Summary

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

Bosch relies on a Microsoft Windows operating system for several products. Consequently, some devices are affected by this vulnerability. Depending on the product category, the following configurations are distinguished:

Category A: Directly affected devices, reachable by default over the network on the vulnerable RDP port 3389.

  • DIVAR IP 3000
  • DIVAR IP 6000
  • DIVAR IP 7000
  • DIVAR IP all-in-one 5000
  • HP Workstation
  • HP Server DL380

Category B: Devices shipped with RDP deactivated by default, which can be re-enabled by the customer.

  • DIVAR IP 2000
  • DIVAR IP 5000
  • UGM 2040 plus

Category C: Devices shipped with the RDP service disabled and with additional firewall rules.

  • VIDEOJET decoder 7000
  • VIDEOJET decoder 8000

Affected Products

  • Bosch DIVAR IP 2000 with configuration: RDP services explicitly re-enabled
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch DIVAR IP 3000
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch DIVAR IP 5000 with configuration: RDP services explicitly re-enabled
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch DIVAR IP 6000
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch DIVAR IP 7000
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch DIVAR IP all-in-one 5000
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch HP Server DL380
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch HP Workstation
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch UGM 2040 plus with configuration: RDP services explicitly re-enabled
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch VIDEOJET decoder 7000 is not affected
    • CVE-2019-1181
    • CVE-2019-1182
  • Bosch VIDEOJET decoder 8000 is not affected
    • CVE-2019-1181
    • CVE-2019-1182

Solution and Mitigations

Software and Firmware Update

It is recommended for any Bosch device to update its operating system and supported firmware to the latest patch level. For products of each category, an individual approach is advised:

  • Category A: Please log into the system with an administrative account (e.g. BVRAdmin) and install the CVE-2019-1181 / CVE-2019-1182 patch either manually from the Microsoft website or via the auto update feature of the operating system.
  • Category B: Please deactivate the device's debugging RDP service. Use the debugging feature only in a secure network environment. The necessary operating system patches will be included in the next firmware release.
  • Category C: The RDP service is not accessible in any configuration. No action or fix is required.

Disable Remote Desktop Services

If you no longer need Remote Desktop Services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
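The exposure checks and the disable step described above, as an added PowerShell example that is not part of the Bosch advisory. Run it elevated on the Windows-based device; the KB identifier is a placeholder to be taken from the Microsoft advisories for CVE-2019-1181 / CVE-2019-1182, and the firewall display-group name assumes an English-language Windows.

```powershell
# Added example (not from the Bosch advisory): audit, and optionally disable,
# Remote Desktop on a Windows-based DIVAR IP / workstation. Run elevated.
# KB id below is a placeholder (assumption): take the KB for your OS build
# from the Microsoft advisories for CVE-2019-1181 / CVE-2019-1182.
param(
    [switch]$Disable,                              # turn RDP off (Category B guidance)
    [string[]]$ExpectedKB = @('KB<PLACEHOLDER>')   # patch id(s) for this OS build
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# 1. RDP enabled at the OS level? fDenyTSConnections = 0 means connections are allowed.
Write-Host ("RDP enabled in registry : {0}" -f ($rdpDenied -eq 0))

# 2. Anything listening on TCP 3389, the port named in the advisory?
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
Write-Host ("Listener on TCP/3389    : {0}" -f ([bool]$listening))

# 3. Built-in "Remote Desktop" firewall rules open? (English display group name)
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$fwOpen  = @($fwRules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
Write-Host ("Firewall allows RDP     : {0}" -f $fwOpen)

# 4. Expected patch installed? (Category A guidance: patch via Windows Update)
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$missing   = @($ExpectedKB | Where-Object { $_ -notin $installed })
Write-Host ("Missing patches         : {0}" -f $(if ($missing) { $missing -join ', ' } else { 'none' }))

if ($rdpDenied -eq 0 -and $fwOpen -and $missing) {
    Write-Warning 'RDP is reachable and the patch is not installed: device is exposed.'
}

if ($Disable) {
    # Deny RDP connections, close the firewall rules and stop the service
    # ("Disable Remote Desktop Services" guidance for devices that do not need RDP).
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    if ($fwRules) { $fwRules | Disable-NetFirewallRule }
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name TermService -StartupType Disabled
    Write-Host 'Remote Desktop Services disabled.'
}
```

Run without switches to audit only; add `-Disable` on Category B devices (or any device that does not need RDP) to apply the change.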

Vulnerability Details

CVE-2019-1181

This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP. A prerequisite for a successful attack is network access to the RDP service on port 3389 on the targeted Windows operating system. Firewalled systems and systems with the latest security updates are not vulnerable.

CVE description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1182, CVE-2019-1222, CVE-2019-1226.

CVE-2019-1182

The same additional description as for CVE-2019-1181 applies.

CVE description: A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1181, CVE-2019-1222, CVE-2019-1226.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] (pdf) Bosch Building Technologies Security Information
[2] Microsoft Advisory for CVE-2019-1181
[3] Microsoft Advisory for CVE-2019-1182
[4] Microsoft Blog Post about CVE-2019-1181 and CVE-2019-1182
[5] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

03 Sep 2019: Initial Publication