Advisory Information

Summary

Recently discovered security vulnerabilities affect the ProSyst mBS SDK and Bosch IoT Gateway Software. They potentially allow to access sensitive information, write and delete data on the host system and forge HTTP GET request on behalf of the server via the network interface. Bosch rates these vulnerabilities with CVSSv3 base scores from 9.1 (Critical) to 5.3 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment. Customers are recommended to upgrade to the fixed versions.

As of August 19th, 2019, updated releases are available and offered to all customers via customer support or sales. Depending on the major version in use, a previous update has already fixed some of the vulnerabilities.

As of August 19th, 2019, there is currently no indication that exploitation code is either publicly known or utilized.

The vulnerabilities were discovered and disclosed to Bosch in a coordinated manner by the external researcher Philip Kazmeier.

Affected Products

  • ProSyst mBS SDK < 8.2.6
    • CVE-2019-11601
    • CVE-2019-11897
    • CVE-2019-11602
    • CVE-2019-11603
  • Bosch IoT Gateway Software < 9.0.2
    • CVE-2019-11603
  • Bosch IoT Gateway Software < 9.2.0
    • CVE-2019-11601
    • CVE-2019-11602
  • Bosch IoT Gateway Software < 9.3.0
    • CVE-2019-11897

Solution

Software Update

The recommended approach is to update ProSyst mBS SDK and/or Bosch IoT Gateway Software to a fixed version, that is, 8.2.6 and 9.3.0 respectively.

Mitigations and Workarounds

In cases where an update is not possible, the following mitigations and workarounds are recommended.

Disable backup and restore functionality

CVE-2019-11601, CVE-2019-11602, CVE-2019-11897 can be mitigated by disabling the remote backup and restore functionality.

Adapt mbs.http.pid configuration to effectively disable the corresponding functionality

CVE-2019-11603 can be mitigated by setting the values of the properties “rootdiralias” and “rootdirresource” to an empty string in the “mbs.http.pid” configuration. Then the vulnerability would not be reachable, since the related component would not be activated. The only side effect would be a warning log entry about the failure.

Firewalling

It is advised that devices running the ProSyst mBS SDK and Bosch IoT Gateway Software should not be exposed directly to the internet or other insecure networks. This includes port-forwarding, which would not protect the device adequately.

Vulnerability Details

CVE-2019-11601 (Backup/Restore)

A directory traversal vulnerability in remote access to backup & restore in earlier version than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.

CVE-2019-11897 (Backup/Restore)

A Server-Side Request Forgery (SSRF) vulnerability in the backup & restore functionality in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.3.0 allows a remote attacker to forge GET requests to arbitrary URLs. In addition, this could potentially allow an attacker to read sensitive zip files from the local server.

CVE-2019-11602 (Backup/Restore)

Leakage of stack traces in remote access to backup & restore in earlier version than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.

CVE-2019-11603 (Backup/Restore)

A HTTP Traversal Attack in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.0.2 allows remote attackers to read files outside the http root.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] Bosch IoT Gateway Software Release Notes
[2] ProSyst mBS SDK Release Notes
[3] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

16 Mar 2020: Remove environmental metrics, update advisory description for CVE-2019-11603 to include mBS SDK.
19 Aug 2019: Initial Publication