Hackers Can Install Ransomware on Network-Connected Devices

A popular line of network-connected wrenches, used by manufacturers around the world to assemble delicate instruments and equipment, has nearly two dozen vulnerabilities that could allow hackers to destroy or disable the devices, researchers have found.

Researchers reported the flaws in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B on Tuesday. The cordless tool lets engineers torque bolts and other mechanical fastenings precisely to the levels required for safety and dependability. It connects wirelessly to the local network of the companies that use it.

Fastenings that are too loose risk overheating and starting fires, while over-tightened threads may break and leave the fastening too loose. In 1999 the car industry adopted the torque-level indicator display offered by Nutrunner, certified by the Association of German Engineers. The NEXO-OS that runs on the devices is managed through a browser-based administration interface.

According to the researchers, the device has a total of twenty-three vulnerabilities that could be used to install malware. Once installed, the malware could disable entire fleets of the devices or have them tighten fastenings too loosely or too tightly, while the display keeps showing that the critical parameters are still correctly set.

In an email, Bosch officials stated that security is their main focus. The statement continued that the researchers had contacted them a few weeks before disclosing the flaws. "Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem," the statement added. "This patch will be released at the end of January 2024."

The researchers wrote:

The Bosch Rexroth NXA015S-36V-B has vulnerabilities that make it possible for an unauthorized attacker to remotely execute arbitrary code (RCE) with root privileges and fully compromise the device by sending network packets to the target. Many different attack scenarios can occur after this illegal access is obtained. We were able to properly recreate the following two instances in our lab setting:

  1. Ransomware: By blocking a local operator from operating the drill through the onboard display and deactivating the trigger button, we were able to render the gadget utterly unusable. Moreover, we may modify the graphical user interface (GUI) to show any message on the screen that demands a ransom be paid. Because this assault can be easily automated across multiple devices, an attacker might quickly disable every tool on a production line, which could seriously disrupt the final asset owner.

  2. Manipulation of Control & View: We could subtly change the tightening programs' configuration, for example, by changing the target torque value. We could show the operator a normal value while patching the GUI on the onboard display in memory, keeping them entirely oblivious to the change.

In all, the researchers disclosed 23 weaknesses, with severity ratings between 5.5 and 8.8. They are as follows:

| CVE ID | CWE | CVSS v3.1 base score | CVSS v3.1 vector |
|---|---|---|---|
| CVE-2023-48252 | Improper Authorization (CWE-285) | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48253 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48243 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| CVE-2023-48250 | Use of Hard-coded Credentials (CWE-798) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48251 | Use of Hard-coded Credentials (CWE-798) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48262 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48263 | Heap-based Buffer Overflow (CWE-122) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48264 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48265 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48266 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48257 | Use of Weak Credentials (CWE-1391) | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2023-48242 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-48245 | Missing Authorization (CWE-862) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| CVE-2023-48246 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-48249 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-48255 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48248 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 5.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48258 | Cross-Site Request Forgery (CSRF) (CWE-352) | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| CVE-2023-48244 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 5.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48247 | Missing Authorization (CWE-862) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-48254 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 5.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48256 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') (CWE-113) | 5.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48259 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-48260 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-48261 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |

To exploit most of the vulnerabilities, an attacker would first need access to the web-based device administration interface, even if only with the lowest possible rights. According to Nozomi, an attacker could then build an attack chain around a path traversal vulnerability, which allows malicious code to be uploaded into a vulnerable directory and then executed. Combined with other vulnerabilities, such as a hardcoded account, the traversal weakness may allow even unauthenticated attackers to compromise devices. The researchers illustrated this attack chain with a diagram (not reproduced here).

Where an attacker's network access includes the device's communication protocols, such as OpenProtocol, they can instead gain remote code execution through one of the several buffer overflow vulnerabilities.

It is improbable that the weaknesses will ever be widely exploited. A ransomware attacker who gains access to a network probably has better tools at their disposal to escalate privileges and bring down or disrupt operations. Absent other vulnerabilities of that kind, however, disabling the wrenches in bulk would probably be sufficient on its own.

In addition, state-sponsored hackers or hacktivists driven by a cause could use the weaknesses to disrupt or undermine an adversary's operations. Whatever the likelihood, all users should install the updates as soon as they become available, given the risk of work stoppages and of critical settings being changed.