
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2023-29241) affects the Bosch Building Integration System (BIS) version 5.0. It is a documentation defect rather than a flaw in the software itself: incorrect information in the BIS Cybersecurity Guidebook, specifically in the recommended permission settings for a network share, leads administrators who follow the guide to configure the share so that local users gain unauthorized access to its data over the network. The vulnerability was disclosed on June 28, 2023 (Bosch Advisory).
The vulnerability is classified as 'Incomplete Documentation of Program Execution' (CWE-1112). The CVSS v3.1 Base Score is 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The issue lies in Section 4.5 of the Cybersecurity Guidebook, where one of the recommended access permissions was wrongly stated as the 'Network' group instead of the 'Network Service' group (Bosch Advisory).
The two names look similar but mean very different things on Windows. 'Network Service' (well-known SID S-1-5-20) is a single built-in service account under which services such as IIS application pools run. 'Network' (well-known SID S-1-5-2) is a built-in group to which every user who authenticates to the machine over the network is automatically added. Granting full access to 'Network' therefore grants it to any account that can reach the share, so an administrator who followed the guide literally opened the BIS share to users who were never meant to see its data (Bosch Advisory).
For BIS 5.0, apply patch BIS_5_0_21100_0_Patch1.zip and follow the instructions in the patch's Readme file. The patch installs an updated Cybersecurity Guidebook in the 'Platform' folder; it does not change existing share permissions, so a share already configured from the old text must still be corrected by hand. For previous BIS versions, Bosch recommends restricting access to the 'MgtS' shared folder and granting full access only to the following users and groups: the MgtS-Service user, the IIS-USR user, the System group, the Network Service group, the Administrators group, and the BIS Users group. Remove the 'Network' group from the access list and remove access for the 'Everyone' group (Bosch Advisory).
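The following PowerShell script is an added example, not code from the Bosch advisory or from the BIS product. It audits both the SMB share permissions and the NTFS ACL of the 'MgtS' share for the two principals the advisory says must not be present ('Everyone' and 'Network'), and with -Fix removes them and grants full control to the principals the advisory lists. It matches principals by well-known SID rather than by display name because the names are locale-dependent. The share name 'MgtS' comes from the advisory; the local account names MgtS-Service, IIS-USR and BIS Users follow the advisory's wording and are assumed to be local accounts on the BIS server, so they may need adjusting per site.

```powershell
<#
  Added example (not part of the Bosch advisory or BIS): audit and optionally fix the
  permissions on the BIS 'MgtS' share as the advisory's mitigation for older BIS versions
  describes. Assumptions: the share is published as 'MgtS'; MgtS-Service, IIS-USR and
  'BIS Users' are local accounts/groups on this host (adjust for your environment).
#>
param(
    [string]$ShareName = 'MgtS',
    [switch]$Fix                      # without -Fix the script only reports
)
$ErrorActionPreference = 'Stop'

$share = Get-SmbShare -Name $ShareName
$path  = $share.Path

# Principals that must not have access, keyed by well-known SID.
$denied = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-2' = 'NETWORK (every user authenticated over the network)'
}
# Principals the advisory says should keep full access.
$allowed  = @('S-1-5-18', 'S-1-5-20', 'S-1-5-32-544') | ForEach-Object {   # SYSTEM, NETWORK SERVICE, Administrators
    New-Object System.Security.Principal.SecurityIdentifier $_ }
$allowed += @('MgtS-Service', 'IIS-USR', 'BIS Users') | ForEach-Object {     # assumed local accounts
    New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $_) }

function Resolve-Sid([System.Security.Principal.IdentityReference]$id) {
    try { $id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}
function Resolve-Name([System.Security.Principal.IdentityReference]$id) {
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

$findings = @()

# 1. Share-level (SMB) permissions
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    $sid = Resolve-Sid (New-Object System.Security.Principal.NTAccount $ace.AccountName)
    if ($sid -and $denied.ContainsKey($sid)) {
        $findings += "SMB share \\$env:COMPUTERNAME\$ShareName`: $($ace.AccountName) has $($ace.AccessRight) [$($denied[$sid])]"
        if ($Fix) { Revoke-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null }
    }
}

# 2. NTFS permissions on the folder behind the share
$acl = Get-Acl -Path $path
$inheritedBad = $false
foreach ($ace in $acl.Access) {
    $sid = Resolve-Sid $ace.IdentityReference
    if ($sid -and $denied.ContainsKey($sid)) {
        $findings += "NTFS $($path): $($ace.IdentityReference) has $($ace.FileSystemRights) (inherited=$($ace.IsInherited))"
        if ($ace.IsInherited) { $inheritedBad = $true }
    }
}

if ($Fix) {
    # Inherited ACEs cannot be purged in place; convert them to explicit ACEs first so the
    # offending entries can be removed without touching the parent folder's ACL.
    if ($inheritedBad) { $acl.SetAccessRuleProtection($true, $true) }
    foreach ($sidString in $denied.Keys) {
        $acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier $sidString))
    }
    foreach ($id in $allowed) {
        if (-not (Resolve-Sid $id)) { Write-Warning "Account '$id' does not exist on this host; skipping"; continue }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Grant-SmbShareAccess -Name $ShareName -AccountName (Resolve-Name $id) -AccessRight Full -Force | Out-Null
    }
    Set-Acl -Path $path -AclObject $acl
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output "OK: neither Everyone nor NETWORK has access to \\$env:COMPUTERNAME\$ShareName" }
```

Run it first without -Fix from an elevated prompt on the BIS server to see what it would change; the report distinguishes inherited NTFS entries, since those indicate the problem originates on a parent folder rather than on the share folder itself. The script only enforces the principals named in the advisory; it does not tighten anything the advisory does not mention.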
Source: This report was generated using AI