CVE-2021-23842 MEDIUM

CVE-2021-23842: Use of Hard-coded Cryptographic Key

Vendor Bosch
Product AMS
Weakness CWE-321
Published January 19, 2022
Last update September 16, 2024

CVSS base score

5.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device's firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet.

Key dates

Disclosure timeline

January 19, 2022 CVE published
September 16, 2024 Record updated