Advisory Information

Summary

Recently discovered security vulnerabilities affect the Bosch Smart Home Controller (SHC, “the device”). They potentially allow to obtain elevated privileges, read and write data and perform a denial of service on the device via the network interface. Bosch Smart Home rates these vulnerabilities with CVSSv3 environmental scores from 3.0 (Low) to 7.6 (High), where the actual rating depends on the individual vulnerability, and recommends customers to install updated firmware versions on all devices.

As of May 22nd, 2019, an updated firmware file is available and offered to all customers via the existing update mechanism. A previously available update already covered all vulnerabilities in this advisory except CVE-2019-11896.

As of May 29th, 2019, there is currently no indication that exploitation code is either publicly known or utilized.

The vulnerabilities were discovered and disclosed to Bosch in a coordinated manner by the external researcher Philip Kazmeier.

Affected Products

  • Bosch Smart Home Controller < 9.8.905 for all listed vulnerabilities except CVE-2019-11896
  • Bosch Smart Home Controller < 9.8.907 for CVE-2019-11896

Solution

Firmware Update (Device)

The recommended approach is to update the firmware of all Bosch Smart Home Controllers to a fixed version, that is, 9.8.907 or higher. Version 9.8.905, available since April 17th, 2019, already covered all vulnerabilities in this advisory except CVE-2019-11896.

Mitigations and Workarounds

Firewalling (Network)

It is advised that the device should not be exposed directly to the internet or other insecure networks. This includes port-forwarding, which would not protect the device adequately.

Vulnerability Details

CVE-2019-11891 (App Pairing)

This vulnerability is classified as ‘CWE-266: Incorrect Privilege Assignment’, located in the app pairing mechanism. The fix ensures proper privilege assignment.

Impact: The vulnerability may result in elevated role privileges of the adversary’s choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack in order to press the button to trigger the pairing sequence. Furthermore, the pairing endpoint is only accessible from the local area network (LAN).

CVE-2019-11896 (App Pairing)

This vulnerability is classified as ‘CWE-266: Incorrect Privilege Assignment’, located in the 3rd party app pairing mechanism. The fix ensures proper access controls.

Impact: The vulnerability may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to obtain the credentials of a previously paired restricted app prior to the attack, which requires user interaction.

CVE-2019-11893 (App Pairing)

This vulnerability is classified as ‘CWE-266: Incorrect Privilege Assignment’, located in the app permission update mechanism. The fix ensures proper access controls.

Impact: The vulnerability may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to obtain the credentials of a previously paired restricted app prior to the attack, which requires user interaction.

CVE-2019-11892 (JSON-RPC)

This vulnerability is classified as ‘CWE-284: Improper Access Control’, located in the JSON-RPC interface. The fix ensures proper access controls.

Impact: The vulnerability may result in reading or modification of the SHC’s configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to obtain the credentials of a previously paired app prior to the attack, which requires user interaction.

CVE-2019-11895 (JSON-RPC)

This vulnerability is classified as ‘CWE-284: Improper Access Control’, located in configuration endpoint of the JSON-RPC interface. The fix ensures proper access controls.

Impact: The vulnerability may result in a denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to obtain the credentials of a previously paired app prior to the attack, which requires user interaction.

CVE-2019-11601 (Backup/Restore)

This vulnerability is classified as ‘CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)’, located in the backup/restore mechanism provided by the ProSyst mBS SDK. The fix disables the backup/restore mechanism.

Impact: The vulnerability may result in overwriting and/or deletion of files in the SHC’s file system with limited privileges. In order to exploit the vulnerability, the adversary needs to obtain the credentials of a previously paired app prior to the attack, which requires user interaction.

CVE-2019-11894 (Backup/Restore)

This vulnerability is classified as ‘CWE-284: Improper Access Control’, located in the download component of the backup/restore mechanism. The fix disables the backup/restore mechanism.

Impact: The vulnerability may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed, which requires user interaction.

CVE-2019-11897 (Backup/Restore)

This vulnerability is classified as ‘CWE-918: Server-Side Request Forgery (SSRF)’, located in the backup/restore mechanism provided by the ProSyst mBS SDK. The fix disables the backup/restore mechanism.

Impact: The vulnerability may result in obtaining data from SHC-internal servers via a HTTP GET request. In order to exploit the vulnerability, the adversary needs to obtain the credentials of a previously paired app prior to the attack, which requires user interaction.

CVE-2019-11602 (Backup/Restore)

This vulnerability is classified as ‘CWE-209: Information Exposure Through an Error Message’, located in the backup/restore mechanism provided by the ProSyst mBS SDK. The fix disables the backup/restore mechanism.

Impact: The vulnerability may result in leakage of stack traces caused by exceptions during backup or restore and may therefore be used to obtain internal information that might be beneficial during the execution of unrelated attacks. In order to exploit the vulnerability, the adversary needs to obtain the credentials of a previously paired app prior to the attack, which requires user interaction.

CVE-2019-11603 (Backup/Restore)

This vulnerability has no impact on the SHC and given here for completeness with respect to the originally reported vulnerabilities only.

This vulnerability is classified as ‘CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)’, located in a library function of the backup/restore mechanism provided by the ProSyst mBS SDK.

Impact: The vulnerability has no impact at all as the library function at hand is not used in the SHC.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

29 May 2019: Initial Publication