Bosch PSIRT

Two Vulnerabilities in Bosch Fire Monitoring System (FSM)

BOSCH-SA-332072-BT

Advisory Information

Summary

Two vulnerabilities have been discovered affecting the Bosch Fire Monitoring System (FSM-2500 and FSM-5000). Both issues affect FSM versions 5.2 and lower; the critical one (CVE-2020-6779) is a hard-coded credential for the FSM database.

Bosch rates these vulnerabilities with CVSS v3.1 Base Scores of 4.4 (medium) and 10.0 (critical) and strongly recommends that customers update vulnerable components to a fixed software version (5.6 or higher).

The vulnerabilities have been discovered during internal product tests.

Affected Products

  • Bosch FSM-2500 <= 5.2
  • Bosch FSM-5000 <= 5.2

Solution and Mitigations

Software Updates

The recommended approach is to patch the software of affected Bosch products.

If an update is not possible in a timely manner, the temporary workarounds described below (network isolation of the installation workstation, disabling credential caching, and resetting the MSSQL “sa” password) can be applied.

Company network

It is recommended that the workstation used to install the FSM server not be logged onto a company network, neither before, during, nor after installation.

It is recommended practice to disable the ability of the Windows operating system to cache domain credentials on any device where cached credentials are not needed. Evaluate your servers and workstations to determine the requirements.

MSSQL Express

Reset the SQL system administrator (“sa”) password and change the SQL connection password accordingly in the FSM System Configuration (see TI 2265/2019 from BT-FIR, distributed in December 2019).

The default “sa” password set during installation of the SQL Server Express database shall be changed. It is very important to choose a strong, unique password for the “sa” login.

Suggested procedure for changing the SQL system administrator password:

  1. Reset the SQL system administrator password

    1. Download and install Microsoft SQL Server Management Studio Express; make sure to choose the suitable Windows platform (x86 or x64).

    2. Open the application and choose the authentication mode “Windows Authentication”.

    3. Press the “Connect” button and navigate to the Security -> Logins folder in the Object Explorer on the left side of the window; right-click on “sa” and choose Properties.

    4. Change the password to a complex one.

    5. Make sure that SQL Server allows the “sa” account to connect and that the login is enabled: navigate to the Status page and choose “Grant” (permission to connect to database engine) and “Enabled” (login) on the right side of the window.

    6. Press OK and exit Microsoft SQL Server Management Studio Express.

  2. Change the SQL connection password in the FSM System Configuration

    1. Stop the service “FSM Server” in Windows Task Manager (Services tab). The service will not be able to reach the database until its stored password is updated in the next steps.

    2. Run the FSM System Configuration program (from the Start Menu).

    3. Open the “Database” tab, enter the new password in the password field and click “Test connection” to check that the connection works.

    4. If the connection is online, press the OK button.

    5. Start the service “FSM Server” in Windows Task Manager.
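The same reset as a T-SQL script, given here as an added example and not as Bosch's own procedure. It performs step 1 (the SSMS clicks above) and the verification a practitioner would want before touching the FSM configuration; step 2 is done in the FSM System Configuration tool and stays manual. Assumptions: the SQL Server Express instance is the default named instance .\SQLEXPRESS, you run the script while connected with Windows Authentication as a member of the sysadmin role, and the password in the script is a placeholder that you replace with a long, unique value of your own.

```sql
-- Added example, not Bosch's own procedure: T-SQL equivalent of step 1 above.
-- Assumptions: the Express instance is .\SQLEXPRESS, you are connected with
-- Windows Authentication as a sysadmin, and the password below is a placeholder
-- that you replace with a long, unique value of your own.
USE master;
GO

-- The FSM Server authenticates as "sa", which requires mixed-mode authentication.
-- 0 = mixed mode (expected on an FSM installation); 1 = Windows-only, in which
-- case the "sa" login cannot connect at all and the FSM connection test will fail.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
GO

-- Step 1.4: set a new, complex password. CHECK_POLICY = ON applies the host's
-- Windows password policy (length, complexity) to this login.
ALTER LOGIN [sa]
  WITH PASSWORD = N'Replace-Me-With-A-Long-Unique-Passphrase!', CHECK_POLICY = ON;
GO

-- Step 1.5: the equivalent of Status -> "Grant" (permission to connect to the
-- database engine) and "Enabled" (login not disabled).
GRANT CONNECT SQL TO [sa];
ALTER LOGIN [sa] ENABLE;
GO

-- Verification: is_disabled must be 0 and modify_date must be current; otherwise
-- the FSM Server service will fail to connect once its stored password is
-- changed in step 2.
SELECT name, is_disabled, is_policy_checked, modify_date
FROM sys.sql_logins
WHERE name = N'sa';

-- CONNECT SQL must be listed with state GRANT for the "sa" principal.
SELECT sp.name, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp
  ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = N'sa' AND p.permission_name = N'CONNECT SQL';
GO
```

Run it from SSMS, or from a command prompt on the FSM server with `sqlcmd -S .\SQLEXPRESS -E -i reset_sa.sql` (the `-E` switch uses Windows Authentication, matching step 1.2; the instance name is an assumption and must match your installation). Until step 2 has been completed, the FSM Server service cannot authenticate to the database, so schedule the change accordingly.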

Vulnerability Details

CVE-2020-6779

CVE description: Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system.

CVE-2020-6780

CVE description: Use of Password Hash With Insufficient Computational Effort in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows a remote attacker with admin privileges to dump the credentials of other users and possibly recover their plain-text passwords by brute-forcing the MD5 hash.
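What “insufficient computational effort” means in practice, as an added illustration that is not part of the advisory and does not use the FSM database schema: the user table, the hashes and the wordlist below are constructed for this example. An attacker who already holds database admin rights (the position CVE-2020-6779 gives) can dump such a table, and an unsalted, fast hash turns recovery into a single equality join against a candidate list.

```sql
-- Added illustration, not from the advisory and not the FSM schema: a constructed
-- user table holding unsalted MD5 password hashes, as an attacker with database
-- admin rights (CVE-2020-6779) could dump it, and a small constructed wordlist.
DECLARE @dumped_users TABLE (username sysname, pwd_md5 binary(16));
INSERT INTO @dumped_users (username, pwd_md5) VALUES
  (N'operator1', HASHBYTES('MD5', 'Summer2019')),
  (N'operator2', HASHBYTES('MD5', 'fsm12345')),
  (N'operator3', HASHBYTES('MD5', 'Summer2019')),        -- same password as operator1
  (N'operator4', HASHBYTES('MD5', 'xK9#v2!qL0zRwT7e'));  -- long random password

DECLARE @wordlist TABLE (candidate varchar(64));
INSERT INTO @wordlist (candidate) VALUES
  ('password'), ('Summer2019'), ('fsm12345'), ('admin'), ('Welcome1');

-- Because the hash is unsalted and fast, recovery is a single equality join:
-- every account whose password is in the list comes back with its plaintext,
-- and operator1 and operator3 are exposed together because equal passwords
-- give equal hashes. operator4 is protected only by the length of its
-- password; MD5 is cheap enough that short passwords can be searched
-- exhaustively rather than from a list.
SELECT u.username, w.candidate AS recovered_password
FROM @dumped_users AS u
JOIN @wordlist AS w
  ON u.pwd_md5 = HASHBYTES('MD5', w.candidate);

-- What a per-user salt changes: identical passwords no longer share a hash, so
-- each account has to be attacked separately and precomputed tables are useless.
-- This still uses a fast hash; the real fix (a slow, salted KDF such as PBKDF2,
-- bcrypt or Argon2) belongs in the application that writes the table, because
-- T-SQL HASHBYTES offers no slow KDF.
DECLARE @salt1 binary(16) = CRYPT_GEN_RANDOM(16);
DECLARE @salt2 binary(16) = CRYPT_GEN_RANDOM(16);
SELECT HASHBYTES('SHA2_256', @salt1 + CONVERT(varbinary(64), 'Summer2019')) AS operator1_salted,
       HASHBYTES('SHA2_256', @salt2 + CONVERT(varbinary(64), 'Summer2019')) AS operator3_salted;
```

The practical consequence for a defender is that an FSM system exposed while vulnerable should be treated as if its user hashes were already dumped: after updating to 5.6 or higher, rotate the FSM user passwords as well as the “sa” password, since cracked hashes remain valid credentials until the passwords change.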

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about these vulnerabilities at: psirt@bosch.com.

Revision History

  • 20 Jan 2021: Initial Publication

Appendix

Affected Software

FSM version   Affected versions   Fixed versions
FSM-2500      5.2 and lower       5.6 and higher
FSM-5000      5.2 and lower       5.6 and higher