With scores of 10 and 8.6, these vulnerabilities are easy to exploit, allowing unauthenticated attackers to quickly take over industrial control systems.
OTORIO’s Research Team has discovered four critical vulnerabilities in the WEB interfaces of two leading Bosch Rexroth control system series: IndraMotion and IndraLogic (WebAssistant and the legacy interface).
Although the vulnerabilities were not found within the operational protocols themselves, they were determined to be easy-to-exploit design flaws. This means that an unauthenticated attacker can quickly use these vulnerabilities to penetrate the control system. Bosch’s own advisory states that without much effort, an attacker can take over the control system and affect operations.
The vulnerabilities received high and critical scores of 8.6 and a “perfect” 10.0 -
The criticality of the vulnerabilities is not exaggerated. They are extremely easy to find and exploit by an experienced attacker, even without prior knowledge of their existence. Moreover, a combination of two of the vulnerabilities - Unauthenticated information disclosure + Login with hash- basically gives administrator access to the critical system, enabling the attacker to make any impact s/he would like to the operational process.
Rexroth devices reside in many operating processes. IndraControl, for example, provides PLC functions and motion functions like control axes, electronic gears, cam tables, robot control, and hydraulics control to a variety of industries around the globe.
To date, the four vulnerabilities still lack formal fixes from Bosch. Hence, we expect them to be around for a while. In the meantime, our experts offer the following recommendations in order to reduce the risk and its potential impact:
Unfortunately, OTORIO could not release a deeper mitigation strategy like implementing DPI rules (snort) to mitigate those risks without harming operations due to system design. We encourage companies to minimize network exposure to the affected products as much as possible.