Unrestricted SSH port forwarding in BVMS
BOSCH-SA-025794-BT
Advisory Information
- Advisory ID: BOSCH-SA-025794-BT
- CVE Numbers and CVSS v3.1 Scores:
- CVE-2023-28175
- Base Score: 7.1 (High)
- CVE-2023-28175
- Published: 24 May 2023
- Last Updated: 24 May 2023
Summary
The Bosch Video Management System is using SSH server that does not restrict a port forwarding requested by an authenticated SSH client. An authenticated SSH client can request a connection which is forwarded by the BVMS SSH server to a resource within the trusted internal network, which is normally protected from the WAN interface. The resource can be beyond the scope of the Bosch Video Management System.
Affected Products
- Bosch BVMS
- CVE-2023-28175
- Version(s): 7.5 - 11.1.1 (including)
- CVE-2023-28175
- Bosch BVMS Viewer
- CVE-2023-28175
- Version(s): 7.5 - 11.1.1 (including)
- CVE-2023-28175
- Bosch DIVAR IP 3000
- CVE-2023-28175
- Version(s): 7.5 - 8.0 (including)
- CVE-2023-28175
- Bosch DIVAR IP 7000 R1
- CVE-2023-28175
- Version(s): 7.5 - 8.0 (including)
- CVE-2023-28175
- Bosch DIVAR IP 7000 R2
- CVE-2023-28175
- Version(s): 7.5 - 11.1.1 (including)
- CVE-2023-28175
- Bosch DIVAR IP all-in-one 5000
- CVE-2023-28175
- Version(s): 9.0 - 11.1.1 (including)
- CVE-2023-28175
- Bosch DIVAR IP all-in-one 7000
- CVE-2023-28175
- Version(s): 9.0 - 11.1.1 (including)
- CVE-2023-28175
- Bosch DIVAR IP all-in-one 7000 R3
- CVE-2023-28175
- Version(s): 10.1.1 - 11.1.1 (including)
- CVE-2023-28175
- Bosch DIVAR IP all-in-one 4000
- CVE-2023-28175
- Version(s): 11.1.1
- CVE-2023-28175
- Bosch DIVAR IP all-in-one 6000
- CVE-2023-28175
- Version(s): 11.1.1
- CVE-2023-28175
Solution and Mitigations
Software Updates
The recommended approach is to update the software to a fixed version as soon as possible. Please check the Appendix for a list of updated versions for each affected product.
Secure Network Resources
It is advised to secure network infrastructure to prevent the BVMS SSH server from accessing resources that do not belong to the BVMS system. Network administrators should implement the following recommendations in conjunction with laws, regulations, and industry best practices:
-
Segment and segregate networks.
-
Harden BVMS SSH host by turning off unnecessary services.
-
Monitor the network and review logs.
-
Validate hardware integrity.
Vulnerability Details
CVE-2023-28175
CVE description: Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
- Base Score: 7.1 (High)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] BVMS Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMS
- [2] BVMS Viewer Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMSVWR
- [3] BVMS Appliances (DIVAR IP) Download Area: https://downloadstore.boschsecurity.com/?type=DIPBVMS
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .
Revision History
- 24 May 2023: Initial Publication
Appendix
Fixes for the Affected Products
BVMS
| Affected versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip
|
|
11.1.0
|
Upgrade to 11.1.1 and apply patch
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
|
11.0
|
BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip
|
BVMS Viewer
| Affected versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
BVMS111165_VWR_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip
|
|
11.1.0
|
Upgrade to 11.1.1 and apply patch
BVMS111165_VWR_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
|
11.0
|
BVMS11001025_VWR_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip
