A popular line of network-connected wrenches, used by manufacturers around the world to assemble delicate instruments and equipment, contains more than two dozen vulnerabilities that researchers say could let attackers disable or sabotage the tools.
The flaws, disclosed on Tuesday, affect the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless tool lets assembly engineers torque bolts and other mechanical fastenings to the precise levels on which safety and reliability depend. It connects wirelessly to the local network of the company using it.
Fastenings that are too loose can overheat and start fires; threads that are too tight can break and leave the joint effectively under-torqued. The Nutrunner provides a torque-level indicator display that is certified by the Association of German Engineers and was adopted by the automotive industry in 1999. The NEXO-OS firmware on the devices is managed through a browser-based administration interface.
Researchers at Nozomi Networks found 25 vulnerabilities in the device that can be chained to install malware. That malware could then disable entire fleets of the tools, or make them tighten fastenings too loosely or too tightly while the display continues to report that the critical parameters are correctly set.
In an emailed statement, Bosch officials said security is a top priority for the company and that the researchers had contacted Bosch several weeks before publishing the flaws. "Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem," the statement said. "This patch will be released at the end of January 2024."
The researchers wrote:
The Bosch Rexroth NXA015S-36V-B has vulnerabilities that make it possible for an unauthorized attacker to remotely execute arbitrary code (RCE) with root privileges and fully compromise the device by sending network packets to the target. Many different attack scenarios can occur after this illegal access is obtained. We were able to properly recreate the following two instances in our lab setting:
In all, the researchers disclosed 25 vulnerabilities, CVE-2023-48242 through CVE-2023-48266, with CVSS v3.1 base scores between 5.3 and 8.8. The full list, with the scores and vectors as published:

| CVE ID | CWE | CVSS v3.1 base score | CVSS v3.1 vector |
| --- | --- | --- | --- |
| CVE-2023-48252 | Improper Authorization (CWE-285) | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48253 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48243 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| CVE-2023-48250 | Use of Hard-coded Credentials (CWE-798) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48251 | Use of Hard-coded Credentials (CWE-798) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48262 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48263 | Heap-based Buffer Overflow (CWE-122) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48264 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48265 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48266 | Stack-based Buffer Overflow (CWE-121) | 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-48257 | Use of Weak Credentials (CWE-1391) | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2023-48242 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-48245 | Missing Authorization (CWE-862) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| CVE-2023-48246 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-48249 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-48255 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48248 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 5.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48258 | Cross-Site Request Forgery (CSRF) (CWE-352) | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| CVE-2023-48244 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 5.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48247 | Missing Authorization (CWE-862) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-48254 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | 5.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48256 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') (CWE-113) | 5.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2023-48259 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-48260 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-48261 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Most of the vulnerabilities require the attacker to first have access to the web-based device administration interface. Even with the lowest-privileged account, according to Nozomi, an attacker can build an attack chain around a path-traversal flaw that lets malicious code be uploaded into a directory from which it is then executed.
Combined with other flaws, such as the hard-coded account, the traversal bug lets unauthenticated attackers fully compromise devices. Nozomi published a diagram of the attack chain.
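The pattern at the heart of that chain is an upload handler that joins a client-supplied file name onto a directory without checking where the result lands. The following is an added illustration, not Bosch's or Nozomi's code and not the nutrunner's real filesystem layout (the upload root is hypothetical): the traversal-prone join beside a hardened version, written in Python for readability rather than in whatever the device's web stack uses.

```python
import posixpath

# Hypothetical upload directory used only for this illustration.
UPLOAD_ROOT = "/srv/uploads"


def naive_upload_path(client_filename):
    """What a traversal-prone handler does: trust the client's name and join it.

    posixpath.join discards the root entirely when the name is absolute, and
    normpath resolves '..' segments, so the result can land anywhere the
    web process can write, including directories whose contents get executed.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, client_filename))


def is_within(root, path):
    """True only if path is root itself or strictly below it.

    The trailing '/' matters: without it, '/srv/uploads_evil' would pass a
    plain startswith('/srv/uploads') test.
    """
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def escapes_root(client_filename):
    """Would the naive handler write outside UPLOAD_ROOT for this name?"""
    return not is_within(UPLOAD_ROOT, naive_upload_path(client_filename))


def safe_upload_path(client_filename):
    """Hardened version: keep only the last path component, allow a small
    character set, then re-check containment as defence in depth."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Treat backslashes as separators too, so 'a\..\..\x' cannot smuggle segments.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("no usable filename")
    if name.startswith("."):
        raise ValueError("hidden files not accepted")
    if not all(c.isalnum() or c in "._-" for c in name):
        raise ValueError("disallowed character in filename")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if not is_within(UPLOAD_ROOT, candidate):
        raise ValueError("path escapes upload root")
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one benign, two traversal attempts.
    for n in ("report.csv", "../../etc/cron.d/job", "/etc/passwd"):
        print(f"{n!r}: naive -> {naive_upload_path(n)} (escapes={escapes_root(n)})")
        try:
            print(f"    safe  -> {safe_upload_path(n)}")
        except ValueError as e:
            print(f"    safe  -> rejected: {e}")
```

The containment check alone is not enough on a real device: if the upload directory is itself served or executed (the situation the attack chain relies on), even a perfectly contained upload is still code execution, so the directory must be outside any executable or CGI path and mounted without execute permission.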
Alternatively, an attacker with network access to the device's communication protocols, such as OpenProtocol, can exploit one of several buffer overflows to execute code remotely. The table rates those overflows as network-reachable with no privileges required, but with high attack complexity.
The vulnerabilities are unlikely to be exploited widely. A ransomware crew that gains access to a network probably has better tools for escalating privileges and halting operations, assuming no further similar flaws exist; then again, disabling wrenches in bulk would probably be disruptive enough on its own.
Government-backed hackers or hacktivists could also use these weaknesses to disrupt or sabotage an adversary's operations. Whatever the likelihood, the risk of work stoppages or silently altered torque settings means all users should install the update as soon as it becomes available.