Advisory Information
- Advisory ID: BOSCH-2019-0404-BT
- CVE Number: CVE-2019-6958
- Published: 03 Apr 2019
- Last Updated: 03 Apr 2019

CVSSv3 Scores:
- CWE-284: Improper Access Control
- CVSS 3.0 Base Score: 9.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS 3.0 Environmental Score in closed networks: 8.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A
Summary
A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The exact list of affected software versions is available in appendix A of the BT advisory [1].
The vulnerability allows an unauthenticated attacker to read and write data on the system by injecting RCP+ commands.
Where a software update is not possible, reduce the system's network exposure. Internet-accessible installations should be placed behind a firewall, and additional measures such as network isolation by VLAN, the IP filtering features of the devices and similar technologies should be used to further reduce the exposure of vulnerable systems. In addition, the host firewall must be enabled and configured according to the BVMS and BIS configuration manuals; see section "Firewall on host" under "Mitigations and Workarounds".
Affected Products
For a detailed list of affected products and fixed software versions, please see [1].

Bosch Video Management Systems (BVMS):
- BVMS 6.0
- BVMS 6.5
- BVMS 7.0
- BVMS 7.5
- BVMS 8.0
- BVMS 9.0

DIVAR IP products:
- DIP 2000 / 5000
- DIP 3000
- DIP 7000 Gen1
- DIP 7000 Gen2

Other software:
- Configuration Manager
- Video SDK (VSDK)
- Bosch Video Client (BVC)

Building Integration System (BIS):
- BIS 2.2 to 4.4
- BIS 4.5, 4.6 and 4.6.1

Access Professional Edition (APE):
- all versions < 3.0
- APE 3.0 to APE 3.7 (only affected if the third-party component VSDK is installed; see Control Panel\Programs\Programs and Features\Bosch VideoSDKxx.xx.xxxx)

Access Easy Controller (AEC):
- all versions < 2.1.8.5
- 2.1.8.5
- 2.1.9.0
- 2.1.9.1
- 2.1.9.3
Solution
Software Updates
The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, the mitigations described below (firewalling and IP filtering) can be used. A list of affected software versions is available in appendix A of the BT security advisory [1]. The patch and installation procedure for the latest BIS versions is available on the Bosch Download Area [2].
Mitigations and Workarounds
If the referenced software patches cannot be applied (e.g. for BVMS versions 7.0 and earlier, which must first be updated to a newer version), the following measures can mitigate the associated risk.
Firewalling (network)
The system should not be exposed directly to the internet or to other untrusted networks. Port forwarding from an internet-facing router to the system counts as direct exposure and does not protect it adequately. Placing a device behind a firewall significantly reduces its attack surface. Disable IP port forwards on the external / internet router for the following services: Video Recording Manager (VRM), Video Streaming Gateway (VSG) and Mobile Video Service (MVS). SSH can remain in use (SSH, Secure Shell, is a secure communication protocol providing encryption and mutual authentication).
Firewall on host
For BVMS, DIVAR IP, BIS, APE and AEC:
- Block port: 40080 TCP
Host firewalling should limit communication to known devices. In general, we recommend opening only the ports that are required. Configure BVMS according to the following guidelines (see the configuration manual for your version):
- https://resource.boschsecurity.com/documents/BVMS_9.0_Configuration_Manual_enUS_63356961291.pdf
- https://resource.boschsecurity.com/documents/BVMS_8.0_Configuration_Manual_enUS_35168523659.pdf
- https://resource.boschsecurity.com/documents/BoschVMS_Configuration_Manual_enUS_28154357131.pdf
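The "Block port: 40080 TCP" step and the advice to limit communication to known devices, as an added PowerShell example for a Windows host running BVMS, BIS, APE, AEC or DIVAR IP. This script is not part of the Bosch advisory or of any Bosch product; the port number is the one the advisory names, while the rule names, the rule group name and the device addresses are placeholders that must be replaced with the VRM, VSG and camera addresses of the actual installation.

```powershell
# Added example, not from the Bosch advisory: host-firewall mitigation for the
# advisory's "Block port: 40080 TCP" step on a Windows host running BVMS, BIS,
# APE, AEC or DIVAR IP. The port comes from the advisory; the rule names, the
# group name and the device addresses below are assumptions / placeholders.
#Requires -RunAsAdministrator

$Port      = 40080
$RuleGroup = 'CVE-2019-6958 mitigation'   # lets us find and remove these rules later

# Assumed: addresses of the devices that legitimately speak RCP+ to this host
# (e.g. VRM, VSG, cameras). Leave the list empty to block the port completely.
$KnownDevices = @('192.0.2.10', '192.0.2.11', '192.0.2.64/26')

function Get-RulesTouchingPort([int]$p) {
    # Port filters expose LocalPort as "40080", an array, or "Any"; a range such as
    # "40000-41000" would not be matched here and must be reviewed by hand.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$p" } |
        Get-NetFirewallRule
}

# 1. Disable every pre-existing inbound Allow rule for the port. In Windows Defender
#    Firewall a broad Allow rule added by an installer would otherwise keep the
#    port reachable from anywhere, regardless of the scoped rule we add below.
Get-RulesTouchingPort $Port |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Group -ne $RuleGroup } |
    ForEach-Object {
        Write-Host "Disabling broad rule '$($_.DisplayName)'"
        $_ | Disable-NetFirewallRule
    }

# 2. Make sure the firewall is on and drops unsolicited inbound traffic by default
#    on every profile (the scoped Allow rule below is then the only way in).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 3. Either re-open the port only for known devices, or block it outright.
if ($KnownDevices.Count -gt 0) {
    New-NetFirewallRule -DisplayName "Allow RCP+ TCP $Port from known devices" -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort $Port -RemoteAddress $KnownDevices `
        -Action Allow -Profile Any | Out-Null
} else {
    # An explicit Block rule wins over any Allow rule that may be added later.
    New-NetFirewallRule -DisplayName "Block RCP+ TCP $Port" -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort $Port -RemoteAddress Any `
        -Action Block -Profile Any | Out-Null
}

# 4. Verify the result: every rule that now references the port, with its scope.
Get-RulesTouchingPort $Port | ForEach-Object {
    $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Action = $_.Action; RemoteAddress = $scope }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host itself. Step 1 matters more than it looks: Windows Defender Firewall evaluates explicit Block rules before Allow rules, but an Allow rule with "Any" remote address that an installer created would still expose the port if it were left enabled beside the scoped Allow rule. Keep the other ports the BVMS configuration manual lists as required open; the script only touches rules for TCP 40080.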
Building Integration System (BIS) without Video Engine
BIS installations without Video Engine are not affected. If Video Engine (VSDK) was installed earlier and is no longer needed, e.g. because BVMS is used instead of Video Engine, uninstall VSDK from the BIS Client and delete the Video Engine folder from the BIS Server: C:\Mgts\ClientDeploy\Packages\Video_Engine
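Both the APE 3.0 to 3.7 entry above (affected only if VSDK is installed; check Programs and Features for "Bosch VideoSDKxx.xx.xxxx") and the BIS paragraph above (affected only with Video Engine) turn on the same question: is the VSDK component present on this host? The following PowerShell check is an added example and is not part of the Bosch advisory; it reads the uninstall registry keys that back "Programs and Features" and tests for the BIS Video Engine folder the advisory names. The function name and its parameter are assumptions for this example.

```powershell
# Added example, not from the Bosch advisory: report whether the vulnerable
# Bosch VideoSDK (VSDK) / Video Engine component is present on a Windows host.
# Function name and parameter are assumptions; the registry locations are the
# standard keys behind "Programs and Features", the folder is the one the
# advisory tells BIS administrators to delete.
function Get-BoschVsdkInstall {
    [CmdletBinding()]
    param(
        [string]$BisVideoEngineDir = 'C:\Mgts\ClientDeploy\Packages\Video_Engine'
    )

    # 32-bit and 64-bit uninstall hives; VSDK appears as "Bosch VideoSDKxx.xx.xxxx".
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Force an array so the "+=" below works even for zero or one hit.
    $found = @(
        Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Bosch VideoSDK*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source          = 'ProgramsAndFeatures'
                    Name            = $_.DisplayName
                    Version         = $_.DisplayVersion
                    Location        = $_.UninstallString
                }
            }
    )

    # BIS servers: the client deployment package for Video Engine.
    if (Test-Path -LiteralPath $BisVideoEngineDir) {
        $found += [pscustomobject]@{
            Source   = 'BisClientDeploy'
            Name     = 'Video_Engine package'
            Version  = $null
            Location = $BisVideoEngineDir
        }
    }
    return $found
}

$hits = Get-BoschVsdkInstall
if ($hits.Count -eq 0) {
    Write-Host "No Bosch VideoSDK / Video Engine found on $env:COMPUTERNAME. An APE 3.0 to 3.7 or BIS installation here is not affected by this issue."
} else {
    Write-Warning "VSDK / Video Engine present on $env:COMPUTERNAME; the host is in scope for CVE-2019-6958 until it is updated or the component is removed:"
    $hits | Format-Table -AutoSize
}
```

The check needs no elevation and can be pushed out with Invoke-Command to a list of BIS and APE servers. A hit in ProgramsAndFeatures is the VSDK the advisory refers to; a hit only in BisClientDeploy means the server still distributes Video Engine to BIS clients and the folder should be removed as described above. Note that APE versions below 3.0 are affected regardless of what this check reports.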
Vulnerability Details
The RCP+ network port accepts commands without authentication. The fix adds an authentication feature to the respective library. The issue is classified as "CWE-284: Improper Access Control."
- CWE-284: Improper Access Control
- CVSS 3.0 Base Score: 9.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS 3.0 Environmental Score in closed networks: 8.8, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A
For example, an attacker could use this vulnerability to read recorded video or to delete it.
Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer's environment and should be determined by the customer to obtain a final score.
Additional Resources
[1] Bosch BT Security Advisory (pdf)
[2] Software updates: Bosch Download Area
[3] Bosch Building Technologies Security Advisory page
[4] Hardening Guide (pdf)
[5] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com
Revision History
03 Apr 2019: Initial Publication