As production lines become increasingly reliant on interconnected computer systems, the risk of cybercriminal exploitation looms large.
In this blog, we detail new vulnerabilities discovered in the Bosch Rexroth NXA015S-36V-B, a popular smart nutrunner (pneumatic torque wrench) used in automotive production lines. We demonstrate that these vulnerabilities could make it possible to implant ransomware on the device, which could be used to cause production line stoppages and potentially large-scale financial losses to asset owners. Another exploitation scenario would allow a threat actor to hijack tightening programs while manipulating the onboard display, causing undetectable damage to the product being assembled or making it unsafe to use. Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it through excessive tightening.
In critical applications, the final torque levels applied to mechanical fastenings are calculated and engineered to ensure that the overall design and operational performance of the device is met. As an example, bolts, nuts and fixtures used in electrical switchboards must be torqued appropriately to ensure that connections between current carrying components, such as high voltage busbars, maintain a low resistance. A loose connection would result in higher operating temperatures and could, over time, cause a fire.
As these vulnerabilities, primarily in the NEXO-OS operating system, have yet to be patched, we will not reveal any technical details in this blog. Bosch Rexroth has committed to releasing patches by the end of January 2024. In the interim, this article contains some mitigations that asset owners can implement to safeguard against cyberattacks. For Nozomi Networks customers, our Threat Intelligence service has been updated to identify any exploitation attempts related to these issues.
The Bosch Rexroth NXA015S-36V-B and NEXO-OS
The NXA015S-36V-B is a cordless, handheld pneumatic torque wrench (nutrunner) in the Bosch Rexroth NXA Angle head family. It is specifically engineered for safety-critical tightening operations falling under category A of VDI 2862, a standard established by the Association of German Engineers (VDI) and adopted by the automotive industry in 1999.
The nutrunner is equipped with a visual display presenting real-time data and activity results to the operator. Additionally, it has the capability to connect to a wireless network through its embedded Wi-Fi module. In this configuration, data can be transmitted using various supported protocols to a designated historian server, and the device can be remotely reprogrammed using the management services provided by its NEXO-OS operating system.
NEXO-OS serves as the Linux-based operating system powering the nutrunner. It presents a range of application choices, encompassing tightening system configuration, the generation of tightening programs by specifying processes, and the analysis and diagnosis of tightening cases, through the exposed management web application. It also supports a wide range of communication protocols such as Rexroth OpenProtocol, VW-XML, and BMW-TPC, so that the nutrunner can be seamlessly integrated with SCADA systems, PLCs, or other production devices.
The majority of the vulnerabilities identified by Nozomi Networks Labs affect the management web application, although a few were found in the services that parse the protocols mentioned above. In the next section we outline the key impacts that could result from the exploitation of these flaws. The full list of vulnerabilities follows immediately after it.
What Are the Impacts of These Vulnerabilities?
The vulnerabilities found on the Bosch Rexroth NXA015S-36V-B allow an unauthenticated attacker who is able to send network packets to the target device to obtain remote code execution (RCE) with root privileges, completely compromising it. Once this unauthorized access is gained, numerous attack scenarios become possible. Within our lab environment, we successfully reconstructed the following two scenarios:
- Ransomware: we were able to make the device completely inoperable by preventing a local operator from controlling the tool through the onboard display and by disabling the trigger button. Furthermore, we could alter the graphical user interface (GUI) to display an arbitrary message on the screen, requesting the payment of a ransom. Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.
- Manipulation of Control and View: we managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.
Aside from the potential health and safety risks which may arise from improperly torqued fastenings in critical devices, the potential for business harm extends into other types of losses.
An overtightened connection places excess stress on the bolt and nut which, again over time, causes premature failure of the fixture, either through failure of the threads themselves or because the elastic limit of the material is exceeded and it deforms. As the fixture stretches or the threads fail, the integrity of the connection is compromised, again resulting in a loose connection. Mechanical failures of this kind not only cost the end user and customer revenue and productivity; they are also likely to result in excessive warranty claims and reputational damage to your business, and could amount to a significant financial risk or loss over an extended period of time.
Depending on a manufacturer’s use and business configuration, devices such as the nutrunner may form a critical part of the quality management and assurance program in an enterprise, possibly even the last line of quality assurance. Compromise of the integrity in this final link in the quality chain may be difficult to detect, and have far reaching financial consequences resulting from compromised production quality over time.
Vulnerability List and Affected Versions
The following table lists all vulnerabilities found, ordered by CVSS v3.1 base score.
All CVEs affect the following versions of NEXO-OS:
- <= NEXO-OS V1500-SP2
All CVEs affect the following Bosch Rexroth products:
- Rexroth Nexo cordless nutrunner NXA011S-36V (0608842011)
- Rexroth Nexo cordless nutrunner NXA011S-36V-B (0608842012)
- Rexroth Nexo cordless nutrunner NXA015S-36V (0608842001)
- Rexroth Nexo cordless nutrunner NXA015S-36V-B (0608842006)
- Rexroth Nexo cordless nutrunner NXA030S-36V (0608842002)
- Rexroth Nexo cordless nutrunner NXA030S-36V-B (0608842007)
- Rexroth Nexo cordless nutrunner NXA050S-36V (0608842003)
- Rexroth Nexo cordless nutrunner NXA050S-36V-B (0608842008)
- Rexroth Nexo cordless nutrunner NXA065S-36V (0608842013)
- Rexroth Nexo cordless nutrunner NXA065S-36V-B (0608842014)
- Rexroth Nexo cordless nutrunner NXP012QD-36V (0608842005)
- Rexroth Nexo cordless nutrunner NXP012QD-36V-B (0608842010)
- Rexroth Nexo cordless nutrunner NXV012T-36V (0608842015)
- Rexroth Nexo cordless nutrunner NXV012T-36V-B (0608842016)
- Rexroth Nexo special cordless nutrunner (0608PE2272)
- Rexroth Nexo special cordless nutrunner (0608PE2301)
- Rexroth Nexo special cordless nutrunner (0608PE2514)
- Rexroth Nexo special cordless nutrunner (0608PE2515)
- Rexroth Nexo special cordless nutrunner (0608PE2666)
- Rexroth Nexo special cordless nutrunner (0608PE2673)
There are diverse methods through which an attacker could potentially execute root-level code on the device. Take, for example, the web management interface, which is always exposed on the network. With a valid account, even one holding the lowest available privileges, exploiting an issue such as the path traversal in file upload (CVE-2023-48243) would be enough to reach that goal. An unauthenticated attacker might still succeed by chaining this with the exploitation of other issues to first gain valid authenticated access to the device, such as the abuse of one of the hardcoded accounts (CVE-2023-48250). This attack chain is represented in the diagram in Figure 4.
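To make the "path traversal in file upload" class concrete from the defender's side, here is an added example, written for this article and not taken from NEXO-OS, Bosch Rexroth or the advisory: an upload handler that joins a client-supplied filename onto the upload root verbatim, beside a hardened version that accepts only a single, allow-listed path component. UPLOAD_DIR, MAX_NAME, the sample filenames and the function names are all hypothetical values chosen for the illustration.

```c
/* Added example (not code from NEXO-OS or Bosch Rexroth): the upload-handler
 * pattern behind a path traversal in file upload, beside a hardened version.
 * UPLOAD_DIR and MAX_NAME are hypothetical values chosen for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UPLOAD_DIR "/var/www/uploads"   /* hypothetical upload root */
#define MAX_NAME   64                    /* arbitrary name-length limit */

/* Vulnerable pattern: joins the client-supplied name onto the upload root
 * verbatim, so "../" segments walk out of UPLOAD_DIR. Returns 0 on success,
 * -1 if the result did not fit in out. */
int unsafe_upload_path(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", UPLOAD_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened allow-list: a valid upload name is one path component built from
 * a conservative character set, is neither "." nor "..", and is not empty or
 * over-long. Anything else (slashes, backslashes, spaces, control bytes) is
 * rejected outright rather than sanitised. */
bool is_safe_upload_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Hardened builder: only names that pass the allow-list reach the join.
 * Returns 0 on success, -1 if the name was rejected or the path truncated. */
int safe_upload_path(const char *name, char *out, size_t outlen)
{
    if (!is_safe_upload_name(name)) return -1;
    return unsafe_upload_path(name, out, outlen);
}

/* Lexical containment check used to show the difference between the two:
 * true only if path is UPLOAD_DIR followed by exactly one more component. */
bool stays_in_upload_dir(const char *path)
{
    const char *prefix = UPLOAD_DIR "/";
    size_t plen = strlen(prefix);
    if (strncmp(path, prefix, plen) != 0) return false;
    const char *rest = path + plen;
    return *rest != '\0' && strchr(rest, '/') == NULL &&
           strcmp(rest, "..") != 0 && strcmp(rest, ".") != 0;
}

int main(void)
{
    /* Constructed sample names: one benign, two that try to leave the root. */
    const char *samples[] = { "report-2024.csv", "../../../etc/passwd", "a/b.bin" };
    char path[256];
    for (size_t i = 0; i < 3; i++) {
        int rc = unsafe_upload_path(samples[i], path, sizeof path);
        printf("unsafe join  %-22s -> %s (%s)\n", samples[i], rc == 0 ? path : "?",
               rc == 0 && stays_in_upload_dir(path) ? "contained" : "ESCAPES");
        printf("safe builder %-22s -> %s\n", samples[i],
               safe_upload_path(samples[i], path, sizeof path) == 0 ? path : "rejected");
    }
    return 0;
}
```

The design point is that the hardened version never tries to "clean" a bad name; it rejects anything that is not a plain filename, which is the only input an upload endpoint legitimately needs. Note also why a least-privileged account is enough in the scenario above: if the web server process itself runs as root, a write anywhere on the filesystem is a root-level write regardless of which account uploaded the file.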
Additionally, if any of the communication protocols for the integration with other systems (e.g., OpenProtocol) are enabled, exploiting the device becomes as simple as abusing just one of the identified buffer overflow vulnerabilities (such as CVE-2023-48265), as they all can be triggered without providing authentication details. This attack is depicted in Figure 5.
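The protocol-side entry point is a different failure mode: a parser that trusts a length field supplied by the peer. The following added example is not code from NEXO-OS or from any of the protocols named above; it uses an assumed framing (four ASCII decimal digits giving the total frame length, then the body), loosely in the spirit of ASCII length-prefixed protocols such as OpenProtocol but not the real wire format of any product. MAX_FRAME, the result codes and the sample frames are constructed for the illustration.

```c
/* Added example (not NEXO-OS code): bounds-checking a length-prefixed frame
 * before copying it into a fixed-size buffer. The framing is assumed for
 * this illustration: 4 ASCII decimal digits = total frame length, then body. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   4
#define MAX_FRAME 64   /* fixed receive buffer size in this example */

typedef struct {
    char   body[MAX_FRAME];
    size_t body_len;
} frame_t;

enum parse_result { PARSE_OK, PARSE_BAD_HEADER, PARSE_TOO_LONG, PARSE_TRUNCATED };

/* Read the declared length: exactly HDR_LEN digits; -1 if malformed. */
static int declared_length(const unsigned char *in, size_t inlen)
{
    if (inlen < HDR_LEN) return -1;
    int len = 0;
    for (size_t i = 0; i < HDR_LEN; i++) {
        if (!isdigit(in[i])) return -1;
        len = len * 10 + (in[i] - '0');
    }
    return len;
}

/* Vulnerable pattern, shown for contrast only and not executed here:
 *     int n = declared_length(in, inlen);
 *     memcpy(out->body, in + HDR_LEN, n - HDR_LEN);   // trusts n
 * A peer declaring n = 9999 makes the copy run past the 64-byte destination
 * and past the end of the data actually received, with no authentication
 * involved at any point. */

/* Hardened parse: the declared length must cover the header, fit the
 * destination, and not exceed what was actually received. */
enum parse_result parse_frame(const unsigned char *in, size_t inlen, frame_t *out)
{
    int n = declared_length(in, inlen);
    if (n < HDR_LEN) return PARSE_BAD_HEADER;   /* also covers n == -1 */
    size_t body_len = (size_t)n - HDR_LEN;
    if (body_len > MAX_FRAME) return PARSE_TOO_LONG;
    if ((size_t)n > inlen) return PARSE_TRUNCATED;
    memcpy(out->body, in + HDR_LEN, body_len);
    out->body_len = body_len;
    return PARSE_OK;
}

/* Convenience wrapper for NUL-terminated constructed samples. */
enum parse_result parse_frame_str(const char *s, frame_t *out)
{
    return parse_frame((const unsigned char *)s, strlen(s), out);
}

int main(void)
{
    /* Constructed frames: valid, oversized length, short data, bad digits. */
    static const char *samples[] = { "0014hello-tool", "9999hello", "0030hello", "00x4hello" };
    static const char *names[]   = { "OK", "BAD_HEADER", "TOO_LONG", "TRUNCATED" };
    frame_t f;
    for (size_t i = 0; i < 4; i++) {
        enum parse_result r = parse_frame_str(samples[i], &f);
        printf("%-16s -> %s", samples[i], names[r]);
        if (r == PARSE_OK) printf(" body=%.*s", (int)f.body_len, f.body);
        printf("\n");
    }
    return 0;
}
```

The order of the checks matters: the destination-size check comes before the received-length check so that an absurd declared length is classified as hostile input rather than as an incomplete read that the caller might wait on. In a detection context, frames rejected with PARSE_TOO_LONG or PARSE_BAD_HEADER from a host that is not a known integration peer are exactly the kind of event worth alerting on.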
Today, a wide variety of vulnerabilities are discovered every day, and it is safe to say that most attacks, especially in OT and IoT environments, fall short of their full potential damage, not for lack of access or unauthorized control, but because the attackers themselves do not know how to operate the devices they are breaking into. Nonetheless, it is extremely important to remain aware of and proactive in anticipating these vulnerabilities, because their potential damage, as we demonstrated, is undoubtedly devastating. In the next section, we provide some workarounds that asset owners can enact to mitigate these issues.
Bosch Rexroth is set to deliver official patches by the end of January 2024. In the meanwhile, we advise adopting the following mitigations to protect against cyberattacks:
- Given that some vulnerabilities are 0-click unauthenticated root RCE, we recommend restricting the network reachability of the device as much as possible, so that only authorized personnel and trusted computers/servers can communicate with it;
- As some vulnerabilities can be exploited by authenticated users only, we suggest reviewing all accounts that have login access to the device and deleting unnecessary ones;
- Finally, a few vulnerabilities require authenticated users to click on links or visit malicious webpages while logged in to the management web application. To counteract these, we advise being cautious when opening untrusted links or visiting external websites with a browsing session to the management web application in progress.
Nozomi Networks customers may detect exploitation attempts against these vulnerabilities, or vulnerable devices in their network, by downloading the latest update of the Threat Intelligence feed.
While two general attack examples are discussed here, it is worth the effort to assess the potential impact of any of these attacks to your organization and technologies, either applied alone or in combination.
A group of malicious hackers might render an assembly line unusable until you pay the threat group a fortune in cryptocurrency. The resulting ransom demand may be millions of dollars, before considering the remediation and response costs. Finally, availability and quality disruptions could result in reputational damage, especially if an organization is unprepared for downtime or a product is unavailable for an extended period of time.
In the long term, undetected alteration of tightening programs could affect product quality, forcing you to recall thousands of products already on the market. A threat group or individual might reach out to you revealing a potential flaw in the manufacturing process, but withhold the full details until you pay for them. The implications are extensive, from potentially dangerous accidents to complex lawsuits arising from defective product operation, and the potential for ransomware: the sky is the limit when it comes to potential impacts.
Fortunately, these vulnerabilities have been researched and disclosed by our team, and we are working together with the manufacturer to provide timely information and collaborate in the delivery of patches to the public.
The Nozomi Networks solution closes the security gaps by detecting potential attacks and providing visibility of existing vulnerabilities, while our Nozomi Labs team constantly tests products and detects new vulnerabilities, giving customers and manufacturers the edge in their security environments.