Advisory Information

• Advisory ID: BOSCH-2018-1203
• CVE Number: CVE-2018-20299
• Published: 18 Dec 2018
• Last Updated: 20 Dec 2018
• CVSSv3 Scores:
  • CWE-120 : Buffer Copy without Checking Size of Input
    • CVSS 3.0 Base Score: 9.4, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
    • CVSS 3.0 Environmental Score: 8.3, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H/MAV:A

Summary

A recently discovered security vulnerability affects both the Bosch Smart Home 360°[1] indoor as well as the Eyes outdoor cameras[2]. It potentially allows the unauthorized execution of code on the device via the network interface. Bosch Smart Home rates this vulnerability at an Enviromental score of 8.3 (High) and recommends customers to upgrade devices with updated firmware versions.

As of 2018-12-05, updated firmware files are available and offered to all customers via the existing update mechanism in the Bosch Smart Home camera app.

As of 2018-12-17, there is currently no indication that the exploitation code is either publicly known or utilized.

The CVSS 3.0 Environmental score represents a vulnerability score computed for a specific context. Since Bosch Smart Home Cameras are generally installed in a private LAN, this Advisory gives an additional Score aimed at that context.

Affected Products

• 360° Indoor Camera < 6.52.4
• Eyes Outdoor Camera < 6.52.4

Solution

The recommended approach is to update the firmware of all Bosch Smart Home cameras to a fixed version, that is, 6.52.4 or higher. Updated firmware files are available and offered to all customers via the existing update mechanism in the Bosch Smart Home camera app.

Mitigations and Workarounds

Firewalling (Network)

It is advised that the devices should not be exposed directly to the internet or other insecure networks. This includes port-forwarding, which would not protect devices adequately. Firewalling a device significantly reduces its attack surface.

Vulnerability Details

This vulnerability is classified as ‘buffer overflow’, located in the RCP+ parser of the webserver. It is accordingly ranked as “CWE-120: Buffer Copy without Checking Size of Input”. The parser fix utilizes additional input and target-buffers checks.

The vulnerability can be used to remotely execute code on the device (RCE). This would enable a potential attacker, for example, to bypass access restrictions (e.g. username / password) or to reactivate disabled features (e.g. telnet). A necessary prerequisite for this attack is the network access to the webserver (HTTP / HTTPS) of the device. Despite its high rating, possible attacks are considered incapable of accessing private keys if they are stored on the devices’ Trusted Platform Module (TPM). An affected camera can be restored to its original state by the factory reset button.

Acknowledgement

The vulnerability was discovered and disclosed to Bosch in a coordinated manner by the external researcher, VDOO.

Additional Resources

1. 360° Indoor Camera
2. Eyes Outdoor Camera
3. Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

18 Dec 2018: Initial Publication