Unrestricted resource consumption in BVMS

BOSCH-SA-162032-BT

Advisory Information

Advisory ID: BOSCH-SA-162032-BT
CVE Numbers and CVSS v3.1 Scores:
- CVE-2024-33618
  - Base Score: 7.5 (High)
Published: 16 Oct 2024
Last Updated: 16 Oct 2024

Summary

A vulnerability has been identified in the Bosch VMS Central Server concerning unrestricted resource consumption, leading to excessive use of disk space. The uncontrolled resource consumption can lead to a significant impact on the availability and performance of the affected system. This can result in the inability to store new data, process incoming requests, and perform essential system functions. In severe cases, it may lead to system crashes and data loss.

Affected Products

Bosch BVMS
- CVE-2024-33618
  - Version(s): 6.0 - 12.0.1 (including)
Bosch BVMS Viewer
- CVE-2024-33618
  - Version(s): 8.0 - 12.0.1 (including)
Bosch DIVAR IP 7000 R2
- CVE-2024-33618
  - Version(s): 9.0 - 12.0.1 (including)
Bosch DIVAR IP all-in-one 5000
- CVE-2024-33618
  - Version(s): 9.0 - 12.0.1 (including)
Bosch DIVAR IP all-in-one 7000
- CVE-2024-33618
  - Version(s): 6.0 - 12.0.1 (including)
Bosch DIVAR IP all-in-one 7000 R3
- CVE-2024-33618
  - Version(s): 10.1 - 12.0.1 (including)
Bosch DIVAR IP all-in-one 4000
- CVE-2024-33618
  - Version(s): 11.1.1 - 12.0.1 (including)
Bosch DIVAR IP all-in-one 6000
- CVE-2024-33618
  - Version(s): 11.1.1 - 12.0.1 (including)

Solution and Mitigations

Software Updates

The recommended approach is to update the software to a fixed version as soon as possible. Please check the Appendix for a list of updated versions for each affected product.

Secure Network Resources

It is advised to protect network access to Bosch VMS Central Server. Network administrators should implement the following recommendations in conjunction with laws, regulations, and industry best practices:

Segment and segregate networks
Monitor the network and review logs
Monitor resource usage and implement automated alerts for abnormal behavior on Bosch VMS Central Server

Vulnerability Details

CVE-2024-33618

CVE description: Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface.

Problem Type:
- CWE-400 Uncontrolled Resource Consumption
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Base Score: 7.5 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example, to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, for example, in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] BVMS Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMS
[2] BVMS Viewer Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMSVWR
[3] BVMS Appliances (DIVAR IP) Download Area: https://downloadstore.boschsecurity.com/?type=DIPBVMS

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

16 Oct 2024: Initial Publication

Appendix

Fixes for the Affected Products

BVMS

Affected versions	Version or patch that fixes the vulnerability
12.0.1	BVMS1201375_Patch_CCBlackCamSSH_454258,440210,438736,435719.zip

BVMS Download Area

BVMS Viewer

Affected versions	Version or patch that fixes the vulnerability
12.0.1	BVMS1201375_VWR_Patch_CCBlackCamSSH_454258,440210,438736,435719.zip

BVMS Viewer Download Area

Bosch DIVAR IP all-in-one 7000 R3

Affected BVMS versions	Version or patch that fixes the vulnerability
12.0.1	BVMS_12.0.1_Updates_SystemManager_package_1.2.zip

BVMS Appliances Download Area

Bosch DIVAR IP 7000 R2

Affected BVMS versions	Version or patch that fixes the vulnerability
12.0.1	BVMS_12.0.1_Updates_SystemManager_package_1.2.zip

BVMS Appliances Download Area

Bosch DIVAR IP all-in-one 5000

Affected BVMS versions	Version or patch that fixes the vulnerability
12.0.1	BVMS_12.0.1_Updates_SystemManager_package_1.2.zip

BVMS Appliances Download Area

Bosch DIVAR IP all-in-one 7000

Affected BVMS versions	Version or patch that fixes the vulnerability
12.0.1	BVMS_12.0.1_Updates_SystemManager_package_1.2.zip

BVMS Appliances Download Area

DIVAR IP all-in-one 4000

Affected BVMS versions	Version or patch that fixes the vulnerability
12.0.1	BVMS_12.0.1_Updates_SystemManager_package_1.2.zip

BVMS Appliances Download Area

DIVAR IP all-in-one 6000

Affected BVMS versions	Version or patch that fixes the vulnerability
12.0.1	BVMS_12.0.1_Updates_SystemManager_package_1.2.zip

BVMS Appliances Download Area

Material Lists

BVMS

Family Name	CTN	SAP#	Material description
BVMS Professional 12.0.1	MBV-BPRO	F.01U.393.647	License Professional base
BVMS Plus 12.0.1	MBV-BPLU	F.01U.393.650	License Plus base
BVMS Plus 12.0.1 DIP	MBV-BPLU-DIP	F.01U.374.503	License Plus base for DIVAR IP
BVMS Viewer 12.0.1	MBV-BVWR	F.01U.393.649	License Viewer base
BVMS Lite 12.0.1	MBV-BLIT	F.01U.393.648	License Lite base
BVMS Lite 12.0.1 DIP	MBV-BLIT-DIP	F.01U.358.975	License Lite base for DIVAR IP

