CVE-2021-23843

Lack of authentication mechanisms on the device

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certain settings in AMC2 devices. The tools allow a password to be set on configured devices to restrict access to an AMC2's configuration. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device's configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet.

*Credits: N/A
CVSS Scores
Three metric sets are listed for this CVE: two CVSS v3.1 vectors and one CVSS v2.0 vector. The 7.8 in the header is the base score of the first v3.1 vector; the other two base scores below are computed from the listed metrics with the standard CVSS formulas.

Metric               | CVSS v3.1 (a)  | CVSS v3.1 (b)  | CVSS v2.0
---------------------|----------------|----------------|------------------------
Attack Vector        | Local          | Adjacent       | Local
Attack Complexity    | Low            | Low            | Low
Privileges Required  | Low            | None           | (Authentication) None
User Interaction     | None           | None           | n/a
Scope                | Unchanged      | Unchanged      | n/a
Confidentiality      | High           | High           | Partial
Integrity            | High           | High           | Partial
Availability         | High           | High           | Partial
Base score           | 7.8            | 8.8            | 4.6

Vector strings reconstructed from the metrics above:
  (a) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  (b) CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  (v2) AV:L/AC:L/Au:N/C:P/I:P/A:P

Note that vector (b), with Attack Vector "Adjacent" and no privileges required, matches the description's precondition (attacker on the same local network or subnet) more closely than vector (a), and scores higher.
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-12 CVE Reserved
  • 2022-01-19 CVE Published
  • 2023-08-12 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-306: Missing Authentication for Critical Function
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor | Product                     | Version  | Other | Status
-------|-----------------------------|----------|-------|---------
Bosch  | Amc2 Firmware               | --       | -     | Affected
       |   running on: Bosch Amc2    | --       | -     | Safe (hardware platform, not itself the vulnerable component)
Bosch  | Access Management System    | 3.0      | -     | Affected
Bosch  | Access Professional Edition | <= 3.8.0 | -     | Affected
Bosch  | Building Integration System | < 4.9.1  | -     | Affected