Advisory Information

Summary

A recently discovered security vulnerability affects several Bosch IP cameras. It potentially allows the unauthorized execution of code on the device via the network interface. Bosch rates this vulnerability at 9.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H, Critical) and recommends that customers upgrade affected devices to the updated firmware versions.

As of 2018-12-11, updated firmware files are published on the Bosch Download Store. As of 2018-12-12, there is no indication that exploit code is publicly known or in use.

If a firmware update is not possible in a timely manner, a reduction in the devices’ network exposure is advised. Internet-accessible Bosch IP cameras should be firewalled, whilst additional steps like network isolation by VLAN, IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable devices.

Affected Products

Common Product Platform 7.3 (CPP7.3) Fixed FW Version: 6.51.0028, 6.50.0133, 6.44.0027

  • AUTODOME IP 4000i
  • AUTODOME IP 5000i
  • AUTODOME IP starlight 5000i (IR)
  • AUTODOME IP starlight 7000i
  • DINION IP bullet 4000i
  • DINION IP bullet 5000i
  • DINION IP bullet 6000i
  • FLEXIDOME IP 4000i
  • FLEXIDOME IP 5000i
  • MIC IP starlight 7000i
  • MIC IP fusion 9000i

Common Product Platform 7 (CPP7) Fixed FW Version: 6.51.0028, 6.50.0133, 6.44.0027

  • DINION IP starlight 6000
  • DINION IP starlight 7000
  • FLEXIDOME IP starlight 6000
  • FLEXIDOME IP starlight 7000
  • DINION IP thermal 8000

Common Product Platform 6 (CPP6) Fixed FW Version: 6.51.0028, 6.50.0133, 6.44.0027

  • DINION IP starlight 8000 12MP
  • DINION IP ultra 8000 12MP
  • DINION IP ultra 8000 12MP with C/CS mount telephoto lens
  • FLEXIDOME IP panoramic 7000 12MP 180
  • FLEXIDOME IP panoramic 7000 12MP 360
  • FLEXIDOME IP panoramic 7000 12MP 180 IVA
  • FLEXIDOME IP panoramic 7000 12MP 360 IVA
  • AVIOTEC IP starlight 8000
  • FLEXIDOME IP panoramic 6000 12MP 180
  • FLEXIDOME IP panoramic 6000 12MP 360
  • FLEXIDOME IP panoramic 6000 12MP 180 IVA
  • FLEXIDOME IP panoramic 6000 12MP 360 IVA

Common Product Platform 4 (CPP4) Fixed FW Version: 6.51.0028, 6.50.0133, 6.44.0027

  • AUTODOME IP 4000 HD
  • AUTODOME IP 5000 HD
  • AUTODOME IP 5000 IR
  • AUTODOME IP 7000 series
  • DINION HD 1080p
  • DINION HD 1080p HDR
  • DINION HD 720p
  • DINION imager 9000 HD
  • DINION IP bullet 4000
  • DINION IP bullet 5000
  • DINION IP 4000 HD
  • DINION IP 5000 HD
  • DINION IP 5000 MP
  • DINION IP starlight 7000 HD
  • EXTEGRA IP dynamic 9000
  • EXTEGRA IP starlight 9000
  • FLEXIDOME corner 9000 MP
  • FLEXIDOME HD 1080p
  • FLEXIDOME HD 1080p HDR
  • FLEXIDOME HD 720p
  • Vandal-proof FLEXIDOME HD 1080p
  • Vandal-proof FLEXIDOME HD 1080p HDR
  • Vandal-proof FLEXIDOME HD 720p
  • FLEXIDOME IP panoramic 5000
  • FLEXIDOME IP indoor 5000 HD
  • FLEXIDOME IP indoor 5000 MP
  • FLEXIDOME IP indoor 4000 HD
  • FLEXIDOME IP indoor 4000 IR
  • FLEXIDOME IP outdoor 4000 HD
  • FLEXIDOME IP outdoor 4000 IR
  • FLEXIDOME IP micro 5000 HD
  • FLEXIDOME IP micro 5000 MP
  • FLEXIDOME IP outdoor 5000 HD
  • FLEXIDOME IP outdoor 5000 MP
  • FLEXIDOME IP micro 2000 HD
  • FLEXIDOME IP micro 2000 IP
  • IP bullet 4000 HD
  • IP bullet 5000 HD
  • IP micro 2000
  • IP micro 2000 HD
  • MIC IP dynamic 7000
  • MIC IP starlight 7000
  • TINYON IP 2000 family

Common Product Platform 4 (CPP4) Exclusive Versions Fixed FW Version: 6.32.0124

  • EXTEGRA IP dynamic 9000
  • EXTEGRA IP starlight 9000

Solution

Firmware Updates (Device)

The recommended approach is to update the firmware of affected Bosch IP cameras to a fixed version. If an update is not possible in a timely manner, the mitigation approaches Certificate Based Authentication, Firewalling, and IP Filtering can be utilized. A list of affected devices and fixed firmware versions is available in the section “Affected Products” of this document.

For the Bosch Video Management System (BVMS) the following fixed firmware versions are suggested:

BVMS   CPP7.3      CPP7        CPP6        CPP4
7.0    6.44.0027   6.44.0027   6.44.0027   6.44.0027
7.5
8.0
9.0    6.51.0028   6.51.0028   6.51.0028   6.51.0028
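
The following is an added example, not Bosch code: a sketch that triages a camera inventory against the fixed firmware versions listed under "Affected Products". It assumes that builds within one major.minor branch are ordered and that a build at or above the listed fixed build contains the fix; the inventory entries and status names are constructed for illustration.

```python
import re

# From the advisory: vulnerable since 6.32, earlier firmware is unaffected.
AFFECTED_SINCE = (6, 32)
# Fixed builds from "Affected Products", keyed by (major, minor) branch.
FIXED = {(6, 44): 27, (6, 50): 133, (6, 51): 28}
# 6.32.0124 is listed only for the CPP4 "Exclusive Versions" (EXTEGRA IP 9000).
EXCLUSIVE_FIXED = {(6, 32): 124}


def parse_version(text):
    """Split 'major.minor.build' into ((major, minor), build)."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, build = (int(part) for part in match.groups())
    return (major, minor), build


def triage(version, exclusive=False):
    """Classify one firmware version against the advisory's version data."""
    branch, build = parse_version(version)
    if branch < AFFECTED_SINCE:
        return "unaffected"
    fixed = {**FIXED, **(EXCLUSIVE_FIXED if exclusive else {})}
    if branch in fixed:
        return "fixed" if build >= fixed[branch] else "update-required"
    if branch > max(fixed):
        return "not-listed"  # newer than anything the advisory covers
    return "update-required"  # affected branch with no listed fixed build


# Constructed sample inventory: (name, firmware version, exclusive CPP4 build?)
INVENTORY = [
    ("cam-lobby", "6.30.0012", False),
    ("cam-dock", "6.43.0020", False),
    ("cam-gate", "6.50.0133", False),
    ("cam-tunnel", "6.32.0111", True),
    ("cam-roof", "6.51.0026", False),
]


def needs_update(inventory):
    """Names of devices that are not at a fixed build listed for them."""
    return [name for name, version, exclusive in inventory
            if triage(version, exclusive) == "update-required"]


if __name__ == "__main__":
    print(needs_update(INVENTORY))
```

Devices reported as "not-listed" run firmware newer than the advisory covers and need a check against the vendor's release notes.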


Certificate Based Authentication (Device)

Starting with Release 6.40.0240, the “unauthenticated” aspect of the vulnerability can be mitigated to “authenticated” by enabling certificate-based authentication, then executing additional hardening steps. After an initial certificate authentication setup, additional hardening is mandatory for secure operation: disable port 80, disable HSTS-redirect, and disable password authentication. This forces the webserver to demand a valid client certificate during the initial TLS handshake.

Firewalling (Network)

It is also advised that the devices should not be exposed directly to the Internet or other insecure networks. This includes port-forwarding, which would not protect devices adequately. Firewalling a device significantly reduces its attack surface.

IP Filtering (Device)

As an additional supporting measure in shared environments, a device’s internal IP filter can be activated. This allows the device to whitelist IPs and IP ranges. IPs not included in these ranges cannot connect, and therefore cannot exploit this vulnerability.

Vulnerability Details

This vulnerability is classified as a “buffer overflow”, located in the RCP+ parser of the webserver. It is accordingly ranked as “CWE-120: Buffer Copy without Checking Size of Input”. The parser fix adds further checks on the input and on the target buffers. The vulnerability has been present in the firmware since version 6.32. Prior firmware versions are considered unaffected.

The vulnerability can be used to remotely execute code on the device (RCE). This would enable a potential attacker, for example, to bypass access restrictions (e.g. username / password) or to reactivate disabled features (e.g. telnet). A necessary prerequisite for this attack is network access to the webserver (HTTP / HTTPS) of the device. Despite its critical rating, possible attacks are considered incapable of accessing private keys if they are stored on the device’s Trusted Platform Module (TPM). An affected camera can be restored to its original state by the factory reset button.

Vulnerability classification has been performed using the CVSSv3 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
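
The following is an added example, not part of the Bosch advisory: it recomputes the 9.4 base score from the published vector with the CVSS v3.0 formulas and shows how environmental metrics change the result. It handles scope-unchanged vectors only and leaves temporal metrics undefined; the `MAV:A` and `CR:H` modifiers are a constructed sample environment (camera reachable only from an adjacent network, high confidentiality requirement).

```python
import math

# CVSS v3.0 metric weights for scope unchanged, from the FIRST specification.
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "C": CIA, "I": CIA, "A": CIA,
}
REQUIREMENT = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR
ADVISORY_VECTOR = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"


def roundup(value):
    """Round up to one decimal using integers to avoid float artefacts."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def score(vector):
    """Environmental score; equals the base score if no M*/CR/IR/AR is set."""
    prefix, *parts = vector.split("/")
    metrics = dict(part.split(":") for part in parts)
    if (prefix != "CVSS:3.0" or metrics.get("S") != "U"
            or metrics.get("MS", "X") not in ("X", "U")):
        raise ValueError("this sketch handles CVSS:3.0, scope unchanged only")

    def weight(name):
        # A modified metric (MAV, MC, ...) overrides its base metric when set.
        modified = metrics.get("M" + name, "X")
        return WEIGHTS[name][metrics[name] if modified == "X" else modified]

    c, i, a = (weight(k) * REQUIREMENT[metrics.get(k + "R", "X")] for k in "CIA")
    impact = 6.42 * min(1 - (1 - c) * (1 - i) * (1 - a), 0.915)
    exploitability = 8.22 * weight("AV") * weight("AC") * weight("PR") * weight("UI")
    return 0.0 if impact <= 0 else roundup(min(impact + exploitability, 10))


def severity(value):
    """Qualitative rating for a CVSS v3 score."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if value >= floor:
            return label
    return "None"


if __name__ == "__main__":
    for suffix in ("", "/MAV:A", "/MAV:A/CR:H"):
        value = score(ADVISORY_VECTOR + suffix)
        print(suffix or "(base)", value, severity(value))
```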

Acknowledgement

The vulnerability was discovered and disclosed to Bosch in a coordinated manner by the external researcher, VDOO.

Additional Resources

  1. Firmware Updates
  2. (pdf) Hardening Guide
  3. (pdf) Bosch BT Security Advisory
  4. BVMS Compatibility Overview
  5. Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

12 Dec 2018: Initial Publication
14 Feb 2019: Fixed firmware version: 6.32.0124 added