Summary

A recently discovered security vulnerability affects several Bosch software applications and hardware systems. Once authenticated, an attacker can potentially read arbitrary files on the system via the network interface. Bosch rates this vulnerability at CVSS v3.0 4.9 (Medium) and recommends that customers upgrade affected devices to the fixed software versions.

As of 2019-04-04, updated firmware files are published on the Bosch Download Area.

As of 2019-04-04, there is no indication that exploit code is publicly known or being used.

If a software update is not possible in a timely manner, reducing the system's network exposure is advised. Internet-accessible systems should be placed behind a firewall, and additional measures such as network isolation by VLAN, the IP filtering features of the devices and similar technologies should be used to decrease the exposure of vulnerable devices.

The vulnerability was discovered and responsibly disclosed to Bosch by the external researcher Adrián Quirós Godoy.

Affected Products

Hardware

Bosch DIVAR IP 2000

For the Bosch DIVAR IP 2000 the vulnerable and fixed firmware versions are:

  • Vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62
  • Fixed version: 3.62.0019 (and newer)

Bosch DIVAR IP 5000

For the Bosch DIVAR IP 5000 the vulnerable and fixed firmware versions are:

  • Vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62
  • Fixed version: 3.80.0033 (and newer)

Software

Video Recording Manager (VRM)

For the VRM the vulnerable and fixed software versions are:

  • Vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; 3.70; 3.71 (except 3.71.0032 and newer)
  • Fixed versions: 3.71.0032; 3.81.0032 (and newer)

Bosch Video Management System (BVMS)

For BVMS, the vulnerable and fixed VRM versions per BVMS release are:

BVMS Version | Vulnerable VRM Version (up to and including) | Fixed VRM Version (and later)
6.0          | 3.50.00XX                                    | Upgrade to BVMS 7.5
6.5          | 3.55.00XX                                    | Upgrade to BVMS 7.5
7.0          | 3.60.00XX                                    | Upgrade to BVMS 7.5
7.5          | 3.60.00XX                                    | 3.71.0032
7.5          | 3.70.0056                                    | 3.71.0032
8.0          | 3.70.0056                                    | 3.71.0032
9.0          | (Not vulnerable)                             | 3.81.0032


Solution

Software Updates

The recommended approach is to update the software of affected Bosch products to a fixed version. If an update is not possible in a timely manner, the ‘Firewalling’ mitigation described below can be applied in the meantime. A list of affected devices and fixed software versions is available in the “Affected Products” chapter of this document.

Mitigations and Workarounds

Firewalling (Network)

Devices should not be exposed directly to the internet or to other untrusted networks. Exposing a device through port-forwarding counts as direct exposure and does not protect it adequately. Restricting access to the device's web interface (HTTP/HTTPS) with a firewall removes the network reachability this vulnerability requires and significantly reduces the attack surface.

Vulnerability Details

Vulnerability Classification and Solution Approach

This vulnerability is classified as ‘Path Traversal’ and is located in the webserver. It is accordingly categorised as “CWE-28: Path Traversal: ‘..\filedir’”. The server fix adds input neutralization checks. The vulnerability has been present in the software since version 3.10; earlier versions are considered unaffected. It is fixed in version 3.80 and higher, with backported fixes in the maintenance releases listed in the “Affected Products” chapter (3.62.0019 and 3.71.0032).

The vulnerability can be used to traverse the file system remotely and access files or directories outside the directory the webserver is meant to serve. This would enable an attacker, for example, to read restricted files on the target system. The attack requires network access to the device's webserver (HTTP / HTTPS) and valid user credentials. An affected system should be secured by updating to a fixed version and changing its passwords, since files readable through the traversal may contain credentials.
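The following is an added example, not Bosch code and not the vendor's actual fix, showing the class of defect and the kind of input neutralization that closes it: a file-serving handler that appends the request path to its document root, beside a resolver that decodes, normalises and then checks that the resolved path stays under the root. The web root, the sample requests and the "neutralization" steps are all constructed for illustration.

```python
"""
Path traversal in a file-serving web handler: the naive join beside a
resolver that neutralizes '../' and '..\\' sequences (CWE-28 style input).
Added illustration, not Bosch code. Web root and request strings are constructed.
"""
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Constructed sample requests a client might send as GET /files/<name>.
SAMPLE_REQUESTS = [
    "css/site.css",                          # legitimate
    "css/../css/site.css",                   # legitimate, '..' stays inside root
    "../../etc/shadow",                      # classic '../' traversal
    "..\\..\\etc\\shadow",                   # CWE-28 '..\' form
    "%2e%2e%2f%2e%2e%2fetc%2fshadow",        # URL-encoded '../'
    "%252e%252e%252fetc%252fpasswd",         # double-encoded
    "/etc/shadow",                           # absolute path (stripped, stays inside root)
    "css/site.css%00.png",                   # NUL byte (truncates paths in C string APIs)
]


def naive_resolve(web_root: str, requested: str) -> str:
    """Vulnerable pattern: user input appended to the document root.
    The filesystem honours '..' components, so the result may be anywhere."""
    return os.path.join(web_root, requested)


def safe_resolve(web_root: str, requested: str):
    """Return the absolute path under web_root, or None if the request is rejected.
    Neutralization steps (assumed design, not the vendor's fix):
      1. percent-decode twice so encoded and double-encoded dots are visible
      2. reject NUL, which truncates paths in C string APIs
      3. treat backslashes as separators (CWE-28 '..\\filedir')
      4. drop leading separators so the request cannot be absolute
      5. normalise lexically; a result that still begins with '..' has escaped
      6. resolve symlinks and require the real path to sit under the real root
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")
    norm = posixpath.normpath(decoded)
    if norm == ".." or norm.startswith("../"):
        return None
    root_real = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root_real, norm))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def classify(web_root: str) -> dict:
    """Map each sample request to 'inside' (contained in root) or 'rejected'."""
    return {r: ("rejected" if safe_resolve(web_root, r) is None else "inside")
            for r in SAMPLE_REQUESTS}


def naive_escapes_root(web_root: str, requested: str) -> bool:
    """True when the naive join lands outside web_root after normalisation."""
    root = os.path.normpath(web_root)
    target = os.path.normpath(naive_resolve(web_root, requested))
    return os.path.commonpath([root, target]) != root


def symlink_escape_rejected() -> bool:
    """Step 6 in action: a symlink inside the web root pointing outside it.
    Lexical checks accept 'link/secret'; realpath exposes the escape."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        outside = os.path.join(tmp, "private")
        os.makedirs(root)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret"), "w") as fh:
            fh.write("constructed secret\n")
        os.symlink(outside, os.path.join(root, "link"))
        return safe_resolve(root, "link/secret") is None


if __name__ == "__main__":
    for req, verdict in classify("/srv/www").items():
        print(f"{verdict:8s} {req!r}  naive join escapes root: "
              f"{naive_escapes_root('/srv/www', req)}")
    print("symlink escape rejected:", symlink_escape_rejected())
```

Two points worth noting. Decoding before normalising matters: a check that looks for the literal string `..` before percent-decoding misses `%2e%2e`, and a single decode misses `%252e`. And the lexical check alone is not sufficient on a real filesystem, which is why the last step compares `realpath` results; on POSIX the backslash form only becomes a traversal once it is treated as a separator, so the example does that explicitly rather than relying on the platform's path library.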

Vulnerability classification has been performed using the CVSSv3 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] (pdf) Bosch BT Security Advisory
[2] Software updates: Bosch Download Area
[3] Bosch Building Technologies Security Advisory page
[4] (pdf) Hardening Guide
[5] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

03 Apr 2019: Initial Publication