High-Severity Flaws Uncovered in Bosch Thermostats and Smart Nutrunners

January 15, 2024 at 11:44AM

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners, allowing attackers to execute arbitrary code. Bitdefender discovered the BCC100 thermostat flaw, which Bosch addressed in November 2023. Additionally, Rexroth nutrunners have over two dozen vulnerabilities, with patches expected by January 2024. These vulnerabilities could be used by attackers for nefarious activities.

Key Takeaways:

1. Bosch BCC100 Thermostats Vulnerabilities:
– Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats.
– Exploitation of these vulnerabilities could allow attackers to execute arbitrary code on affected systems.
– The high-severity vulnerability, tracked as CVE-2023-49722, was addressed by Bosch in November 2023.
– Bosch has corrected the vulnerabilities in firmware version 4.13.33 by closing the open port 8899, which was used for debugging purposes.

2. Rexroth NXA015S-36V-B Smart Nutrunners Vulnerabilities:
– Over two dozen critical flaws have been identified in Rexroth NXA015S-36V-B smart nutrunners by Nozomi Networks.
– These vulnerabilities could be used to disrupt operations, tamper with critical configurations, and even install ransomware.
– The vulnerabilities could lead to remote execution of arbitrary code (RCE) and compromise the safety of the assembled product.
– Patches for the vulnerabilities impacting several devices are expected to be shipped by Bosch by the end of January 2024.

3. Lantronix EDS-MD IoT Gateway Vulnerabilities:
– Pentagrid identified vulnerabilities in the Lantronix EDS-MD IoT gateway for medical devices, including one that could be used to execute arbitrary commands as root.
– Users are recommended to review accounts that have login access to the device and limit its network reachability as much as possible.

Overall, the article covers significant security vulnerabilities in Bosch BCC100 thermostats, Rexroth NXA015S-36V-B smart nutrunners, and the Lantronix EDS-MD IoT gateway. Efforts are underway to address these vulnerabilities and prevent potential exploitation.
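
The following is an added example, not code from the article or from Bosch: a defender-side audit of an asset inventory against the two facts given for the BCC100 above, the fixed firmware version 4.13.33 and the debug port 8899. It checks reachability as well as the version string, because a recorded version alone does not confirm the port is closed. The inventory record format, the addresses and the function names are assumptions made for illustration.

```python
import socket

FIXED_FIRMWARE = (4, 13, 33)  # version the article says closes port 8899
DEBUG_PORT = 8899             # debug port named in the article


def parse_version(text):
    """Turn '4.13.33' into (4, 13, 33); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def port_open(host, port=DEBUG_PORT, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit(device, probe=port_open):
    """Classify one inventory record of the assumed form {'host', 'firmware'}."""
    findings = []
    try:
        # Compare as integer tuples: as strings, "4.9.100" would sort above "4.13.33".
        if parse_version(device["firmware"]) < FIXED_FIRMWARE:
            findings.append("firmware-below-4.13.33")
    except (KeyError, ValueError):
        findings.append("firmware-unknown")
    if probe(device["host"]):
        findings.append("port-8899-reachable")
    return findings


# Constructed inventory using documentation addresses, not real devices.
INVENTORY = [
    {"host": "192.0.2.10", "firmware": "4.13.22"},
    {"host": "192.0.2.11", "firmware": "4.13.33"},
    {"host": "192.0.2.12", "firmware": "n/a"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["host"], audit(dev) or ["ok"])
```

A device that reports a fixed version but still shows `port-8899-reachable` is worth a manual look, since the inventory entry may be stale.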