CVE-2023-32228: 
Bosch Building Integration System (BIS) vulnerability analysis and mitigation

CVE-2023-32228 is a firmware vulnerability affecting Bosch Access Control products AMC2-4WCF and AMC2-2WCF. The vulnerability was discovered and disclosed on May 24, 2023, affecting Bosch AMS versions <= 5.0 and Bosch BIS versions <= 4.9.2. This vulnerability specifically impacts products using the Wiegand interface, not devices with OSDP / RS485 interface (Bosch Advisory).

The vulnerability is classified as a CWE-115 Misinterpretation of Input issue with a CVSS v3.1 Base Score of 4.6 (Medium). The CVSS Vector String is CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating physical access is required for exploitation, but no privileges or user interaction are needed (Bosch Advisory).

The firmware bug can lead to misinterpretation of access card data sent from a Wiegand reader, potentially resulting in unauthorized physical access. Specifically, the vulnerability could allow an adversary to gain access using credentials from the last authorized user (Bosch Advisory).

Bosch has released software updates to address this vulnerability. For BIS systems, users should update to version BIS 5.0 (build id BIS_5.0.21100.0). For AMS systems, users need to update to AMS 5.0.1 (build id AMS_5.1.7.0) and apply the specific patch 'LCMV3772_v02.39.01_Wiegand.zip'. The firmware updates are automatically rolled out to attached AMC2 reader controllers after system updates. No alternative mitigating factors have been identified (Bosch Advisory).