Path Traversal in Bosch Video Management System
BOSCH-SA-381489-BT
Advisory Information
- Advisory ID: BOSCH-SA-381489-BT
- CVE Numbers and Scores: CVE-2020-6767, Base Score: 7.7 (High)
- Published: 29 Jan 2020
- Last Updated: 11 Feb 2020
Summary
A path traversal vulnerability exists in BVMS. An authenticated BVMS user can request and fetch arbitrary files from the Central Server machine through the FileTransferService. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 7.7 (High) and strongly recommends that customers update vulnerable components to the fixed software versions.
The vulnerability was discovered during internal product tests.
Affected Products
- Bosch BVMS Viewer <= 7.5
- Bosch BVMS Viewer <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch BVMS Viewer <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch BVMS Viewer <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch Video Management System <= 7.5
- Bosch Video Management System <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch Video Management System <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch Video Management System <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch DIVAR IP 3000 with configuration: ‘vulnerable BVMS version installed’
- Bosch DIVAR IP 7000 with configuration: ‘vulnerable BVMS version installed’
- Bosch DIVAR IP all-in-one 5000 with configuration: ‘vulnerable BVMS version installed’
Solution and Mitigations
Software Updates
The recommended approach is to patch the software of affected Bosch products (see [1]).
Firewalling (Network)
It is advised that the devices not be exposed directly to the internet or other insecure networks.
Vulnerability Details
CVE-2020-6767
Attacks can be performed over the network; no physical access is required. The attack complexity is low: a potential attacker does not need any specific knowledge or any specific controlled conditions within the target environment. Successful attacks can be performed after providing any BVMS user credentials to the target system and without end user interaction.
The vulnerable component is the BVMS service. The impacted component is the entire file system of the server operating system on which the BVMS server is running.
Successful attacks have critical confidentiality impacts.
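The defect class described above is a file-transfer handler that joins a user-supplied relative path onto a server directory without verifying that the result still lies inside that directory. The following is an added illustration, not BVMS or Bosch code: it shows the naive join next to a hardened resolver that normalises separators, rejects absolute paths, collapses `..` segments, resolves symlinks and then checks containment component-wise. The export directory layout, the file names and the function names are assumptions made for this example.

```python
import os
import tempfile
from typing import Dict, List, Optional

# Constructed illustration of a file-transfer handler that confines every
# requested path to an export directory. The directory layout and function
# names are assumptions for this example, not BVMS code.


def naive_resolve(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: join and normalise, but never check that the
    result still lies under base_dir, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Hardened variant: return the real path of `requested` if it stays
    inside base_dir after separator normalisation, '..' collapsing and
    symlink resolution; otherwise return None."""
    # Treat backslashes as separators so Windows-style traversal is handled
    # the same way on every platform, and refuse absolute paths and drive
    # letters before they can override the join.
    parts = requested.replace("\\", "/").split("/")
    if requested.startswith(("/", "\\")) or (len(parts[0]) == 2 and parts[0][1] == ":"):
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, *parts))
    # commonpath compares whole path components, so a sibling directory such
    # as "exports-private" is not mistaken for a child of "exports".
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a throwaway export directory containing a symlink that points
    outside it, and report per request whether the hardened resolver allows
    it. Also records whether the naive join escapes the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "exports")
        os.makedirs(os.path.join(base, "site1"))
        with open(os.path.join(base, "site1", "cam3.mp4"), "w") as f:
            f.write("video")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("config")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(base, "link"))

        requests: List[str] = [
            "site1/cam3.mp4",            # legitimate export
            "site1/../site1/cam3.mp4",   # '..' that stays inside
            "../secret.txt",             # classic traversal
            "..\\secret.txt",            # Windows-style traversal
            "/etc/hosts",                # absolute path
            "link",                      # symlink escaping via realpath
        ]
        results = {req: resolve_within(base, req) is not None for req in requests}
        results["naive_escapes"] = (
            naive_resolve(base, "../secret.txt") == os.path.join(tmp, "secret.txt")
        )
        return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request!r:30} -> {'allowed' if allowed else 'rejected'}")
```

Path containment is only one layer: because the advisory's vector has PR:L, any BVMS account could reach the service, so the handler should additionally check that the authenticated user is authorised for the specific export it asks for, and the service account should run with read access to the export directory only.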
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- Base Score: 7.7 (High)
Remark
Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] Appendix: Affected Products - Software, Hardware and Fixed Versions: https://psirt.bosch.com/security-advisories/BOSCH-SA-381489-BT.html#appendix
- [2] Bosch Building Technologies Security Advisory Page: https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html
- [3] BVMS Download Store: https://downloadstore.boschsecurity.com/index.php?type=BVMS
- [4] BVMS Viewer Download Store: https://downloadstore.boschsecurity.com/index.php?type=BVMSVWR
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
- 11 Feb 2020: Correct first listing of affected products after summary. DIVAR IP 3000 was missing.
- 29 Jan 2020: Initial Publication
Affected Hardware
| DIVAR IP versions | Affected versions | Name of the patch to fix the vulnerability |
|---|---|---|
| DIVAR IP 3000 | See BVMS | See BVMS |
| DIVAR IP 7000 | See BVMS | See BVMS |
| DIVAR IP all-in-one 5000 | See BVMS | See BVMS |
Affected Software
| BVMS versions | Affected versions | Name of the patch to fix the vulnerability |
|---|---|---|
| 10.0 | 10.0.0.1225 | BVMS10001225_Patch_SecurityIssue_211404_241463.zip |
| 9.0 | 9.0.0.827 | BVMS900827_Patch_SecurityIssue_211404_241463.zip |
| 8.0 | 8.0.0.329 | BVMS800329_Patch_SecurityIssue_211404_241463.zip |
| 7.5 and older | | Not provided (please upgrade BVMS to the latest version) |
| BVMS Viewer versions | Affected versions | Name of the patch to fix the vulnerability |
|---|---|---|
| 10.0 | 10.0.0.1225 | BVMS10001225_VWR_Patch_SecurityIssue_211404_241463.zip |
| 9.0 | 9.0.0.827 | BVMS900827_VWR_Patch_SecurityIssue_211404_241463.zip |
| 8.0 | 8.0.0.329 | BVMS800329_VWR_Patch_SecurityIssue_211404_241463.zip |
| 7.5 and older | | Not provided (please upgrade BVMS to the latest version) |