Covertly tampering with tightening programs also carries potential health and safety risks: As the recent in-flight emergency involving a Boeing 737 Max 9 plane operated by Alaska Airlines has shown, inadequately tightened bolts can lead to extremely dangerous situations.
The Bosch Rexroth NXA015S-36V-B nutrunner is powered by NEXO-OS, a Linux-based operating system that allows users to generate and configure tightening programs and analyse and diagnose tightening cases via the management web application.
It has a built-in display and connects to wireless networks via an embedded Wi-Fi module.
The device supports a number of communication protocols that are used to integrate it with SCADA systems, PLCs, or other production devices.
The management web app is exposed on the internet by default, they say.
They also told us that most of the vulnerabilities are remotely exploitable - an attacker does not need to be on the same subnet to compromise vulnerable devices.
Bosch Rexroth nutrunners are widely used in automotive production lines.
Determined threat actors could leverage the vulnerabilities to stop the production or affect the quality of manufactured products, leading to delays, product recalls, reputational damage, accidents, etc.
There has been no mention of these vulnerabilities being exploited by threat actors, but once technical details and updated firmware are made available, there's a chance some enterprising, skilled attackers might find it profitable to do the same research and use what they discovered.
As confirmed by Bosch Rexroth, the vulnerabilities affect Nexo cordless nutrunners from the NXA, NXP and NXV series, as well as a number of other similar devices.
For now, Nozomi refrained from publishing technical details about the vulnerabilities.
Bosch Rexroth says that roughly half of the vulnerabilities will be fixed in the updated firmware version that will be released later this month, and has provided mitigation advice for CVE-2023-48257.
The researchers advise restricting the network reachability of the device as much as possible, reviewing all accounts that have login access to the devices, and deleting unnecessary ones.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 09 Jan 2024 16:13:45 +0000