• Advisory ID: BOSCH-SA-425803-BT
  • CVE Numbers and Scores:
  • Published: 12 Jun 2019
  • Last Updated: 12 Jun 2019

Summary

On May 14th 2019, information related to the Remote Desktop Services Remote Code Execution Vulnerability of Microsoft Windows operating system was published. The flaw affects the following operating systems used by Bosch Security and Safety systems products:

  • Windows 7 (32-bit/x64)
  • Windows Server 2008 (32-bit/x64/Itanium)
  • Windows Server 2008 R2 (32-bit/x64/Itanium)

Bosch relies on a Microsoft Windows operating system for several products. Consequently, some devices are affected by the corresponding vulnerability. Depending on the products category, different configurations may be distinguished.

Category A: Directly affected devices, by default reachable via network on the vulnerable RDP Port 3389.

  • DIVAR IP 3000
  • DIVAR IP 6000 (only with Windows Storage Server 2008 R2)
  • DIVAR IP 7000 (only with Windows Storage Server 2008 R2)
  • HP Workstation (only with Windows 7)
  • HP Server DL 380 (only with Windows Server 2008 R2)

Category B: Devices shipped by default with deactivated RDP, which can be re-enabled by the customer.

  • DIVAR IP 2000

Category C: Devices shipped with disabled RDP services and additional firewall rules.

  • VIDEOJET decoder 7000
  • VIDEOJET decoder 8000

Affected Products

  • Bosch DIVAR IP 2000 with configuration: RDP services explicitly re-enabled
    • CVE-2019-0708
  • Bosch DIVAR IP 3000
    • CVE-2019-0708
  • Bosch DIVAR IP 6000 on: Windows Storage Sever 2008 R2
    • CVE-2019-0708
  • Bosch DIVAR IP 7000 on: Windows Storage Sever 2008 R2
    • CVE-2019-0708
  • Bosch HP Server DL380 on: Windows Server 2008 R2
    • CVE-2019-0708
  • Bosch HP Workstation on: Windows 7
    • CVE-2019-0708
  • Bosch VIDEOJET decoder 7000 is not affected
    • CVE-2019-0708
  • Bosch VIDEOJET decoder 8000 is not affected
    • CVE-2019-0708

Solution and Mitigations

Software and Firmware Update

It is recommended for any Bosch device to update its operating system and supported firmware to the latest patch level. Microsoft provides for this vulnerability additional information on its homepage. For products of each category, an individual approach is advised:

  • Category A: Please log into the system with an administrative account (e.g. BVRAdmin) and install the CVE-2019-0708 patch either manually from the Microsoft website or via the auto update feature of the operating system.
  • Category B: Please deactivate the devices debugging RDP service. Use the debugging feature only in a secure network environment. The necessary operating system patches will be included in the next firmware release.
  • Category C: The RDP service is not accessible in any configuration. No action or fix is required.

Disable Remote Desktop Services

If you no longer need Remote Desktop Services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.

Vulnerability Details

CVE-2019-0708

A prerequisite for a successful attack is network access to the RDP service on port 3389 on the targeted Windows operating system. Firewalled and systems with the latest security updates are not vulnerable.

CVE description: A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] (pdf) Bosch Building Technologies Security Advisory
[2] Microsoft Advisory for CVE-2019-0708
[3] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

12 Jun 2019: Initial Publication