Summary

Two issues have been discovered affecting the Bosch digital recorder DIVAR 400 & 600 series, which do not reflect current state-of-the art technology. These issues apply to recorders which are connected to an open network. Bosch strongly recommends to operate the digital recorder DIVAR 400 & 600 series in a closed network. The mentioned vulnerabilities do not apply as long as the recorder is operated in a closed network.

Affected Products

The affected products are Bosch digital recorder DVR 400 & 600 series. These products were announced end of life in 2014.

Solution

Closed network

Bosch strongly recommends to operate the digital recorder DVR 400 & 600 series in a closed network. The above vulnerabilities do not apply as long as the recorder is operated in a closed network.

Upgrade hardware

Customers who want to operate their recorder in an open network are strongly advised to update their recorder to the latest Bosch recording portfolio (DIVAR Hybrid and Network recording solutions).

Vulnerability Details

These vulnerabilities are classified as ‘Improper Access Control’ and ‘Unprotected Credentials’. It is accordingly ranked as “CWE-284: Improper Access Control” and “CWE-522: Insufficiently Protected Credentials”.

The first issue, improper access control, concerns the ability to access information in the application without authenticating. By accessing a specific uniform resource locator (URL) on the built-in webserver, a malicious user might able the access information in the application. The second issue is that passwords are presented in a file that is accessible without authentication. In addition to that, the administrator credentials could be acquired by XML injection of the shell code. It is important to note that this issue is severe; when obtaining the administrator credentials, root access can be acquired and the availability system is at risk.

Vulnerability classification has been performed using the CVSSv3 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Acknowledgement

The vulnerability was discovered and disclosed to Bosch in a coordinated manner by the external researcher, Maxim Rupp.

Additional Resources

  1. (pdf) Bosch BT Security Advisory
  2. Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

22 Jan 2019: Initial Publication