OTPulse

CAREL Boss-Mini

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-24-172-02
Published: Jun 20, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

CAREL Boss-Mini contains a path traversal vulnerability (CWE-22) that allows an attacker to manipulate an argument path, leading to information disclosure. Affected version: 1.4.0 (Build 6221). CAREL has released a fix in version 1.6.0 or later.

What this means
What could happen
An attacker could read sensitive configuration files or operational data from the Boss-Mini controller, potentially exposing process parameters, system settings, or other information that could be used to plan further attacks or disrupt operations.
Who's at risk
Water authorities and utilities operating CAREL Boss-Mini temperature and humidity control systems, particularly those running version 1.4.0 (Build 6221). The Boss-Mini is commonly used in HVAC control and facility management applications in critical infrastructure environments.
How it could be exploited
An attacker with network access to the Boss-Mini device could craft a malicious request that uses path traversal sequences (such as ../) or an absolute path to bypass access controls and read files outside the intended application directory. No authentication is required if the vulnerable function is exposed on a network-facing interface.
Prerequisites
  • Network access to the Boss-Mini device (port and service not specified in advisory)
  • No authentication required based on CVSS vector PR:N
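Added example (not code from the advisory, OTPulse, or CAREL): a path-containment check of the kind that closes this class of bug, followed by a triage routine that runs the same check over constructed access-log lines to spot the requests described above. The query argument name `path`, the base directory, and the log lines are assumptions, since the advisory does not name the vulnerable service or argument; the check also handles URL-encoded traversal, which goes beyond the two forms the text names.

```python
import os
import re
from urllib.parse import unquote


def resolve_under_base(base_dir: str, requested: str):
    """Return the canonical path for `requested` if it stays inside `base_dir`,
    otherwise None. Rejects '../' sequences and absolute paths (the two forms the
    advisory describes) and their URL-encoded variants, by canonicalising first."""
    base = os.path.realpath(base_dir)
    # Decode twice so %252e%252e%2f (double-encoded ../) is also caught;
    # decoding an already-clean path is a no-op.
    decoded = unquote(unquote(requested))
    # A file argument must be relative; an absolute path is rejected outright.
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        return None
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath avoids the "/base" vs "/base_other" string-prefix trap.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed sample access-log lines (not from the advisory); the `path`
# query argument and the base directory are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2024:10:01:02 +0000] "GET /files?path=reports/daily.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jun/2024:10:01:07 +0000] "GET /files?path=../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [20/Jun/2024:10:01:09 +0000] "GET /files?path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [20/Jun/2024:10:01:11 +0000] "GET /files?path=/etc/hosts HTTP/1.1" 200 300',
]

PATH_ARG = re.compile(r'[?&]path=([^ &"]+)')


def flag_traversal(log_lines, base_dir="/srv/app/files"):
    """Return (client, raw argument, HTTP status) for every request whose path
    argument would escape base_dir. A 200 on a flagged line indicates the read
    most likely succeeded and the file should be treated as disclosed."""
    hits = []
    for line in log_lines:
        m = PATH_ARG.search(line)
        if m and resolve_under_base(base_dir, m.group(1)) is None:
            client = line.split(" ", 1)[0]
            status = line.split('" ', 1)[1].split(" ")[0]
            hits.append((client, m.group(1), status))
    return hits


if __name__ == "__main__":
    for client, arg, status in flag_traversal(SAMPLE_LOG):
        print(f"{client} requested {arg!r} -> HTTP {status}")
```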
Tags:
  • Remotely exploitable over network
  • No authentication required
  • Low complexity attack
  • High EPSS score (39.2%)
  • Affects information confidentiality
  • Path traversal (CWE-22)
Exploitability
High exploit probability (EPSS 39.2%)
Affected products (1)
Product      Affected Versions      Fix Status
Boss-Mini    1.4.0 (Build 6221)     1.6.0 or later
Remediation & Mitigation
Do now
  • HARDENING: Change all default login credentials on the Boss-Mini device
  • HARDENING: Implement strong passwords using uppercase, lowercase, numbers, and special characters
  • HARDENING: Ensure Boss-Mini is not accessible from the internet; place it behind a firewall
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Boss-Mini firmware to version 1.6.0 or later
Long-term hardening
  • HARDENING: Deploy the Boss-Mini in a segregated internal network away from the business network, following CAREL's security guidance (doc code +030220471)