CVE-2021-23842: 
Bosch Building Integration System (BIS) vulnerability analysis and mitigation

The Bosch AMC2 (Access Modular Controller) vulnerability (CVE-2021-23842) was disclosed on January 19, 2022. This vulnerability affects multiple Bosch products including Building Integration System (BIS), Access Management System (AMS), Access Professional Edition (APE), and Access Modular Controller (AMC2). The vulnerability involves the communication to the AMC2 using the Blowfish cryptographic algorithm for symmetric encryption (Bosch Advisory).

The vulnerability is classified as CWE-321 (Use of Hard-coded Cryptographic Key) with a CVSS v3.1 Base Score of 5.7 (Medium). The attack vector is Adjacent Network, requiring low complexity and no privileges, but user interaction is required. The vulnerability stems from the implementation of the Blowfish cryptographic algorithm where an attacker could retrieve the encryption key from the firmware (Bosch Advisory).

An attacker can exploit this vulnerability to decrypt and modify network traffic between the AMC2 and the host system, decrypt and investigate the device's firmware file, and alter the device configuration. The impact is primarily focused on confidentiality, with the ability to compromise sensitive communication data (Bosch Advisory).

Bosch recommends updating to BIS 4.9.1 and AMS 4.0, which are immune to this vulnerability. These updates implement DTLS communication and include strengthened firmware for AMC2 controllers. For systems that cannot be immediately updated, Bosch has prepared patches that distribute hardened firmware to the AMC2 door controllers. Additionally, it is recommended to follow general IT hardening guidelines and operate access control in a secured local area network (Bosch Advisory).