CVE-2023-35867: 
Bosch Configuration Manager vulnerability analysis and mitigation

An improper handling of a malformed API answer packets to API clients in Bosch BT software products was identified as CVE-2023-35867. The vulnerability was discovered and disclosed in December 2023, affecting multiple Bosch software products including BVMS, Configuration Manager, DIVAR IP series, and various other Bosch BT software solutions up to version 12.0. This vulnerability allows an unauthenticated attacker to cause a Denial of Service (DoS) situation (Bosch Advisory).

The vulnerability is classified under CWE-703 (Improper Check or Handling of Exceptional Conditions). It received a CVSS v3.1 Base Score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. To exploit this vulnerability, an attacker must replace an existing API server through methods such as Man-in-the-Middle attacks (Bosch Advisory).

When successfully exploited, the vulnerability can lead to a Denial of Service (DoS) situation, affecting the availability of the affected Bosch BT software products. The impact is primarily focused on service availability, with no direct effect on confidentiality or integrity of the systems (Bosch Advisory).

Bosch recommends updating affected software to fixed versions. If immediate updates are not possible, users should implement firewalling to disallow connections from insecure networks to the affected software and devices. This prevents attackers from accessing the vulnerable interface. A reboot or restart of the affected component is required after applying any patches (Bosch Advisory).