|
Bosch DIVAR IP all-in-one 7000 R3
| Affected BVMS versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
DIP-73_Installer_for_BVMS11.1.1_MR1.zip or
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |
|
11.0
|
DIP-73_Installer_for_BVMS11.0_MR2.zip
|
Bosch DIVAR IP 7000 R2
| Affected BVMS versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip
|
|
11.0
|
BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip
|
Bosch DIVAR IP all-in-one 5000
| Affected BVMS versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip
|
|
11.0
|
BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip
|
Bosch DIVAR IP all-in-one 7000
| Affected BVMS versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip
|
|
11.0
|
BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip
|
DIVAR IP all-in-one 4000
| Affected BVMS versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip
in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |
DIVAR IP all-in-one 6000
| Affected BVMS versions | Version or patch that fixes the vulnerability |
|---|---|
|
11.1.1
|
BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip
in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |
Material Lists
BVMS
| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
|
BVMS Professional 11.1.1
|
MBV-BPRO
|
F.01U.393.647
|
License Professional base
|
|
BVMS Plus 11.1.1
|
MBV-BPLU
|
F.01U.393.650
|
License Plus base
|
|
BVMS Plus 11.1.1 DIP
|
MBV-BPLU-DIP
|
F.01U.374.503
|
License Plus base for DIVAR IP
|
|
BVMS Viewer 11.1.1
|
MBV-BVWR
|
F.01U.393.649
|
License Viewer base
|
|
BVMS Lite 11.1.1
|
MBV-BLIT
|
F.01U.393.648
|
License Lite base
|
|
BVMS Lite 11.1.1 DIP
|
MBV-BLIT-DIP
|
F.01U.358.975
|
License Lite base for DIVAR IP
|
|
BVMS Professional 11.1
|
MBV-BPRO
|
F.01U.393.647
|
License Professional base
|
|
BVMS Plus 11.1
|
MBV-BPLU
|
F.01U.393.650
|
License Plus base
|
|
BVMS Plus 11.1 DIP
|
MBV-BPLU-DIP
|
F.01U.374.503
|
License Plus base for DIVAR IP
|
|
BVMS Viewer 11.1
|
MBV-BVWR
|
F.01U.393.649
|
License Viewer base
|
|
BVMS Lite 11.1
|
MBV-BLIT
|
F.01U.393.648
|
License Lite base
|
|
BVMS Lite 11.1 DIP
|
MBV-BLIT-DIP
|
F.01U.358.975
|
License Lite base for DIVAR IP
|
|
BVMS Professional 11.0
|
MBV-BPRO
|
F.01U.393.647
|
License Professional base
|
|
BVMS Plus 11.0
|
MBV-BPLU
|
F.01U.393.650
|
License Plus base
|
|
BVMS Plus 11.0 DIP
|
MBV-BPLU-DIP
|
F.01U.374.503
|
License Plus base for DIVAR IP
|
|
BVMS Viewer 11.0
|
MBV-BVWR
|
F.01U.393.649
|
License Viewer base
|
|
BVMS Lite 11.0
|
MBV-BLIT
|
F.01U.393.648
|
License Lite base
|
|
BVMS Lite 11.0 DIP
|
MBV-BLIT-DIP
|
F.01U.358.975
|
License Lite base for DIVAR IP
|
Bosch DIVAR IP 7000 R2
| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
|
DIVAR IP 7000 R2
|
DIP-7180-00N
|
F.01U.314.520
|
DIVAR IP 7000 2U w/o HDD
|
|
DIVAR IP 7000 R2
|
DIP-7183-4HD
|
F.01U.314.521
|
DIVAR IP 7000 2U 4x3TB
|
|
DIVAR IP 7000 R2
|
DIP-7183-8HD
|
F.01U.314.522
|
DIVAR IP 7000 2U 8x3TB
|
|
DIVAR IP 7000 R2
|
DIP-7184-4HD
|
F.01U.314.523
|
DIVAR IP 7000 2U 4x4TB
|
|
DIVAR IP 7000 R2
|
DIP-7184-8HD
|
F.01U.314.524
|
DIVAR IP 7000 2U 8x4TB
|
|
DIVAR IP 7000 R2
|
DIP-71F0-00N
|
F.01U.314.525
|
DIVAR IP 7000 3U w/o HDD
|
|
DIVAR IP 7000 R2
|
DIP-71F3-16HD
|
F.01U.314.526
|
DIVAR IP 7000 3U 16x3TB
|
|
DIVAR IP 7000 R2
|
DIP-71F4-16HD
|
F.01U.314.527
|
DIVAR IP 7000 3U 16x4TB
|
|
DIVAR IP 7000 R2
|
DIP-7186-8HD
|
F.01U.329.143
|
DIVAR IP 7000 2U 8x6TB
|
|
DIVAR IP 7000 R2
|
DIP-7188-8HD
|
F.01U.329.144
|
