Bosch PSIRT

Missing Authentication for Critical Function in Bosch Video Streaming Gateway

BOSCH-SA-260625-BT

Advisory Information

Summary

A recently discovered security vulnerability affects the Bosch Video Streaming Gateway (VSG). The vulnerability is exploitable via the network interface. An unauthorized attacker can retrieve and set arbitrary configuration data of the VSG. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 10.0 (Critical) and strongly recommends that customers update vulnerable components to fixed software versions.

The vulnerability was discovered during internal security tests.

Affected Products

  • Bosch DIVAR IP 2000 <= 3.62.0019 with configuration: ‘port 8023 on device's firewall opened explicitly and vulnerable VSG version installed’
  • Bosch DIVAR IP 3000 with configuration: ‘vulnerable VSG version installed’
  • Bosch DIVAR IP 5000 <= 3.80.0039 with configuration: ‘port 8023 on device's firewall opened explicitly and vulnerable VSG version installed’
  • Bosch DIVAR IP 7000 with configuration: ‘vulnerable VSG version installed’
  • Bosch DIVAR IP all-in-one 5000 with configuration: ‘vulnerable VSG version installed’
  • Bosch Video Streaming Gateway 6.42 and older <= 6.42.10
  • Bosch Video Streaming Gateway 6.43 <= 6.43.0023
  • Bosch Video Streaming Gateway 6.44 <= 6.44.0030
  • Bosch Video Streaming Gateway 6.45 <= 6.45.08

Solution and Mitigations

Software Updates

The recommended approach is to update the software of affected Bosch products to a fixed version. If an update is not possible in a timely manner, a firewall with corresponding port settings on every VSG server machine prevents attacks over the network. A list of affected software and hardware, with fixed versions, is available in [1].

Firewalling (Network)

It is advised to block the corresponding telnet port on machines hosting the VSG service. Each instance of the VSG service has its own dedicated port:

  • VSG Instance 1 uses port 8023
  • VSG Instance 2 uses port 8024
  • VSG Instance 3 uses port 8025
  • VSG Instance 4 uses port 8026
  • VSG Instance 5 uses port 8027
  • VSG Instance 6 uses port 8028
  • VSG Instance 7 uses port 8029

Vulnerability Details

CVE-2020-6769

Attacks can be performed over the network; no physical access is required. The complexity of the attack is low, as a potential attacker does not require any specific knowledge or any specifically controlled conditions on the target environment. Successful attacks can be performed without prior authentication against the target system and without end user interaction.

The vulnerable component is the VSG service. Impacted are the VSG service itself, all cameras configured to be controlled by the VSG, and the recording storage associated with the VSG.

Successful attacks impact the confidentiality, integrity and availability of live and recorded video data.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to arrive at a final score.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 29 Jan 2020: Initial Publication

Affected Hardware

| DIVAR IP with BVMS | Vulnerable versions (until and including) | Fixed or non-vulnerable firmware versions (and later) |
| --- | --- | --- |
| DIVAR IP 3000 | See VSG with BVMS | See VSG with BVMS |
| DIVAR IP 7000 | See VSG with BVMS | See VSG with BVMS |
| DIVAR IP all-in-one 5000 | See VSG with BVMS | See VSG with BVMS |

Bosch DIVAR IP with BVMS

| DIVAR IP without BVMS | Vulnerable versions (until and including) | Fixed or non-vulnerable firmware versions (and later) |
| --- | --- | --- |
| DIVAR IP 2000 | 3.62.0019 | 3.62.0023 |
| DIVAR IP 5000 | 3.80.0039 | 3.80.0044 |

Bosch DIVAR IP 2000 and DIVAR IP 5000 (VRM/VSG only, without BVMS)

Affected Software

| VSG versions | Corresponding BVMS version | Vulnerable versions (until and including) | Name of the patch to fix the vulnerability |
| --- | --- | --- | --- |
| 6.45 | 9.0 | 6.45.08 | 6.45.10 (32 Bit) |
| 6.44 | 9.0 | 6.44.0030 | 6.45.10 (32 Bit) |
| 6.43 | 8.0 | 6.43.0023 | 6.43.0025 (32 Bit) |
| 6.42 and older | 7.5 and older | 6.42.10 and older | Please update your system to a version for which a fix is provided |

Bosch Video Streaming Gateway (VSG) with BVMS
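
The version tables above reduce to a numeric comparison per branch, which matters because the advisory mixes formats such as 6.45.08 and 6.44.0030. The following inventory triage is an added example, not Bosch code: the function names, status strings and sample inventory are constructed here, and only the version thresholds and fixes come from the advisory. For DIVAR IP 3000, 7000 and all-in-one 5000, pass the installed VSG version as product "VSG".

```python
# Added example: triage inventory entries against the advisory's version tables.
# Thresholds and fixes are copied from the advisory; INVENTORY is constructed.

def parse(version):
    """'6.44.0030' -> (6, 44, 30): compare fields as integers, not strings."""
    return tuple(int(field) for field in version.split("."))

# VSG branch -> (last vulnerable version, fix named in the advisory)
VSG_BRANCHES = {
    (6, 43): ("6.43.0023", "patch 6.43.0025 (32 Bit)"),
    (6, 44): ("6.44.0030", "patch 6.45.10 (32 Bit)"),
    (6, 45): ("6.45.08", "patch 6.45.10 (32 Bit)"),
}
# DIVAR IP without BVMS -> (last vulnerable firmware, first fixed firmware)
DIVAR_FIRMWARE = {
    "DIVAR IP 2000": ("3.62.0019", "firmware 3.62.0023 or later"),
    "DIVAR IP 5000": ("3.80.0039", "firmware 3.80.0044 or later"),
}

def triage(product, version, port_8023_open=False):
    """Return (status, remedy); 'not listed' means not listed as vulnerable."""
    v = parse(version)
    if product == "VSG":
        if v[:2] <= (6, 42):
            # "6.42 and older": the advisory names no patch for these branches.
            last, fix = "6.42.10", "update to a version for which a fix is provided"
        elif v[:2] in VSG_BRANCHES:
            last, fix = VSG_BRANCHES[v[:2]]
        else:
            return ("not listed", None)
        return ("affected", fix) if v <= parse(last) else ("not listed", None)
    if product in DIVAR_FIRMWARE:
        last, fix = DIVAR_FIRMWARE[product]
        if v > parse(last):
            return ("not listed", None)
        # The advisory lists these devices as affected only when port 8023
        # was explicitly opened on the device firewall.
        status = "affected" if port_8023_open else "vulnerable firmware, port closed"
        return (status, fix)
    return ("not listed", None)

INVENTORY = [  # constructed sample entries: (product, version, port 8023 opened)
    ("VSG", "6.44.0030", False),
    ("VSG", "6.45.10", False),
    ("VSG", "6.41.7", False),
    ("DIVAR IP 2000", "3.62.0019", True),
    ("DIVAR IP 5000", "3.80.0039", False),
]

if __name__ == "__main__":
    for product, version, port_open in INVENTORY:
        print(product, version, triage(product, version, port_open))
```

The "vulnerable firmware, port closed" status is this example's own label for a DIVAR IP 2000 or 5000 that runs a listed firmware version without the port 8023 precondition; such a device still needs the firmware update.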