Advisory Information
- Advisory ID: BOSCH-SA-710832-BT
- CVE Numbers and Scores: CVE-2019-11898, Base Score 9.9 (Critical)
- Published: 11 Sep 2019
- Last Updated: 11 Sep 2019
Summary
A recently discovered security vulnerability affects Access Professional Edition (APE) installations of version 3.7 and earlier.
The vulnerability enables unauthorized access to sensitive data of the APE system. Where a software update is not possible, reducing the system's network exposure is advised. Internet-accessible installations should be firewalled, and additional steps such as network isolation by VLAN, the IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable systems. In addition, the SMB service should be configured according to Microsoft's latest security recommendations.
The vulnerability was discovered and disclosed to Bosch in a coordinated manner by the external researcher, Oleksii Orekhov.
Affected Products
- Bosch Access Professional Edition <= 3.7 (CVE-2019-11898)
Solution and Mitigations
Software Update
The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, the mitigations described under Network Configuration (firewalling and IP filtering) can be applied. A fixed APE version is available on the Bosch Product Catalog [1].
Network Configuration
We advise reducing the network exposure of the system. Systems that are accessible via the internet should be firewalled. The SMB service in Microsoft Windows should be configured according to Microsoft's latest security recommendations [2].
Additional measures such as network isolation via VLAN, the IP filtering features of the devices and supplementary technologies are strongly advised.
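One way to audit and apply these mitigations on the Windows host running the APE server, as an added example that is not part of this advisory or of Bosch's tooling: it checks the SMB server settings against the hardening Microsoft recommends, applies them, and restricts inbound TCP/445 to an allowed client subnet. The subnet, the rule name and an elevated PowerShell session on Windows Server 2012 R2 or later are assumptions.

```powershell
# Added example, not from the Bosch advisory. Run in an elevated session on the APE server host.
# Placeholders constructed for this example: replace with the site's own management/client subnet.
$AllowedSmbClients = '10.0.0.0/24'
$RuleName = 'APE - restrict SMB (TCP 445) to allowed clients'

# 1. Audit the SMB server configuration against the hardening baseline.
$smb = Get-SmbServerConfiguration
$findings = @()
if ($smb.EnableSMB1Protocol)            { $findings += 'SMBv1 is enabled; disable it (no supported client needs it).' }
if (-not $smb.RequireSecuritySignature) { $findings += 'SMB signing is not required; require it to prevent tampering and relay.' }
if (-not $smb.EncryptData)              { $findings += 'SMB encryption is off; enable it so share traffic is not readable on the wire.' }
if (-not $smb.RejectUnencryptedAccess)  { $findings += 'Unencrypted clients are still accepted; reject them once encryption is enforced.' }

# The SMBv1 Windows feature can remain installed even when the protocol is disabled; check it too.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') { $findings += 'SMB1Protocol Windows feature is installed; remove it.' }

if ($findings.Count -eq 0) { Write-Host 'SMB server configuration matches the hardening baseline.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# 2. Apply the hardened settings (remove this step to run in audit-only mode).
#    Assumption: the APE clients in use can negotiate SMB 3.0, which encryption requires.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true `
    -EncryptData $true -RejectUnencryptedAccess $true -Force

# 3. Reduce network exposure: replace the built-in "allow from anywhere" SMB rule with one
#    scoped to the allowed subnet. Windows Firewall drops inbound traffic no rule allows.
Disable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $AllowedSmbClients -Action Allow -Profile Any | Out-Null
}
```

Run the audit part first and confirm the APE clients still connect before enforcing encryption, since RejectUnencryptedAccess turns away any client that cannot negotiate SMB 3.0.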
Vulnerability Details
CVE-2019-11898
The vulnerability can be used to achieve unauthorized access to sensitive data of the APE system. This could enable a potential attacker to gain unauthorized access to the site. A necessary prerequisite for this attack is access to the network of the APE server.
CVE description: Unauthorized APE administration privileges can be achieved by reverse engineering one of the APE service tools. The service tool is discontinued with APE 3.8.
- Problem Type:
- CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- CVSS 3.0 Base Score: 9.9 (Critical)
Remark
Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
[1] Software updates: Bosch Product Catalog - APE
[2] Microsoft: SMB security enhancements
[3] Bosch Building Technologies Security Advisory page
[4] (pdf) Secure Operation Concept
[5] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
11 Sep 2019: Initial Publication