.NET Remote Code Execution Vulnerability in BVMS, BIS and AMS
BOSCH-SA-110112-BT
Advisory Information
- Advisory ID: BOSCH-SA-110112-BT
- CVE Numbers and CVSS v3.1 Scores:
  - CVE-2021-26701: Base Score 9.8 (Critical)
- Published: 24 May 2023
- Last Updated: 24 May 2023
Summary
The Bosch Video Management System (BVMS), the Bosch Access Management System (AMS), and the Bosch Building Integration System (BIS) use a vulnerable version of the Microsoft .NET package System.Text.Encodings.Web. System.Text.Encodings.Web is a NuGet package from Microsoft, and Microsoft has published an advisory describing a vulnerability in that package.
A remote code execution vulnerability exists in System.Text.Encodings.Web due to how text encoding is performed.
Affected Products
- Bosch AMS
  - CVE-2021-26701
  - Version(s): <= 5.0
- Bosch BIS
  - CVE-2021-26701
  - Version(s): <= 4.9.2
- Bosch BVMS
  - CVE-2021-26701
  - Version(s): > 11.0
  - Version(s): <= 11.1.1
- Bosch BVMS Viewer
  - CVE-2021-26701
  - Version(s): > 11.0
  - Version(s): <= 11.1.1
- Bosch DIVAR IP 7000 R2
  - CVE-2021-26701
  - Version(s): > 11.0
  - Version(s): <= 11.1.1
- Bosch DIVAR IP all-in-one 5000
  - CVE-2021-26701
  - Version(s): > 11.0
  - Version(s): <= 11.1.1
- Bosch DIVAR IP all-in-one 7000
  - CVE-2021-26701
  - Version(s): > 11.0
  - Version(s): <= 11.1.1
- Bosch DIVAR IP all-in-one 7000 R3
  - CVE-2021-26701
  - Version(s): > 11.0
  - Version(s): <= 11.1.1
- Bosch DIVAR IP all-in-one 4000
  - CVE-2021-26701
  - Version(s): 11.1.1
- Bosch DIVAR IP all-in-one 6000
  - CVE-2021-26701
  - Version(s): 11.1.1
Solution and Mitigations
Software Updates
The recommended approach is to update the software to a fixed version as soon as possible. Please check the Appendix for a list of updated versions for each affected product.
Mitigation
Bosch has not identified any mitigating factors for this vulnerability.
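Since the only remedy is the vendor update, an administrator will want to confirm which copies of the vulnerable package are actually present on a BVMS, AMS or BIS host before and after applying the patches listed in the Appendix. The following PowerShell inventory script is an added example, not part of this advisory or of any Bosch product; the install roots and the minimum fixed package version (which you take from the Microsoft/GitHub advisory referenced as [6]) are assumptions you supply.

```powershell
<#
Added example, not Bosch code: list every System.Text.Encodings.Web.dll under the
given install roots and flag copies whose package version is below the fixed
version you pass in. Roots and threshold are assumptions; take the threshold
from the advisory referenced as [6] for the package branch you run.
#>
param(
    # Assumed install roots; adjust to where BVMS, AMS or BIS is installed on this host.
    [string[]]$Root = @("${env:ProgramFiles}\Bosch", "${env:ProgramFiles(x86)}\Bosch"),
    # Minimum non-vulnerable NuGet package version, taken from advisory [6]; no default on purpose.
    [Parameter(Mandatory = $true)][version]$MinimumVersion
)

$results = foreach ($r in $Root) {
    if (-not (Test-Path -LiteralPath $r)) { continue }
    Get-ChildItem -LiteralPath $r -Recurse -Filter 'System.Text.Encodings.Web.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The advisory is keyed on the NuGet package version. The assembly version of this
        # package does NOT track it, so compare the ProductVersion string (package version,
        # optionally followed by "+commit" or a prerelease suffix) and keep the assembly
        # version only for reference.
        $pv = ($_.VersionInfo.ProductVersion -split '[+\-]')[0]
        $pkg = $null
        try { $pkg = [version]$pv } catch { }
        $asm = $null
        try { $asm = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version } catch { }
        [pscustomobject]@{
            Path            = $_.FullName
            PackageVersion  = $pkg
            FileVersion     = $_.VersionInfo.FileVersion
            AssemblyVersion = $asm
            BelowMinimum    = if ($pkg) { $pkg -lt $MinimumVersion } else { 'unknown' }
        }
    }
}

$results | Sort-Object BelowMinimum, Path | Format-Table -AutoSize
# Non-zero exit code so the check can run from a scheduled job or a compliance scan.
if ($results | Where-Object { $_.BelowMinimum -eq $true }) { exit 1 }
```

Rows reported as "unknown" have no parseable version resource and need a manual look; run the script again after installing the patch package to confirm no copy remains below the threshold.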
Vulnerability Details
CVE-2021-26701
CVE description: .NET Core Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-24112.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Base Score: 9.8 (Critical)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] BVMS Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMS
- [2] BVMS Viewer Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMSVWR
- [3] BVMS Appliances (DIVAR IP) Download Area: https://downloadstore.boschsecurity.com/?type=DIPBVMS
- [4] AMS Download Area: https://downloadstore.boschsecurity.com/?type=AMS
- [5] BIS Download Area: https://downloadstore.boschsecurity.com/?type=BIS
- [6] Security Advisory: https://github.com/advisories/GHSA-ghhp-997w-qr28
- [7] CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-26701
Please contact the Bosch PSIRT at psirt@bosch.com if you have feedback, comments, or additional information about this vulnerability.
Revision History
- 24 May 2023: Initial Publication
Appendix
Fixes for the Affected Products
BVMS
Affected versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | BVMS111165_Patch_SecurityIssue_399765,387477.zip |
11.1.0 | Upgrade to 11.1.1 and apply patch BVMS111165_Patch_SecurityIssue_399765,387477.zip |
11.0 | BVMS11001025_Patch_SecurityFlexi_399765,387477,349597,368355,374266.zip |
BVMS Viewer
Affected versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | BVMS111165_VWR_Patch_SecurityIssue_399765,387477.zip |
11.1.0 | Upgrade to 11.1.1 and apply patch BVMS111165_VWR_Patch_SecurityIssue_399765,387477.zip |
11.0 | BVMS11001025_VWR_Patch_SecurityFlexi_399765,387477,349597,368355,374266.zip |
Bosch DIVAR IP all-in-one 7000 R3
Affected BVMS versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | DIP-73_Installer_for_BVMS11.1.1_MR1.zip or BVMS111165_Patch_SecurityIssue_399765,387477 in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |
11.0 | DIP-73_Installer_for_BVMS11.0_MR2.zip |
Bosch DIVAR IP 7000 R2
Affected BVMS versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | BVMS111165_Patch_SecurityIssue_399765,387477.zip |
11.0 | BVMS11001025_Patch_SecurityFlexi_399765,387477,349597,368355,374266.zip |
Bosch DIVAR IP all-in-one 5000
Affected BVMS versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | BVMS111165_Patch_SecurityIssue_399765,387477.zip |
11.0 | BVMS11001025_Patch_SecurityFlexi_399765,387477,349597,368355,374266.zip |
Bosch DIVAR IP all-in-one 7000
Affected BVMS versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | BVMS111165_Patch_SecurityIssue_399765,387477.zip |
11.0 | BVMS11001025_Patch_SecurityFlexi_399765,387477,349597,368355,374266.zip |
DIVAR IP all-in-one 4000
Affected BVMS versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | BVMS111165_Patch_SecurityIssue_399765,387477 in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |
DIVAR IP all-in-one 6000
Affected BVMS versions | Version or patch that fixes the vulnerability |
---|---|
11.1.1 | BVMS111165_Patch_SecurityIssue_399765,387477 in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |
Access Management System (AMS)
Affected AMS versions | Version or patch that fixes the vulnerability |
---|---|
4.0 | AMS 5.0.1 (build version 5.1.7.0) |
5.0 | AMS 5.0.1 (build version 5.1.7.0) |
Building Integration System (BIS)
Affected BIS versions | Version or patch that fixes the vulnerability |
---|---|
4.9 | BIS 5.0 (build version 5.0.21100.0) |
4.9.1 | BIS 5.0 (build version 5.0.21100.0) |
4.9.2 | BIS 5.0 (build version 5.0.21100.0) |
Material Lists
BVMS
Family Name | CTN | SAP# | Material description |
---|---|---|---|
BVMS Professional 11.1.1 | MBV-BPRO | F.01U.393.647 | License Professional base |
BVMS Plus 11.1.1 | MBV-BPLU | F.01U.393.650 | License Plus base |
BVMS Plus 11.1.1 DIP | MBV-BPLU-DIP | F.01U.374.503 | License Plus base for DIVAR IP |
BVMS Viewer 11.1.1 | MBV-BVWR | F.01U.393.649 | License Viewer base |
BVMS Lite 11.1.1 | MBV-BLIT | F.01U.393.648 | License Lite base |
BVMS Lite 11.1.1 DIP | MBV-BLIT-DIP | F.01U.358.975 | License Lite base for DIVAR IP |
BVMS Professional 11.1 | MBV-BPRO | F.01U.393.647 | License Professional base |
BVMS Plus 11.1 | MBV-BPLU | F.01U.393.650 | License Plus base |
BVMS Plus 11.1 DIP | MBV-BPLU-DIP | F.01U.374.503 | License Plus base for DIVAR IP |
BVMS Viewer 11.1 | MBV-BVWR | F.01U.393.649 | License Viewer base |
BVMS Lite 11.1 | MBV-BLIT | F.01U.393.648 | License Lite base |
BVMS Lite 11.1 DIP | MBV-BLIT-DIP | F.01U.358.975 | License Lite base for DIVAR IP |
BVMS Professional 11.0 | MBV-BPRO | F.01U.393.647 | License Professional base |
BVMS Plus 11.0 | MBV-BPLU | F.01U.393.650 | License Plus base |
BVMS Plus 11.0 DIP | MBV-BPLU-DIP | F.01U.374.503 | License Plus base for DIVAR IP |
BVMS Viewer 11.0 | MBV-BVWR | F.01U.393.649 | License Viewer base |
BVMS Lite 11.0 | MBV-BLIT | F.01U.393.648 | License Lite base |
BVMS Lite 11.0 DIP | MBV-BLIT-DIP | F.01U.358.975 | License Lite base for DIVAR IP |
Bosch DIVAR IP 7000 R2
Family Name | CTN | SAP# | Material description |
---|---|---|---|
DIVAR IP 7000 R2 | DIP-7180-00N | F.01U.314.520 | DIVAR IP 7000 2U w/o HDD |
DIVAR IP 7000 R2 | DIP-7183-4HD | F.01U.314.521 | DIVAR IP 7000 2U 4x3TB |
DIVAR IP 7000 R2 | DIP-7183-8HD | F.01U.314.522 | DIVAR IP 7000 2U 8x3TB |
DIVAR IP 7000 R2 | DIP-7184-4HD | F.01U.314.523 | DIVAR IP 7000 2U 4x4TB |
DIVAR IP 7000 R2 | DIP-7184-8HD | F.01U.314.524 | DIVAR IP 7000 2U 8x4TB |
DIVAR IP 7000 R2 | DIP-71F0-00N | F.01U.314.525 | DIVAR IP 7000 3U w/o HDD |
DIVAR IP 7000 R2 | DIP-71F3-16HD | F.01U.314.526 | DIVAR IP 7000 3U 16x3TB |
DIVAR IP 7000 R2 | DIP-71F4-16HD | F.01U.314.527 | DIVAR IP 7000 3U 16x4TB |
DIVAR IP 7000 R2 | DIP-7186-8HD | F.01U.329.143 | DIVAR IP 7000 2U 8x6TB |
DIVAR IP 7000 R2 | DIP-7188-8HD | F.01U.329.144 | DIVAR IP 7000 2U 8x8TB |
DIVAR IP 7000 R2 | DIP-71F6-16HD | F.01U.329.145 | DIVAR IP 7000 3U 16x6TB |
DIVAR IP 7000 R2 | DIP-71F8-16HD | F.01U.329.146 | DIVAR IP 7000 3U 16x8TB |
DIVAR IP 7000 R2 | DIP-7184-8HD-WAG | F.01U.343.277 | DIVAR IP 7000 2U 8x4TB, WAG Kit |
Bosch DIVAR IP all-in-one 5000
Family Name | CTN | SAP# | Material description |
---|---|---|---|
DIVAR IP all-in-one 5000 | DIP-5240IG-00N | F.01U.361.821 | Management Appliance w/o HDD |
DIVAR IP all-in-one 5000 | DIP-5244IG-4HD | F.01U.362.424 | Management Appliance 4x4TB |
DIVAR IP all-in-one 5000 | DIP-5248IG-4HD | F.01U.362.423 | Management Appliance 4x8TB |
DIVAR IP all-in-one 5000 | DIP-524CIG-4HD | F.01U.362.422 | Management Appliance 4x12TB |
DIVAR IP all-in-one 5000 | DIP-5240GP-00N | F.01U.359.551 | Management Appliance GPU wo HD |
DIVAR IP all-in-one 5000 | DIP-5244GP-4HD | F.01U.359.552 | Management Appliance GPU 4x4TB |
DIVAR IP all-in-one 5000 | DIP-5248GP-4HD | F.01U.359.553 | Management Appliance GPU 4x8TB |
DIVAR IP all-in-one 5000 | DIP-524CGP-4HD | F.01U.359.554 | Management Appliance GPU 4x12TB |
Bosch DIVAR IP all-in-one 7000
Family Name | CTN | SAP# | Material description |
---|---|---|---|
DIVAR IP all-in-one 7000 | DIP-7280-00N | F.01U.362.591 | 2U Management Appliance w/o HD |
DIVAR IP all-in-one 7000 | DIP-7284-8HD | F.01U.362.592 | 2U Management Appliance 8x4TB |
DIVAR IP all-in-one 7000 | DIP-7288-8HD | F.01U.362.593 | 2U Management Appliance 8x8TB |
DIVAR IP all-in-one 7000 | DIP-728C-8HD | F.01U.362.594 | 2U Management Appliance 8x12TB |
DIVAR IP all-in-one 7000 | DIP-72G0-00N | F.01U.362.595 | 3U Management Appliance wo HDD |
DIVAR IP all-in-one 7000 | DIP-72G8-16HD | F.01U.362.596 | 3U Management Appliance 16x8TB |
DIVAR IP all-in-one 7000 | DIP-72GC-16HD | F.01U.362.597 | 3U Management Appliance 16x12T |
DIVAR IP all-in-one 7000 R3
Family Name | CTN | SAP# | Material description |
---|---|---|---|
DIVAR IP all-in-one 7000 | DIP-7380-00N | F.01U.385.539 | Management appliance 2U without HD |
DIVAR IP all-in-one 7000 | DIP-7384-8HD | F.01U.385.540 | Management appliance 2U 8X4TB |
DIVAR IP all-in-one 7000 | DIP-7388-8HD | F.01U.385.541 | Management appliance 2U 8X8 TB |
DIVAR IP all-in-one 7000 | DIP-738C-8HD | F.01U.385.542 | Management appliance 2U 8X12 TB |
DIVAR IP all-in-one 7000 | DIP-73G0-00N | F.01U.385.543 | Management appliance 3U without HD |
DIVAR IP all-in-one 7000 | DIP-73G8-16HD | F.01U.385.544 | Management appliance 3U 16X8TB |
DIVAR IP all-in-one 7000 | DIP-73GC-16HD | F.01U.385.545 | Management appliance 3U 16X12 TB |
DIVAR IP all-in-one 4000
Family Name | CTN | SAP# | Material description |
---|---|---|---|
DIVAR IP all-in-one 4000 | DIP-4420IG-00N | F.01U.404.040 | Management appliance w/o HDD |
DIVAR IP all-in-one 4000 | DIP-4424IG-2HD | F.01U.404.041 | Management appliance 2x4TB |
DIVAR IP all-in-one 4000 | DIP-4428IG-2HD | F.01U.404.042 | Management appliance 2x8TB |
DIVAR IP all-in-one 4000 | DIP-442IIG-2HD | F.01U.404.043 | Management appliance 2x18TB |
DIVAR IP all-in-one 6000
Family Name | CTN | SAP# | Material description |
---|---|---|---|
DIVAR IP all-in-one 6000 | DIP-6440IG-00N | F.01U.404.045 | Management appliance 1U w/o HDD |
DIVAR IP all-in-one 6000 | DIP-6444IG-4HD | F.01U.404.046 | Management appliance 1U 4x4TB |
DIVAR IP all-in-one 6000 | DIP-6448IG-4HD | F.01U.404.047 | Management appliance 1U 4x8TB |
DIVAR IP all-in-one 6000 | DIP-644IIG-4HD | F.01U.404.048 | Management appliance 1U 4x18TB |
Access Management System (AMS)
Family Name | CTN | SAP# | Material Description |
---|---|---|---|
AMS Professional | AMS-BPRO | F.01U.406.338 | License Professional base |
AMS Plus | AMS-BPLU | F.01U.406.305 | License Plus base |
AMS Lite | AMS-BLIT | F.01U.406.304 | License Lite base |
Access Management System 4.0 | AMS-BASE-LITE40 | F.01U.395.556 | Lite license |
Access Management System 4.0 | AMS-BASE-PLUS40 | F.01U.395.557 | Plus license |
Access Management System 4.0 | AMS-BASE-PRO40 | F.01U.395.558 | Pro license |
Building Integration System (BIS)
Family Name | CTN | SAP# | Material Description |
---|---|---|---|
BIS 4.9 | BIS-BASE-PLUS49 | F.01U.395.599 | Plus license (bundle) |
BIS 4.9 | BIS-BGEN-B49 | F.01U.395.600 | Basic license |
BIS 4.9 | BIS-BGEN-BAS49 | F.01U.395.601 | Basic license without alarm documents |
BIS 4.8 | BIS-BASE-PLUS48 | F.01U.386.749 | Plus license (bundle) |
BIS 4.8 | BIS-BGEN-B48 | F.01U.386.750 | Basic license |
BIS 4.8 | BIS-BGEN-BAS48 | F.01U.392.550 | Basic license without alarm documents |
BIS 4.7 | BIS-BASE-PLUS47 | F.01U.363.006 | Plus license (bundle) |
BIS 4.7 | BIS-BGEN-B47 | F.01U.363.007 | Basic license |
BIS 4.7 | BIS-BGEN-BAS47 | F.01U.363.008 | Basic license without alarm documents |