CVE-2021-23858
📋 TL;DR
This vulnerability allows unauthenticated attackers to access sensitive configuration data including user credentials and device information through unprotected web server resources. It affects Bosch Rexroth ctrlX CORE devices running vulnerable firmware versions. Attackers can retrieve hashed passwords and device details without any authentication.
💻 Affected Systems
- Bosch Rexroth ctrlX CORE
📦 What is this software?
- Rexroth Indramotion Mlc L20 Firmware by Bosch
- Rexroth Indramotion Mlc L25 Firmware by Bosch
- Rexroth Indramotion Mlc L40 Firmware by Bosch
- Rexroth Indramotion Mlc L45 Firmware by Bosch
- Rexroth Indramotion Mlc L65 Firmware by Bosch
- Rexroth Indramotion Mlc L75 Firmware by Bosch
- Rexroth Indramotion Mlc L85 Firmware by Bosch
- Rexroth Indramotion Mlc Xm21 Firmware by Bosch
- Rexroth Indramotion Mlc Xm22 Firmware by Bosch
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials, gain full control of affected devices, pivot to internal networks, and potentially cause physical damage in industrial environments.
Likely Case
Attackers harvest user credentials and device information for reconnaissance, credential stuffing attacks, or to identify vulnerable systems for further exploitation.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure without enabling further system compromise.
🎯 Exploit Status
Simple HTTP requests to specific unprotected endpoints can retrieve sensitive data. No special tools or skills required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware V1.5 and later
Vendor Advisory: https://psirt.bosch.com/security-advisories/bosch-sa-741752.html
Restart Required: Yes
Instructions:
1. Download firmware V1.5 or later from the Bosch Rexroth support portal.
2. Back up the device configuration.
3. Apply the firmware update via the web interface or the local update method.
4. Verify that the update completed successfully.
5. Restart the device.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks using firewalls or VLANs.
Access Control Lists
Implement IP-based restrictions to limit access to the web interface.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate devices from untrusted networks
- Deploy web application firewall to block access to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Attempt HTTP GET requests to the /api/v1/configuration and /api/v1/device endpoints without authentication. If configuration data or device details are returned, the system is vulnerable.
Check Version:
Check the firmware version in the web interface under System Information, or via SSH: cat /etc/ctrlx-version
Verify Fix Applied:
After patching, repeat the same HTTP requests. You should receive an authentication-required error, or at least no sensitive data should be returned.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful access to configuration endpoints
- Unusual access patterns to /api/v1/configuration or /api/v1/device
Network Indicators:
- HTTP GET requests to vulnerable endpoints from unauthorized IP addresses
- Traffic patterns indicating credential harvesting
SIEM Query:
source="web_server" AND (uri="/api/v1/configuration" OR uri="/api/v1/device") AND response_code=200 AND auth_status="none"
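The SIEM query above expressed as detection logic over web server access logs, as an added example that is not part of the original advisory or of any Bosch tooling. The log layout (combined-log style with a trailing auth= field), the sample lines and the allow-listed engineering-station address are all constructed assumptions; only the two endpoint paths come from the advisory.

```python
import re

# Constructed sample access-log lines: combined-log-like layout with a trailing
# "auth=<user|none>" field. The real ctrlX log format is an assumption here.
SAMPLE_LOG = """\
10.0.5.17 - - [12/May/2021:08:01:02 +0000] "GET /api/v1/configuration HTTP/1.1" 200 4123 auth=none
10.0.5.17 - - [12/May/2021:08:01:03 +0000] "GET /api/v1/device HTTP/1.1" 200 887 auth=none
10.0.5.44 - - [12/May/2021:08:02:10 +0000] "GET /api/v1/configuration HTTP/1.1" 200 4123 auth=admin
10.0.5.44 - - [12/May/2021:08:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 auth=none
10.0.5.17 - - [12/May/2021:08:03:00 +0000] "GET /api/v1/configuration HTTP/1.1" 401 0 auth=none
"""

SENSITIVE_PATHS = {"/api/v1/configuration", "/api/v1/device"}  # from the advisory
ALLOWED_CLIENTS = {"10.0.5.44"}  # constructed allow-list of engineering stations

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ auth=(?P<auth>\S+)$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_unauthenticated_disclosures(log_text, allowed_clients=ALLOWED_CLIENTS):
    """Alert on successful (200) requests to the sensitive endpoints that carried
    no authenticated identity; this mirrors the SIEM query's conditions."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path in SENSITIVE_PATHS and rec["status"] == 200 and rec["auth"] == "none":
            alerts.append({"ip": rec["ip"], "path": path, "ts": rec["ts"],
                           "unexpected_source": rec["ip"] not in allowed_clients})
    return alerts

def count_by_client(alerts):
    """Group alerts by source address to spot a single host sweeping both endpoints."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts
```

The 401 response and the authenticated admin request are deliberately left out of the alerts, so the rule only fires on the condition the advisory describes: data returned with no authentication.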