
Remote code execution vulnerability has been found over an insecure connection in the Praesensa Logging Application, Praesideo Logging Application and Praesideo PC Call Station

BOSCH-SA-106054-BT

Advisory Information

Summary

A remote code execution vulnerability has been found over an insecure connection in the Praesensa Logging Application, Praesideo Logging Application and Praesideo PC Call Station that allows unauthorized users to execute arbitrary code on the server machine. Exploitation can lead to unauthorized access to the target system, compromising the security and integrity of the application.

Affected Products

  • Bosch Praesensa Logging Application
    • CVE-2024-25104, CVE-2024-25105
      • Version(s): <= 1.91
  • Bosch Praesideo Logging Application
    • CVE-2024-25104, CVE-2024-25105
      • Version(s): <= 4.44
  • Bosch Praesideo PC Call Station
    • CVE-2024-25104, CVE-2024-25105
      • Version(s): <= 4.44

Solution and Mitigations

Solution: Software Update

Upgrade the software of the logging application and/or PC Call Station application to a non-vulnerable version. Refer to the appendix for installation information.

Mitigation 1: Limit usage to localhost only

Only when an upgrade of the software is not possible, run the logging application viewer and server on the same machine and close the communication port in the firewall to disable remote access. The same applies to the PC Call Station application client and server. The following ports are used by default by the server applications:

  • Praesensa logging server: port 19451

  • Praesideo logging server: port 9451

  • Praesideo PC Call station server: port 9452

Restricting the server to localhost and rejecting remote connections can also be achieved by editing the server application configuration file and replacing the line describing the channel configuration with:

<channel ref="tcp" port="<portnr>" rejectRemoteRequests="true" useIpAddress="true">

Here <portnr> is the currently configured port number. The configuration file is typically located here:

Praesensa logging server:

"C:\Program Files (x86)\Bosch\Praesensa Logging Server\Bosch.Praesensa.LoggingApplication.Server.exe.config"

Praesideo logging server (for version 4.43):

"C:\Program Files (x86)\Bosch\Praesideo V4.43.6145\Programs\Logging Server\Bosch.Praesideo.LoggingApplication.Server.exe.config"

Praesideo PC Call station server (for version 4.43):

"C:\Program Files (x86)\Bosch\Praesideo V4.43.6145\Programs\PCCstService\PCCstService.exe.config"
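The following PowerShell script is an added example, not part of the Bosch advisory or its software: it audits one of the server .exe.config files listed above for the localhost-only channel setting and checks whether Windows Firewall still allows inbound traffic on the configured port. It assumes the file contains a <channel ref="tcp" ...> element as shown in the advisory (the default path is the Praesensa one quoted above; the -Fix switch and the .bak backup name are this example's own additions).

```powershell
# Added example (not from the Bosch advisory): check/enforce the
# localhost-only remoting channel configuration from Mitigation 1.
# Assumes a standard .NET XML config with a <channel ref="tcp"> element.
param(
    [string]$ConfigPath = "C:\Program Files (x86)\Bosch\Praesensa Logging Server\Bosch.Praesensa.LoggingApplication.Server.exe.config",
    [switch]$Fix   # hypothetical switch: rewrite the attributes after taking a backup
)

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
# Locate the TCP remoting channel wherever it sits in the document.
$channel = $config.SelectNodes("//channel[@ref='tcp']") | Select-Object -First 1
if (-not $channel) { throw "No <channel ref='tcp'> element found in $ConfigPath" }

$port         = $channel.GetAttribute("port")
$rejectRemote = $channel.GetAttribute("rejectRemoteRequests")
$useIp        = $channel.GetAttribute("useIpAddress")
Write-Host "Port: $port  rejectRemoteRequests='$rejectRemote'  useIpAddress='$useIp'"

# Both attributes must be "true" for the server to reject remote requests.
$isLocalOnly = ($rejectRemote -eq "true") -and ($useIp -eq "true")
if ($isLocalOnly) {
    Write-Host "OK: channel is restricted to localhost."
} elseif ($Fix) {
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
    $channel.SetAttribute("rejectRemoteRequests", "true")
    $channel.SetAttribute("useIpAddress", "true")
    $config.Save($ConfigPath)
    Write-Host "Updated (backup at $ConfigPath.bak). Restart the server service to apply."
} else {
    Write-Warning "Channel on port $port still accepts remote connections; rerun with -Fix or edit the file as described in the advisory."
}

# Mitigation 1 also requires the port to be closed in the firewall: report any
# enabled inbound allow rule that still opens this TCP port.
$openRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq "TCP" -and $_.LocalPort -eq $port } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" }
if ($openRules) {
    Write-Warning ("Inbound allow rule(s) still open TCP/{0}: {1}" -f $port, ($openRules.DisplayName -join ", "))
} else {
    Write-Host "No enabled inbound allow rule found for TCP/$port."
}
```

Run it from an elevated prompt, since the config directory under Program Files and the firewall cmdlets require administrator rights.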

Mitigation 2: Isolate the system

Only when neither an upgrade of the software nor running server and client on the same machine is possible, make sure that the network is protected against unauthorized usage. We advise against using this as the sole mitigation.

Vulnerability Details

CVE-2024-25104

CVE description: Remote code execution that allows unauthorized users to execute arbitrary code on the server machine.

CVE-2024-25105

CVE description: Unencrypted service

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 15 May 2024: Initial Publication

Appendix

Material list

Name                                       CTN        SAP#
Praesensa System Controller Large          PRA-SCL    F.01U.325.042
Praesideo Software Installation software   PRS-SW     F.01U.127.024
Praesideo Software PC Call Server          PRS-SWCS   F.01U.127.025

Affected application installations

The following applications require an install:

  • Praesensa logging application version 2.00 or higher:

    • Praesensa Logging Application Server

    • Praesensa Logging Application Viewer

  • Praesideo logging application version 4.45 or higher:

    • Praesideo Open Interface Library

    • Praesideo Logging Application Server

    • Praesideo Logging Application Viewer

  • Praesideo PC Call Station application version 4.45 or higher:

    • PC Call Server

    • PC Call Server Configuration Client

    • PC Call Station Client

    • PC Telephone interface Client

An upgrade of the device firmware of the Praesensa and Praesideo devices is not needed. The updated Logging Application and Call Station Application are compatible with the majority of the currently installed firmware versions:

  • Praesensa:

    • Logging application: all versions <= 1.91

  • Praesideo:

    • Logging applications: all versions from version 3.05. Versions < 3.05 may need to upgrade the device firmware to a version >= 3.05

    • PC Call Station: all versions from 3.60. A 3.x license is sufficient for the 4.x PC Call Station upgrade. Praesideo versions < 3.60 need to be upgraded to a version >= 3.60.