Bosch DIVAR IP 7000 R2

Family Name	CTN	SAP#	Material description
DIVAR IP 7000 R2	DIP-7180-00N	F.01U.314.520	DIVAR IP 7000 2U w/o HDD
DIVAR IP 7000 R2	DIP-7183-4HD	F.01U.314.521	DIVAR IP 7000 2U 4x3TB
DIVAR IP 7000 R2	DIP-7183-8HD	F.01U.314.522	DIVAR IP 7000 2U 8x3TB
DIVAR IP 7000 R2	DIP-7184-4HD	F.01U.314.523	DIVAR IP 7000 2U 4x4TB
DIVAR IP 7000 R2	DIP-7184-8HD	F.01U.314.524	DIVAR IP 7000 2U 8x4TB
DIVAR IP 7000 R2	DIP-71F0-00N	F.01U.314.525	DIVAR IP 7000 3U w/o HDD
DIVAR IP 7000 R2	DIP-71F3-16HD	F.01U.314.526	DIVAR IP 7000 3U 16x3TB
DIVAR IP 7000 R2	DIP-71F4-16HD	F.01U.314.527	DIVAR IP 7000 3U 16x4TB
DIVAR IP 7000 R2	DIP-7186-8HD	F.01U.329.143	DIVAR IP 7000 2U 8x6TB
DIVAR IP 7000 R2	DIP-7188-8HD	F.01U.329.144	DIVAR IP 7000 2U 8x8TB
DIVAR IP 7000 R2	DIP-71F6-16HD	F.01U.329.145	DIVAR IP 7000 3U 16x6TB
DIVAR IP 7000 R2	DIP-71F8-16HD	F.01U.329.146	DIVAR IP 7000 3U 16x8TB
DIVAR IP 7000 R2	DIP-7184-8HD-WAG	F.01U.343.277	DIVAR IP 7000 2U 8x4TB, WAG Kit

Bosch DIVAR IP all-in-one 5000

Family Name	CTN	SAP#	Material description
DIVAR IP all-in-one 5000	DIP-5240IG-00N	F.01U.361.821	Management Appliance w/o HDD
DIVAR IP all-in-one 5000	DIP-5244IG-4HD	F.01U.362.424	Management Appliance 4x4TB
DIVAR IP all-in-one 5000	DIP-5248IG-4HD	F.01U.362.423	Management Appliance 4x8TB
DIVAR IP all-in-one 5000	DIP-524CIG-4HD	F.01U.362.422	Management Appliance 4x12TB
DIVAR IP all-in-one 5000	DIP-5240GP-00N	F.01U.359.551	Management Appliance GPU wo HD
DIVAR IP all-in-one 5000	DIP-5244GP-4HD	F.01U.359.552	Management Appliance GPU 4x4TB
DIVAR IP all-in-one 5000	DIP-5248GP-4HD	F.01U.359.553	Management Appliance GPU 4x8TB
DIVAR IP all-in-one 5000	DIP-524CGP-4HD	F.01U.359.554	Management Appliance GPU 4x12TB

Bosch DIVAR IP all-in-one 7000

Family Name	CTN	SAP#	Material description
DIVAR IP all-in-one 7000	DIP-7280-00N	F.01U.362.591	2U Management Appliance w/o HD
DIVAR IP all-in-one 7000	DIP-7284-8HD	F.01U.362.592	2U Management Appliance 8x4TB
DIVAR IP all-in-one 7000	DIP-7288-8HD	F.01U.362.593	2U Management Appliance 8x8TB
DIVAR IP all-in-one 7000	DIP-728C-8HD	F.01U.362.594	2U Management Appliance 8x12TB
DIVAR IP all-in-one 7000	DIP-72G0-00N	F.01U.362.595	3U Management Appliance wo HDD
DIVAR IP all-in-one 7000	DIP-72G8-16HD	F.01U.362.596	3U Management Appliance 16x8TB
DIVAR IP all-in-one 7000	DIP-72GC-16HD	F.01U.362.597	3U Management Appliance 16x12T

DIVAR IP all-in-one 7000 R3

Family Name	CTN	SAP#	Material description
DIVAR IP all-in-one 7000	DIP-7380-00N	F.01U.385.539	Management appliance 2U without HD
DIVAR IP all-in-one 7000	DIP-7384-8HD	F.01U.385.540	Management appliance 2U 8X4TB
DIVAR IP all-in-one 7000	DIP-7388-8HD	F.01U.385.541	Management appliance 2U 8X8 TB
DIVAR IP all-in-one 7000	DIP-738C-8HD	F.01U.385.542	Management appliance 2U 8X12 TB
DIVAR IP all-in-one 7000	DIP-73G0-00N	F.01U.385.543	Management appliance 3U without HD
DIVAR IP all-in-one 7000	DIP-73G8-16HD	F.01U.385.544	Management appliance 3U 16X8TB
DIVAR IP all-in-one 7000	DIP-73GC-16HD	F.01U.385.545	Management appliance 3U 16X12 TB

DIVAR IP all-in-one 4000

Family Name	CTN	SAP#	Material description
DIVAR IP all-in-one 4000	DIP-4420IG-00N	F.01U.404.040	Management appliance w/o HDD
DIVAR IP all-in-one 4000	DIP-4424IG-2HD	F.01U.404.041	Management appliance 2x4TB
DIVAR IP all-in-one 4000	DIP-4428IG-2HD	F.01U.404.042	Management appliance 2x8TB
DIVAR IP all-in-one 4000	DIP-442IIG-2HD	F.01U.404.043	Management appliance 2x18TB

DIVAR IP all-in-one 6000

Family Name	CTN	SAP#	Material description
DIVAR IP all-in-one 6000	DIP-6440IG-00N	F.01U.404.045	Management appliance 1U w/o HDD
DIVAR IP all-in-one 6000	DIP-6444IG-4HD	F.01U.404.046	Management appliance 1U 4x4TB
DIVAR IP all-in-one 6000	DIP-6448IG-4HD	F.01U.404.047	Management appliance 1U 4x8TB
DIVAR IP all-in-one 6000	DIP-644IIG-4HD	F.01U.404.048	Management appliance 1U 4x18TB