BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83, used by Bigfish V3 and PR21 (Energy Platform) devices and the Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution.

The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges on the device by brute-forcing a weak password. The second vulnerability may allow a remote authenticated attacker to gain unauthorized read access to local operating system files outside the web server root.

Both vulnerabilities are closed with BF-OS version 3.84, which Bosch will install remotely for affected customers after agreeing on a suitable maintenance window. Affected customers do not have to take further action.

The vulnerabilities were identified in an internal penetration test. Bosch is currently not aware of exploitation of these vulnerabilities in the wild.


https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html