Missing Authentication for Critical Function in Bosch Video Streaming Gateway
BOSCH-SA-260625-BT
Advisory Information
- Advisory ID: BOSCH-SA-260625-BT
- CVE Numbers and Scores:
  - CVE-2020-6769
    - Base Score: 10.0 (Critical)
- Published: 29 Jan 2020
- Last Updated: 29 Jan 2020
Summary
A recently discovered security vulnerability affects the Bosch Video Streaming Gateway (VSG). The vulnerability is exploitable via the network interface. An unauthorized attacker can retrieve and set arbitrary configuration data of the VSG. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 10.0 (Critical) and strongly recommends that customers update vulnerable components to fixed software versions.
The vulnerability was discovered during internal security tests.
Affected Products
- Bosch DIVAR IP 2000 <= 3.62.0019 with configuration: ‘port 8023 on device's firewall opened explicitly and vulnerable VSG version installed’
- Bosch DIVAR IP 3000 with configuration: ‘vulnerable VSG version installed’
- Bosch DIVAR IP 5000 <= 3.80.0039 with configuration: ‘port 8023 on device's firewall opened explicitly and vulnerable VSG version installed’
- Bosch DIVAR IP 7000 with configuration: ‘vulnerable VSG version installed’
- Bosch DIVAR IP all-in-one 5000 with configuration: ‘vulnerable VSG version installed’
- Bosch Video Streaming Gateway 6.42 and older <= 6.42.10
- Bosch Video Streaming Gateway 6.43 <= 6.43.0023
- Bosch Video Streaming Gateway 6.44 <= 6.44.0030
- Bosch Video Streaming Gateway 6.45 <= 6.45.08
Solution and Mitigations
Software Updates
The recommended approach is to update the software of affected Bosch products to a fixed version. If an update is not possible in a timely manner, a firewall with corresponding port settings on every VSG server machine prevents attacks over the network. A list of affected software and hardware, together with the fixed versions, is available in [1].
Firewalling (Network)
It is advised to block the corresponding telnet port on machines hosting the VSG service. Each instance of the VSG service has its own dedicated port:
- VSG Instance 1 uses port 8023
- VSG Instance 2 uses port 8024
- VSG Instance 3 uses port 8025
- VSG Instance 4 uses port 8026
- VSG Instance 5 uses port 8027
- VSG Instance 6 uses port 8028
- VSG Instance 7 uses port 8029
Vulnerability Details
CVE-2020-6769
Attacks can be performed over the network; no physical access is required. The complexity of the attack is low, as a potential attacker does not require any specific knowledge or any specifically controlled conditions on the target environment. Successful attacks can be performed without prior authentication against the target system and without end user interaction.
The vulnerable component is the VSG service. The impact extends to the VSG service itself, all cameras configured to be controlled by the VSG, and the recording storage associated with the VSG.
Successful attacks impact the confidentiality, integrity and availability of live and recorded video data.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Base Score: 10.0 (Critical)
Remark
Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] Appendix: Affected Products - Software, Hardware and Fixed Versions: https://psirt.bosch.com/security-advisories/BOSCH-SA-260625-BT.html#appendix
- [2] Bosch Building Technologies Security Advisory Page: https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html
- [3] DIVAR IP Download Store: https://downloadstore.boschsecurity.com/index.php?type=DIP
- [4] VSG Download Store: https://downloadstore.boschsecurity.com/index.php?type=VSG
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
- 29 Jan 2020: Initial Publication
Affected Hardware
DIVAR IP with BVMS | Vulnerable versions (until and including) | Fixed or non-vulnerable firmware versions (and later) |
---|---|---|
DIVAR IP 3000 | See VSG with BVMS | See VSG with BVMS |
DIVAR IP 7000 | See VSG with BVMS | See VSG with BVMS |
DIVAR IP all-in-one 5000 | See VSG with BVMS | See VSG with BVMS |
DIVAR IP without BVMS | Vulnerable versions (until and including) | Fixed or non-vulnerable firmware versions (and later) |
---|---|---|
DIVAR IP 2000 | 3.62.0019 | 3.62.0023 |
DIVAR IP 5000 | 3.80.0039 | 3.80.0044 |
Affected Software
VSG versions | Corresponding BVMS version | Vulnerable versions (until and including) | Name of the patch to fix the vulnerability |
---|---|---|---|
6.45 | 9.0 | 6.45.08 | 6.45.10 (32 Bit) |
6.44 | 9.0 | 6.44.0030 | 6.45.10 (32 Bit) |
6.43 | 8.0 | 6.43.0023 | 6.43.0025 (32 Bit) |
6.42 and older | 7.5 and older | 6.42.10 and older | Please update your system to a version for which a fix is provided |
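The version tables above can be applied mechanically when triaging an inventory. The following Python is an added example, not part of the Bosch advisory or any Bosch tooling; the function names and sample calls are hypothetical, while the version thresholds are copied from the tables.

```python
# Added example: triage installed versions against this advisory's tables.
# Thresholds come from the advisory; all function names are hypothetical.

def parse(version):
    """'6.44.0030' -> (6, 44, 30); numeric comparison ignores zero padding."""
    return tuple(int(part) for part in version.strip().split("."))

# VSG branch -> (last vulnerable build, patch named in the advisory)
VSG = {
    (6, 45): ("6.45.08", "6.45.10 (32 Bit)"),
    (6, 44): ("6.44.0030", "6.45.10 (32 Bit)"),
    (6, 43): ("6.43.0023", "6.43.0025 (32 Bit)"),
}
# DIVAR IP without BVMS -> (last vulnerable firmware, first fixed firmware)
DIVAR = {
    "DIVAR IP 2000": ("3.62.0019", "3.62.0023"),
    "DIVAR IP 5000": ("3.80.0039", "3.80.0044"),
}

def assess_vsg(version):
    """Return (vulnerable, remediation); vulnerable is None if not listed."""
    v = parse(version)
    if v <= parse("6.42.10"):
        # "6.42 and older": the advisory names no patch for these branches.
        return True, "update to a version for which a fix is provided"
    if v[:2] not in VSG:
        return None, "branch not listed in the advisory; verify manually"
    last_bad, fix = VSG[v[:2]]
    if v <= parse(last_bad):
        return True, "install " + fix
    return False, "above the last vulnerable build listed"

def assess_divar(model, firmware):
    """Firmware check for DIVAR IP models without BVMS."""
    if model not in DIVAR:
        # DIVAR IP 3000 / 7000 / all-in-one 5000: "See VSG with BVMS".
        return None, "check the installed VSG version instead"
    last_bad, fixed = DIVAR[model]
    if parse(firmware) <= parse(last_bad):
        # Per the advisory, exposure also requires port 8023 opened explicitly.
        return True, "update firmware to " + fixed + " or later"
    return False, "at or above the fixed firmware"

if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    for ver in ("6.45.08", "6.44.0030", "6.43.0025", "6.41.5"):
        print("VSG", ver, assess_vsg(ver))
    print("DIVAR IP 2000", assess_divar("DIVAR IP 2000", "3.62.0019"))
```

A `None` result means the advisory's tables do not cover the input, so it should be checked by hand rather than treated as safe.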