bosch BIS to version **4.9.1** or later.
- Update Bosch AMS to version **4.0** or later.
- For systems that cannot immediately update AMS/BIS, Bosch has released **patches** that distribute hardened firmware specifically for AMC2 door controllers.
- A patch is also available for **APE 3.8.x** installations.
- *Note: Patches may disable certain functionalities of the AMC2 communication.*
### Workarounds
- Immediate update to fixed versions (preferred mitigation).
- Follow vendor documentation when applying patches, as functionality implications exist.
## Detection
- Detection methods are not explicitly listed.
- Indicators of compromise would be unauthorized firmware upload events or unexpected configuration changes on the AMC2 controller, observed in system logs or through network monitoring of broadcast traffic directed at the controller.
## References
- Vendor Advisory: hxxps://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html
- Kaspersky Advisory: hxxps://ics-cert.kaspersky.com/advisories/klcert-20-038/