CVE-2021-23845
📋 TL;DR
This session hijacking vulnerability in the configuration web pages of Bosch B426/B429 devices lets an attacker who obtains a valid session identifier act as the authenticated user without knowing the credentials. Affected systems include Bosch B426-CN/B429-CN and B426-M devices running vulnerable software versions. The result is unauthorized access to the device configuration interface with the privileges of the hijacked session.
💻 Affected Systems
- Bosch B426-CN
- Bosch B429-CN
- Bosch B426-M
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attacker to reconfigure security settings, disable protections, or use device as pivot point into internal networks.
Likely Case
Unauthorized access to device configuration leading to service disruption, data exposure, or security policy changes.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to configuration interfaces.
🎯 Exploit Status
Exploitation requires the attacker to obtain a valid session token, by intercepting or predicting it, while a legitimate user is logged in to the configuration interface; the stolen token is then replayed from the attacker's own host. No public exploit code is known to be available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.08 and later
Vendor Advisory: https://psirt.bosch.com/security-advisories/bosch-sa-196933-bt.html
Restart Required: Yes
Instructions:
1. Download firmware version 3.08 or later from the Bosch support portal.
2. Back up the current configuration.
3. Upload the new firmware via the web interface.
4. Reboot the device.
5. Verify that the reported version is 3.08 or higher.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the configuration interface to trusted management networks only
Configure firewall rules to block external access to device management IP/ports
Session Timeout Reduction
Reduce session timeout values to shorten the window in which a captured token can be replayed
Configure web interface session timeout to minimum practical value
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict access controls
- Implement network monitoring for unusual access patterns to configuration interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: System > About or similar menu. If version is below 3.08, device is vulnerable.
Check Version:
Access device web interface and navigate to System Information/About page
Verify Fix Applied:
After patching, verify the version shows 3.08 or higher in System > About. Then test session management: log in, log out, and confirm that the old session no longer works by replaying the previous session cookie (the device should reject it and return you to the login page).
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login from different IP
- Session ID reuse from different source IPs
- Configuration changes from unexpected IP addresses
Network Indicators:
- Unusual traffic patterns to device management ports
- Management traffic to the device over unencrypted HTTP, which exposes session tokens to on-path capture
- Multiple connections to configuration interface from same source
SIEM Query (pseudo-syntax; adapt the field names, the allowed management IP or range, and the configuration URI prefix to your device and log source):
source_ip!=allowed_management_ip AND dest_port=443 AND uri_path CONTAINS "/config/" AND http_status=200
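The two strongest indicators above (one session ID seen from more than one source IP, and successful configuration requests from outside the management network) are easy to check offline against exported web-server or reverse-proxy logs. The following is an added example, not code from the Bosch advisory or any Bosch tool. It assumes the device's web interface, or a reverse proxy in front of it, logs the request's session cookie; the cookie name SESSIONID, the /config/ path prefix, the 10.1.50.0/24 management subnet and the log lines themselves are constructed placeholders.

```python
"""Session-hijacking indicators over constructed web access logs.

Added example (not from the Bosch advisory). Log format, cookie name,
path prefix and management subnet are all assumptions; replace them
with the fields your device or proxy actually emits.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: source ip, request line, status, session cookie (or "-").
# Session a1b2c3d4 is used first from the management network, then from an
# external address: the session-reuse pattern the page describes.
SAMPLE_LOG = """\
10.1.50.10 "GET /config/network HTTP/1.1" 200 SESSIONID=a1b2c3d4
10.1.50.10 "POST /config/network HTTP/1.1" 200 SESSIONID=a1b2c3d4
203.0.113.7 "GET /config/users HTTP/1.1" 200 SESSIONID=a1b2c3d4
203.0.113.7 "POST /config/users HTTP/1.1" 200 SESSIONID=a1b2c3d4
10.1.50.11 "GET /config/about HTTP/1.1" 200 SESSIONID=e5f6a7b8
10.1.50.12 "GET /login HTTP/1.1" 200 -
"""

# Assumed trusted management subnet (placeholder).
MANAGEMENT_NETS = [ip_network("10.1.50.0/24")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'(?:SESSIONID=(?P<sid>[0-9a-f]+)|-)$'
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "sid": m["sid"],  # None when no session cookie was sent
        })
    return events


def is_management_ip(ip):
    addr = ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def sessions_with_multiple_ips(events):
    """Log indicator: the same session ID presented from more than one source IP.

    Returns {session_id: sorted list of source IPs} for every such session.
    """
    ips_by_sid = defaultdict(set)
    for e in events:
        if e["sid"]:
            ips_by_sid[e["sid"]].add(e["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}


def config_access_outside_management(events):
    """SIEM-style check: successful /config/ requests from untrusted source IPs."""
    return [
        e for e in events
        if e["path"].startswith("/config/")
        and e["status"] == 200
        and not is_management_ip(e["ip"])
    ]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("sessions seen from multiple IPs:", sessions_with_multiple_ips(ev))
    for hit in config_access_outside_management(ev):
        print("config access from untrusted IP:", hit["ip"], hit["method"], hit["path"])
```

A session that appears from two addresses is not always a hijack (NAT changes, VPN reconnects), so treat the first check as a triage signal and correlate it with the second: a configuration change from outside the management network during a session that started inside it is the combination worth paging on.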