Advisory Information

Summary

A recently discovered security vulnerability affects several Bosch software applications and hardware systems. It potentially allows the attacker to redirect users to an arbitrary URL. Bosch rates this vulnerability at CVSS v3.0 6.1 (Medium) and recommends customers to upgrade devices with fixed software versions.

As of 2019-04-04, updated firmware files are published on the Bosch Download Area ( Link ).

As of 2019-04-04, there is currently no indication that the exploitation code is either publicly known or utilized.

If a software update is not possible in a timely manner, a reduction in the systems network exposure is advised. Internet-accessible systems should be firewalled, whilst additional steps like network isolation by VLAN, IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable devices.

The vulnerability was discovered and responsibly disclosed to Bosch by the external researcher Adrián Quirós Godoy.

Affected Products

Hardware

Bosch DIVAR IP 2000

For the Bosch DIVAR IP 2000 the following fixed firmware versions are suggested:

  • Vulnerable Versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62
  • Fixed Versions: 3.62.0019 (and newer)

Bosch DIVAR IP 5000

For the Bosch DIVAR IP 5000 the following fixed firmware versions are suggested:

  • Vulnerable Version: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62
  • Fixed Version: 3.80.0033 (and newer)

Software

Video Recording Manager (VRM)

For the VRM the following fixed firmware versions are suggested:

  • Vulnerable Version: 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62
  • Fixed version: 3.70.0056 (and newer); 3.81.0032 (and newer)

Bosch Video Management System (BVMS)

For the BVMS the following fixed firmware versions are suggested:

BVMS Version Vulnerable VRM Version (until and including) Fixed VRM Version (and later)
6.0 3.50.00XX Upgrade to BVMS 7.5
6.5 3.55.00XX Upgrade to BVMS 7.5
7.0 3.60.00XX Upgrade to BVMS 7.5
7.5 3.60.00XX 3.70.0056
7.5 3.70.0056 (Not vulnerable)
8.0 3.70.0056 (Not vulnerable)
9.0 3.81.0032 (Not vulnerable)


Solution

Software Updates

The recommended approach is to update the software of affected Bosch Products to a fixed version. If an update is not possible in a timely manner, the mitigation approach Firewalling can be utilized. A list of affected devices and fixed software versions is available in the “Affected Products” chapter of this document.

Mitigations and Workarounds

Firewalling (Network)

It is advised that the devices should not be exposed directly to the internet or other insecure networks. This includes port-forwarding, which would not protect devices adequately. Firewalling a device significantly reduces its attack surface.

Vulnerability Details

Vulnerability Classification and Solution Approach

This vulnerability is classified as ‘Open Redirect’ and is located in the webserver. It is accordingly ranked as “CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)”. The webserver fix utilizes additional sanitizing steps. The vulnerability resides in the software since version 3.10. The vulnerability is fixed in version 3.80 or higher. Prior versions are considered unaffected.

The vulnerability can be used to allow an attackers to redirect users to an arbitrary URL. This would enable a potential attacker, for example, to successfully redirect the user-request in the web browser to a potentially malicious website. A commonly necessary prerequisite for this attack is an internet connected system. An affected Bosch system should be secured by updating to a fixed version and changing passwords.

Vulnerability classification has been performed using the CVSSv3 scoring system (http://www.first.org/cvss/) . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] (pdf) Bosch BT Security Advisory
[2] Software updates: Bosch Download Area
[3] Bosch Building Technologies Security Advisory page
[4] (pdf) Hardening Guide
[5] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

03 Apr 2019: Initial Publication