Bosch Rexroth IndraDrive PROFINET DoS Vulnerability Advisory (CVE-2024-48989)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: BOSCH-SA-315415 2. Vulnerability Number and CVSS v3.1 Score: - CVE-2024-48989 - Base Score: 7.5 (High) 3. Release Date: October 31, 2024 4. Update Date: October 31, 2024 5. Affected Products: - Bosch Rexroth AG IndraDrive FWA-INDRV MP - Versions: 17VRS < 20V36 6. Solution and Mitigation: - As of October 31, 2024, the vulnerability has been fixed. It is recommended to update the devices as soon as possible. - If device updates are not feasible, compensating controls such as network segmentation are advised. 7. Vulnerability Details: - Description: A vulnerability exists in the PROFINET stack implementation of Bosch Rexroth’s IndraDrive (all versions), allowing an attacker to send arbitrary UDP messages and cause the device to become unresponsive. - Type: CWE-400 - Uncontrolled Resource Consumption - CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - Base Score: 7.5 (High) 8. Notes: - Security Update Obligation: According to EU Directives 2019/770 and 2019/771 and their national transposition laws, you are responsible for downloading and installing any security updates we provide to maintain product or data security. We will not be liable for product defects if provided security updates are not installed within a reasonable time. - CVSS Scoring: Vulnerability classification uses the CVSS v3.1 scoring system. Environmental scoring should be defined by the customer based on their specific environment. 9. Additional Resources: - Bosch Rexroth Security Handbook: https://www.boschrexroth.com/various/utilities/mediadirectory/download/index.jsp?object_nr=R911342562 - Contact Bosch PSIRT: For feedback, comments, or additional information regarding this vulnerability, please contact psirt@bosch.com. 10. Revision History: October 31, 2024: Initial release. 11. Appendix: The vulnerability was responsibly discovered and disclosed by Roni Gavrilov of OTORIO. We thank them for their collaboration.

Goal Reached Thanks to every supporter — we hit 100%!

Bosch Rexroth IndraDrive PROFINET DoS Vulnerability Advisory (CVE-2024-48989)