Bosch PSIRT

Multiple Vulnerabilities in Bosch Recording Station (BRS)

BOSCH-SA-363824-BT

Advisory Information

Summary

Several issues have been discovered affecting the Bosch Recording Station (BRS). The critical issues apply to BRS systems which are connected to an open network.

Bosch strongly recommends operating the BRS system in a closed network and preventing unauthorized direct access to the BRS server.

The product was announced end of life in 2016.

Affected Products

  • Bosch Recording Station

Solution and Mitigations

Restricted Physical Access

Physical access to the system hardware should be heavily restricted and locked away from the public.

Limited User Exposure

Use of the application itself should be limited to a trusted user environment, and the system logs need to be checked regularly.

Closed Network

Bosch strongly recommends operating the BRS in a closed network with very limited access to the system. The SMB and RDP services should be deactivated to mitigate the risk from vulnerabilities CVE-2017-0144 and CVE-2019-0708.
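The following script audits whether SMBv1 and Remote Desktop are deactivated on a Windows 7 based BRS appliance and, with -Remediate, applies the deactivation. It is an example added to this advisory, not a tool supplied by Bosch; it assumes an elevated PowerShell session on the appliance and follows Microsoft's documented Windows 7 procedure (registry value SMB1 under LanmanServer, the mrxsmb10 driver service, fDenyTSConnections, and the "remote desktop" firewall rule group). The variable and function names are the editor's own.

```powershell
# Audit (and optionally remediate) the SMBv1 and RDP exposure of a BRS appliance
# running Windows 7. Added example, not Bosch's own tooling. Assumes an elevated
# PowerShell on the appliance; registry paths and sc.exe/netsh syntax follow
# Microsoft's documented Windows 7 procedure for disabling SMBv1 and RDP.
param(
    [switch]$Remediate   # without this switch the script only reports
)

$smbServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$rdpKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Read a single registry value, returning $null when the value does not exist.
function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

# --- SMBv1 (attack surface of CVE-2017-0144) --------------------------------
# Server side: SMB1 = 0 under LanmanServer\Parameters disables the SMBv1 server.
$smb1ServerOff = ((Get-RegValue $smbServerKey 'SMB1') -eq 0)
# Client side: the mrxsmb10 driver service must be disabled (Start = 4).
$smb1ClientOff = ((Get-RegValue $smb1ClientKey 'Start') -eq 4)

# --- RDP (attack surface of CVE-2019-0708) ----------------------------------
# fDenyTSConnections = 1 refuses incoming Remote Desktop connections.
$rdpOff = ((Get-RegValue $rdpKey 'fDenyTSConnections') -eq 1)
# The Remote Desktop Services service itself should not be running.
$termSvc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$termSvcStopped = ($termSvc -eq $null) -or ($termSvc.Status -ne 'Running')

"SMBv1 server disabled : $smb1ServerOff"
"SMBv1 client disabled : $smb1ClientOff"
"RDP connections denied: $rdpOff"
"TermService stopped   : $termSvcStopped"

if (-not $Remediate) {
    if ($smb1ServerOff -and $smb1ClientOff -and $rdpOff -and $termSvcStopped) {
        'Result: SMB and RDP are deactivated as recommended by the advisory.'
    } else {
        'Result: NOT fully deactivated. Re-run with -Remediate (elevated) to apply.'
    }
    return
}

# Disable the SMBv1 server component.
if (-not $smb1ServerOff) {
    Set-ItemProperty -Path $smbServerKey -Name SMB1 -Type DWord -Value 0 -Force
}
# Disable the SMBv1 client: drop mrxsmb10 from the workstation dependencies
# and prevent the driver from starting (takes effect after a reboot).
if (-not $smb1ClientOff) {
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}
# Deny RDP connections, stop and disable the service, close the firewall group.
if (-not $rdpOff) {
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Type DWord -Value 1 -Force
}
if (-not $termSvcStopped) {
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service -Name TermService -StartupType Disabled
}
netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null

'Changes applied. Reboot the appliance for the SMBv1 driver change to take effect, then re-run the audit.'
```

Run the script once without arguments to record the current state, and again with -Remediate to apply the changes; the SMBv1 client change only takes effect after a reboot, so the audit should be repeated afterwards. Before remediating, confirm that no workflow on the site (for example exporting recordings to a network share or administering the appliance over Remote Desktop) depends on the services being disabled.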

Upgrade hardware

Customers who want to operate their appliance in an open network are strongly advised to upgrade their BRS to the DIVAR IP all-in-one 5000.

Vulnerability Details

CVE-2017-0144

The Bosch Recording Station is affected by the “EternalBlue” vulnerability because it runs on Windows 7.

CVE description: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

CVE-2019-0708

The Bosch Recording Station is affected by the “BlueKeep” vulnerability because it runs on Windows 7.

CVE description: A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

CVE-2020-6774

CVE description: Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.

Lack of Full Disk Encryption

The Bosch Recording Station does not support Full Disk Encryption. An attacker with physical access to the system could physically remove the system drive and read and modify contents of the file system.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to arrive at a final score.

Additional Resources

Please contact the Bosch PSIRT at psirt@bosch.com if you have feedback, comments, or additional information about this vulnerability.

Revision History

  • 27 May 2020: Initial Publication

Appendix

Material List: Bosch Recording Station

Family Name               CTN              SAP#            Material description
Bosch Recording Station   BRS-TOW-1100A    F.01U.246.997   BRS Tower 1TB
Bosch Recording Station   BRS-TOW-4100A    F.01U.246.998   BRS Tower 4TB
Bosch Recording Station   BRS-RAC1-4100A   F.01U.246.999   BRS 1U 19" Rack-mount 4TB
Bosch Recording Station   BRS-RAC2-8100A   F.01U.247.000   BRS 2U 19" Rack-mount 8TB
Bosch Recording Station   BRS-RAC2-8200A   F.01U.247.002   BRS 2U 19" Rack-mount 16TB