DIVAR IP 7000 2U 8x8TB
|
|
DIVAR IP 7000 R2
|
DIP-71F6-16HD
|
F.01U.329.145
|
DIVAR IP 7000 3U 16x6TB
|
|
DIVAR IP 7000 R2
|
DIP-71F8-16HD
|
F.01U.329.146
|
DIVAR IP 7000 3U 16x8TB
|
|
DIVAR IP 7000 R2
|
DIP-7184-8HD-WAG
|
F.01U.343.277
|
DIVAR IP 7000 2U 8x4TB, WAG Kit
|
Bosch DIVAR IP all-in-one 5000
| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
|
DIVAR IP all-in-one 5000
|
DIP-5240IG-00N
|
F.01U.361.821
|
Management Appliance w/o HDD
|
|
DIVAR IP all-in-one 5000
|
DIP-5244IG-4HD
|
F.01U.362.424
|
Management Appliance 4x4TB
|
|
DIVAR IP all-in-one 5000
|
DIP-5248IG-4HD
|
F.01U.362.423
|
Management Appliance 4x8TB
|
|
DIVAR IP all-in-one 5000
|
DIP-524CIG-4HD
|
F.01U.362.422
|
Management Appliance 4x12TB
|
|
DIVAR IP all-in-one 5000
|
DIP-5240GP-00N
|
F.01U.359.551
|
Management Appliance GPU wo HD
|
|
DIVAR IP all-in-one 5000
|
DIP-5244GP-4HD
|
F.01U.359.552
|
Management Appliance GPU 4x4TB
|
|
DIVAR IP all-in-one 5000
|
DIP-5248GP-4HD
|
F.01U.359.553
|
Management Appliance GPU 4x8TB
|
|
DIVAR IP all-in-one 5000
|
DIP-524CGP-4HD
|
F.01U.359.554
|
Management Appliance GPU 4x12TB
|
Bosch DIVAR IP all-in-one 7000
| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
|
DIVAR IP all-in-one 7000
|
DIP-7280-00N
|
F.01U.362.591
|
2U Management Appliance w/o HD
|
|
DIVAR IP all-in-one 7000
|
DIP-7284-8HD
|
F.01U.362.592
|
2U Management Appliance 8x4TB
|
|
DIVAR IP all-in-one 7000
|
DIP-7288-8HD
|
F.01U.362.593
|
2U Management Appliance 8x8TB
|
|
DIVAR IP all-in-one 7000
|
DIP-728C-8HD
|
F.01U.362.594
|
2U Management Appliance 8x12TB
|
|
DIVAR IP all-in-one 7000
|
DIP-72G0-00N
|
F.01U.362.595
|
3U Management Appliance wo HDD
|
|
DIVAR IP all-in-one 7000
|
DIP-72G8-16HD
|
F.01U.362.596
|
3U Management Appliance 16x8TB
|
|
DIVAR IP all-in-one 7000
|
DIP-72GC-16HD
|
F.01U.362.597
|
3U Management Appliance 16x12T
|
DIVAR IP all-in-one 7000 R3
| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
|
DIVAR IP all-in-one 7000
|
DIP-7380-00N
|
F.01U.385.539
|
Management appliance 2U without HD
|
|
DIVAR IP all-in-one 7000
|
DIP-7384-8HD
|
F.01U.385.540
|
Management appliance 2U 8X4TB
|
|
DIVAR IP all-in-one 7000
|
DIP-7388-8HD
|
F.01U.385.541
|
Management appliance 2U 8X8 TB
|
|
DIVAR IP all-in-one 7000
|
DIP-738C-8HD
|
F.01U.385.542
|
Management appliance 2U 8X12 TB
|
|
DIVAR IP all-in-one 7000
|
DIP-73G0-00N
|
F.01U.385.543
|
Management appliance 3U without HD
|
|
DIVAR IP all-in-one 7000
|
DIP-73G8-16HD
|
F.01U.385.544
|
Management appliance 3U 16X8TB
|
|
DIVAR IP all-in-one 7000
|
DIP-73GC-16HD
|
F.01U.385.545
|
Management appliance 3U 16X12 TB
|
DIVAR IP all-in-one 4000
| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
|
DIVAR IP all-in-one 4000
|
DIP-4420IG-00N
|
F.01U.404.040
|
Management appliance w/o HDD
|
|
DIVAR IP all-in-one 4000
|
DIP-4424IG-2HD
|
F.01U.404.041
|
Management appliance 2x4TB
|
|
DIVAR IP all-in-one 4000
|
DIP-4428IG-2HD
|
F.01U.404.042
|
Management appliance 2x8TB
|
|
DIVAR IP all-in-one 4000
|
DIP-442IIG-2HD
|
F.01U.404.043
|
Management appliance 2x18TB
|
DIVAR IP all-in-one 6000
| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
|
DIVAR IP all-in-one 6000
|
DIP-6440IG-00N
|
F.01U.404.045
|
Management appliance 1U w/o HDD
|
|
DIVAR IP all-in-one 6000
|
DIP-6444IG-4HD
|
F.01U.404.046
|
Management appliance 1U 4x4TB
|
|
DIVAR IP all-in-one 6000
|
DIP-6448IG-4HD
|
F.01U.404.047
|
Management appliance 1U 4x8TB
|
|
DIVAR IP all-in-one 6000
|
DIP-644IIG-4HD
|
F.01U.404.048
|
Management appliance 1U 4x18TB
|