CVE-2021-23843: 
Bosch Building Integration System (BIS) vulnerability analysis and mitigation

The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe, used for configuring AMC2 devices, contained a critical security vulnerability identified as CVE-2021-23843. This vulnerability was discovered and disclosed on January 19, 2022. The affected products include Bosch Building Integration System (BIS), Access Management System (AMS), Access Professional Edition (APE), and Access Modular Controller (AMC2) (Bosch Advisory).

The vulnerability is classified as a Missing Authentication for Critical Function (CWE-306). The software tools allow password protection on configured devices to restrict access to the configuration of an AMC2. However, an attacker can bypass this protection mechanism. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (High) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Bosch Advisory).

An attacker can exploit this vulnerability to manipulate the device's configuration or render it unresponsive in the local network. The vulnerability allows unauthorized changes to configuration data on the device, potentially affecting access control systems' security and functionality (Bosch Advisory).

Bosch has released software updates to address this vulnerability. The recommended approach is to update to BIS 4.9.1 or AMS 4.0, which are immune to the vulnerability. For APE installations, a specific patch is available to address CVE-2021-23843. For systems that cannot be immediately updated, Bosch has prepared patches that distribute hardened firmware to the AMC2 door controllers. Additionally, it is recommended to follow general IT hardening guidelines and operate access control in a secured local area network (Bosch Advisory).