With scores of 10 and 8.6, these vulnerabilities are easy to exploit, allowing unauthenticated attackers to quickly take over industrial control systems.

OTORIO’s Research Team has discovered four critical vulnerabilities in the WEB interfaces of two leading Bosch Rexroth control system series: IndraMotion and IndraLogic (WebAssistant and the legacy interface).

Although the vulnerabilities were not found within the operational protocols themselves, they were determined to be easy-to-exploit design flaws. This means that an unauthenticated attacker can quickly use these vulnerabilities to penetrate the control system. Bosch’s own advisory states that without much effort, an attacker can take over the control system and affect operations.

The vulnerabilities received high and critical scores of 8.6 and a “perfect” 10.0 -

• CVE-2021-23855 - 8.6 (High) - Unauthenticated Information disclosure
• CVE-2021-23856 - 10 (Critical) - Reflected XSS
• CVE-2021-23857 - 10 (Critical) - Login with hash (‘pass-the-hash’)
• CVE-2021-23858 - 8.6 (High) - Unauthenticated information disclosure

The criticality of the vulnerabilities is not exaggerated. They are extremely easy to find and exploit by an experienced attacker, even without prior knowledge of their existence. Moreover, a combination of two of the vulnerabilities - Unauthenticated information disclosure + Login with hash- basically gives administrator access to the critical system, enabling the attacker to make any impact s/he would like to the operational process.

Rexroth devices reside in many operating processes. IndraControl, for example, provides PLC functions and motion functions like control axes, electronic gears, cam tables, robot control, and hydraulics control to a variety of industries around the globe.

Mitigation                                                                                    

To date, the four vulnerabilities still lack formal fixes from Bosch. Hence, we expect them to be around for a while. In the meantime, our experts offer the following recommendations in order to reduce the risk and its potential impact:

• As with any OT equipment, the devices hosting the affected control systems should never be accessible from unprotected network segments or hosts. Furthermore, they should not be connected directly to the internet.
• To mitigate the above vulnerabilities, it is recommended that owners and operators restrict access to port TCP/80 and TCP/443 from untrusted sources, and consider blocking the services completely through segmentation where possible, i.e., no operational use via the Web interface.
• Only for CVE-2021-23856: Exploitation of XSS is done by sending a malicious link with the XSS script embedded in the URL. Make sure that you have turned on URL analysis within the various security systems in the network (Firewall, AV, Web protection agent etc.).

Unfortunately, OTORIO could not release a deeper mitigation strategy like implementing DPI rules (snort) to mitigate those risks without harming operations due to system design. We encourage companies to minimize network exposure to the affected products as much as possible.

Stay safe