
Path Traversal in Bosch Video Management System

BOSCH-SA-381489-BT

Advisory Information

  • Advisory ID: BOSCH-SA-381489-BT
  • CVE Numbers and Scores: CVE-2020-6767, CVSS v3.1 Base Score 7.7 (High)
  • Published: 29 Jan 2020
  • Last Updated: 11 Feb 2020

Summary

A path traversal vulnerability exists in the Bosch Video Management System (BVMS). An authenticated BVMS user can request and fetch arbitrary files from the Central Server machine through the FileTransferService. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 7.7 (High) and strongly recommends that customers update vulnerable components to the fixed software versions.

The vulnerability was discovered during internal product tests.

Affected Products

  • Bosch BVMS Viewer <= 7.5
  • Bosch BVMS Viewer <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch BVMS Viewer <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch BVMS Viewer <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch Video Management System <= 7.5
  • Bosch Video Management System <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch Video Management System <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch Video Management System <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch DIVAR IP 3000 with configuration: ‘vulnerable BVMS version installed’
  • Bosch DIVAR IP 7000 with configuration: ‘vulnerable BVMS version installed’
  • Bosch DIVAR IP all-in-one 5000 with configuration: ‘vulnerable BVMS version installed’

Solution and Mitigations

Software Updates

The recommended approach is to patch the software of affected Bosch products (see [1]). The patch archive for each affected build is listed under Affected Software below; DIVAR IP appliances receive the fix through the BVMS patch for the BVMS version installed on them.

Firewalling (Network)

Affected devices should not be exposed directly to the internet or to other insecure networks. Firewalling only reduces exposure: because the attack needs nothing more than valid BVMS user credentials, any user who can reach the Central Server from the internal network can still exploit an unpatched system, so network restrictions complement the software update rather than replace it.

Vulnerability Details

CVE-2020-6767

Attacks can be performed over the network; no physical access is required. The attack complexity is low: a potential attacker does not need any specific knowledge or any specially controlled conditions within the target environment. Successful attacks can be performed with any valid BVMS user credentials and without end-user interaction.

The vulnerable component is the BVMS service (the FileTransferService of the Central Server). The impacted component is the entire file system of the server operating system on which the BVMS Central Server runs, so the impact reaches beyond the security scope of the vulnerable component.

Successful attacks have a critical confidentiality impact: any file readable by the account the BVMS service runs under can be retrieved by an authenticated user, while no integrity or availability impact is scored. This description corresponds to the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, which yields the stated Base Score of 7.7.
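The bug class behind this advisory, as an added illustration that is not Bosch's code (the FileTransferService implementation is not public and nothing below describes it): a file-download handler that joins a client-supplied name onto an export directory, beside the canonicalise-then-check containment test such a handler should perform. The export directory C:\BVMS\Export and the request names are constructed inputs. Windows path semantics are applied with Python's ntpath module so the example runs on any OS and never touches the real file system.

```python
"""Path traversal (CWE-22) in a file-download handler: vulnerable vs hardened.

Added example, not Bosch code. The BVMS FileTransferService internals are not
public; this only illustrates the bug class the advisory describes. Paths are
handled with ntpath so Windows semantics (drive letters, UNC names, backslashes)
apply whatever OS the example runs on, and nothing touches the real file system.
"""
import ntpath


class PathTraversalError(ValueError):
    """Raised when a client-supplied name would leave the export directory."""


def resolve_insecure(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: trust the client name and join it onto the root.

    ntpath.join drops base_dir entirely when `requested` is absolute or
    drive-qualified, and normpath collapses '..' segments, so the caller can
    name any file the service account is able to read.
    """
    return ntpath.normpath(ntpath.join(base_dir, requested))


def resolve_secure(base_dir: str, requested: str) -> str:
    """Hardened pattern: canonicalise, then prove containment in base_dir.

    Assumes `base_dir` is an absolute Windows path (hypothetical export
    directory) and that `requested` has already been URL-/protocol-decoded;
    checking before decoding is a classic bypass (e.g. '..%5c').
    """
    if not requested:
        raise PathTraversalError("empty file name")
    # Absolute, drive-relative (C:foo) and UNC (\\host\share) names are never
    # legitimate relative requests; refuse them before any joining happens.
    if ntpath.isabs(requested) or ntpath.splitdrive(requested)[0]:
        raise PathTraversalError(f"absolute or drive-qualified name: {requested!r}")
    # A colon can only introduce a drive or an NTFS alternate data stream
    # (name::$DATA); neither belongs in a relative export file name.
    if ":" in requested:
        raise PathTraversalError(f"colon in name: {requested!r}")

    candidate = ntpath.normpath(ntpath.join(base_dir, requested))
    base_cmp = ntpath.normcase(ntpath.normpath(base_dir))
    cand_cmp = ntpath.normcase(candidate)
    prefix = base_cmp if base_cmp.endswith("\\") else base_cmp + "\\"
    # Strict prefix match on the normalised forms: the result must lie
    # *inside* base_dir, never base_dir itself and never a sibling such as
    # C:\BVMS\Export2\ that merely shares the same leading characters.
    if not cand_cmp.startswith(prefix):
        raise PathTraversalError(f"{requested!r} escapes {base_dir!r}")
    # Production code must additionally resolve symlinks and junctions on the
    # real file system (os.path.realpath) before opening the file.
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """True if resolve_secure accepts the request, False if it rejects it."""
    try:
        resolve_secure(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a hypothetical export directory and the payload
    # shapes normally tried when testing for CWE-22 on Windows services.
    export_root = r"C:\BVMS\Export"
    for name in [r"cam01\clip.mp4",
                 r"..\..\Windows\win.ini",
                 "../../Windows/win.ini",
                 r"C:\Windows\System32\config\SAM",
                 r"\\attacker\share\x",
                 r"clip.mp4::$DATA",
                 r"..\Export2\x"]:
        print(f"{name!r:40} insecure -> {resolve_insecure(export_root, name)}")
        print(f"{'':40} secure   -> accepted={is_contained(export_root, name)}")
```

The insecure resolver returns C:\Windows\win.ini for the first two traversal names and hands back the absolute and UNC names untouched, which is exactly the behaviour the advisory describes. The hardened resolver rejects all of them and only accepts names whose normalised form starts with the export directory plus a separator.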

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to obtain a final score.

Additional Resources

Please contact the Bosch PSIRT at psirt@bosch.com if you have feedback, comments, or additional information about this vulnerability.

Revision History

  • 11 Feb 2020: Corrected the list of affected products after the summary; DIVAR IP 3000 was missing.
  • 29 Jan 2020: Initial Publication

Affected Hardware

DIVAR IP version           Affected versions   Name of the patch to fix the vulnerability
DIVAR IP 3000              See BVMS            See BVMS
DIVAR IP 7000              See BVMS            See BVMS
DIVAR IP all-in-one 5000   See BVMS            See BVMS

The DIVAR IP appliances are affected through the BVMS version installed on them; apply the matching BVMS patch from the Affected Software table.

Affected Software

BVMS version    Affected versions      Name of the patch to fix the vulnerability
10.0            10.0.0.1225            BVMS10001225_Patch_SecurityIssue_211404_241463.zip
9.0             9.0.0.827              BVMS900827_Patch_SecurityIssue_211404_241463.zip
8.0             8.0.0.329              BVMS800329_Patch_SecurityIssue_211404_241463.zip
7.5 and older   all releases <= 7.5    Not provided (please upgrade BVMS to the latest version)

BVMS Viewer version   Affected versions      Name of the patch to fix the vulnerability
10.0                  10.0.0.1225            BVMS10001225_VWR_Patch_SecurityIssue_211404_241463.zip
9.0                   9.0.0.827              BVMS900827_VWR_Patch_SecurityIssue_211404_241463.zip
8.0                   8.0.0.329              BVMS800329_VWR_Patch_SecurityIssue_211404_241463.zip
7.5 and older         all releases <= 7.5    Not provided (please upgrade BVMS Viewer to the latest version)

Each patch archive is built for the exact BVMS or BVMS Viewer build named in its file name (security issues 211404 and 241463); check the installed build number before applying it.