Advisory Information
- Advisory ID: BOSCH-2019-0403-BT
- CVE Number: CVE-2019-6957
- Published: 03 Apr 2019
- Last Updated: 03 Apr 2019
CVSSv3 Scores:
- CWE-120: Buffer Copy without Checking Size of Input
- CVSS 3.0 Base Score: 9.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS 3.0 Environmental Score in closed networks: 8.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A
Summary
A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The exact list of affected software versions is available in appendix A of the BT advisory [1].
The vulnerability potentially allows the unauthorized execution of code on the system via the network interface.
In cases where a software update is not possible, a reduction in the system’s network exposure is advised. Internet-accessible installations should be firewalled, and additional steps such as network isolation by VLAN, the IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable systems. In addition, the firewall on the hosts shall be activated and configured according to the BVMS and BIS configuration manuals. See section “Firewall on host” in “Mitigations and Workarounds”.
Affected Products
For a detailed list of affected products and fixed software versions, please see [1].
Bosch Video Management Systems (BVMS):
- BVMS 6.0
- BVMS 6.5
- BVMS 7.0
- BVMS 7.5
- BVMS 8.0
- BVMS 9.0
DIVAR IP products:
- DIP 2000 / 5000
- DIP 3000
- DIP 7000 Gen1
- DIP 7000 Gen2
Video Recording Manager (VRM) software:
- Video Recording Manager (VRM)
- Video Streaming Gateway (VSG)
Other software:
- Configuration Manager
- Video SDK (VSDK)
- Bosch Video Client (BVC)
Building Integration System (BIS):
- BIS 2.2 to 4.4
- BIS 4.5, 4.6 and 4.6.1
Access Professional Edition (APE):
- all versions < 3.0
- APE 3.0 to APE 3.7 (only affected if Third-Party component VSDK is installed; see Control Panel\Programs\Programs and Features\Bosch VideoSDKxx.xx.xxxx)
Access Easy Controller (AEC):
- all versions < 2.1.8.5
- 2.1.8.5
- 2.1.9.0
- 2.1.9.1
- 2.1.9.3
Solution
Software Updates
The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, the mitigation approaches firewalling and IP filtering can be used. A list of affected software versions is available in appendix A of the BT security advisory [1]. The patch and installation procedure for the latest BIS versions is available on the Bosch Download Area [2].
Mitigations and Workarounds
In case the referenced software patches cannot be applied before updating to the latest version, e.g. for BVMS versions 7.0 and earlier, the following measures could mitigate the associated risk.
Firewalling (network)
It is advised that the system should not be exposed directly to the internet or other insecure networks. This includes port forwarding, which does not protect systems adequately. Firewalling a device significantly reduces its attack surface. Disable IP port forwards on the external / internet router for the following services: Video Recording Manager (VRM), Video Streaming Gateway (VSG) and Mobile Video Service (MVS). SSH can still be used. (SSH: Secure Shell, a secure communication protocol enabling encryption and mutual authentication.)
Firewall on host
For BVMS, DIP, VRM, BIS, APE and AEC:
- Block port: 40080 TCP
For VSG:
- Block port ranges: 8080-8086 TCP and 8443-8450 TCP
Firewalling should be applied to limit the communication to known devices. In general we recommend opening required ports only. Configure BVMS according to the following guidelines (see the configuration manual):
- https://resource.boschsecurity.com/documents/BVMS_9.0_Configuration_Manual_enUS_63356961291.pdf
- https://resource.boschsecurity.com/documents/BVMS_8.0_Configuration_Manual_enUS_35168523659.pdf
- https://resource.boschsecurity.com/documents/BoschVMS_Configuration_Manual_enUS_28154357131.pdf
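As an added example, not taken from the advisory or from Bosch, the host-firewall blocks listed above expressed with the Windows Defender Firewall cmdlets on the affected Windows host; the rule names, the `$Role` parameter and the verification function are assumptions made for this example.

```powershell
# Added example: create the inbound TCP block rules named in the "Firewall on
# host" section with Windows Defender Firewall. Run in an elevated PowerShell.
# Rule names and the Role parameter are constructed for this example.
[CmdletBinding()]
param(
    # 'BVMS' covers BVMS, DIP, VRM, BIS, APE and AEC hosts; 'VSG' covers VSG hosts.
    [ValidateSet('BVMS', 'VSG')]
    [string]$Role = 'BVMS'
)

# Ports to block per host role, as listed in the advisory.
$blockedPorts = switch ($Role) {
    'BVMS' { @('40080') }
    'VSG'  { @('8080-8086', '8443-8450') }
}

foreach ($port in $blockedPorts) {
    $name = "CVE-2019-6957 block inbound TCP $port ($Role)"
    # Re-running the script replaces an existing rule of the same name.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
}

# Verification: list the rules created above together with their port filters,
# so an operator can confirm the block is active on every firewall profile.
function Get-Cve20196957BlockRules {
    Get-NetFirewallRule -DisplayName 'CVE-2019-6957 block inbound TCP *' |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Enabled   = $_.Enabled
                Action    = $_.Action
                Profile   = $_.Profile
                LocalPort = $filter.LocalPort
            }
        }
}

Get-Cve20196957BlockRules | Format-Table -AutoSize
```

The block rules only cover the ports named in the advisory; the wider "known devices only" restriction from the configuration manual still has to be applied on top of them.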
Building Integration System (BIS) without Video Engine
BIS installations without Video Engine are not affected. In case Video Engine (VSDK) was installed earlier and is not needed any more, e.g. because BVMS is used instead of Video Engine, uninstall VSDK from the BIS Client and delete the Video Engine folder from the BIS Server: C:\Mgts\ClientDeploy\Packages\Video_Engine
Vulnerability Details
This vulnerability is classified as a ‘buffer overflow’, located in the RCP+ parser of the webserver. It is accordingly ranked as “CWE-120: Buffer Copy without Checking Size of Input”. The parser fix adds checks on the input and on the target buffers.
- CWE-120: Buffer Copy without Checking Size of Input
- CVSS 3.0 Base Score: 9.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS 3.0 Environmental Score in closed networks: 8.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A
The vulnerability can be used to remotely execute code on the system (RCE). This would enable a potential attacker, for example, to shut down and start services or to access video data. The necessary prerequisite for this attack is network access to the webserver (HTTP / HTTPS) of the system.
Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
[1] Bosch BT Security Advisory (pdf)
[2] Software updates: Bosch Download Area
[3] Bosch Building Technologies Security Advisory page
[4] Hardening Guide (pdf)
[5] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
03 Apr 2019: Initial Publication