Vulnerability for Windows Remote Desktop Services (RDP) Remote Code Execution
- Advisory ID: BOSCH-SA-425803-BT
CVE Numbers and Scores:
- Base Score: 9.8 (Critical)
- Published: 12 Jun 2019
- Last Updated: 12 Jun 2019
On May 14th 2019, information related to the Remote Desktop Services Remote Code Execution Vulnerability of Microsoft Windows operating system was published. The flaw affects the following operating systems used by Bosch Security and Safety systems products:
- Windows 7 (32-bit/x64)
- Windows Server 2008 (32-bit/x64/Itanium)
- Windows Server 2008 R2 (32-bit/x64/Itanium)
Bosch relies on Microsoft Windows operating systems for several products. Consequently, some devices are affected by this vulnerability. Depending on the product category, different configurations can be distinguished.
Category A: Directly affected devices, by default reachable via network on the vulnerable RDP Port 3389.
- DIVAR IP 3000
- DIVAR IP 6000 (only with Windows Storage Server 2008 R2)
- DIVAR IP 7000 (only with Windows Storage Server 2008 R2)
- HP Workstation (only with Windows 7)
- HP Server DL 380 (only with Windows Server 2008 R2)
Category B: Devices shipped by default with deactivated RDP, which can be re-enabled by the customer.
- DIVAR IP 2000
Category C: Devices shipped with disabled RDP services and additional firewall rules.
- VIDEOJET decoder 7000
- VIDEOJET decoder 8000
Affected products:
- Bosch DIVAR IP 2000 with configuration: RDP services explicitly re-enabled
- Bosch DIVAR IP 3000
- Bosch DIVAR IP 6000 on: Windows Storage Server 2008 R2
- Bosch DIVAR IP 7000 on: Windows Storage Server 2008 R2
- Bosch HP Server DL380 on: Windows Server 2008 R2
- Bosch HP Workstation on: Windows 7
- Bosch VIDEOJET decoder 7000 is not affected
- Bosch VIDEOJET decoder 8000 is not affected
Solution and Mitigations
Software and Firmware Update
It is recommended for any Bosch device to update its operating system and supported firmware to the latest patch level. Microsoft provides for this vulnerability additional information on its homepage. For products of each category, an individual approach is advised:
- Category A: Please log into the system with an administrative account (e.g. BVRAdmin) and install the CVE-2019-0708 patch either manually from the Microsoft website or via the auto update feature of the operating system.
- Category B: Please deactivate the device's debugging RDP service. Use the debugging feature only in a secure network environment. The necessary operating system patches will be included in the next firmware release.
- Category C: The RDP service is not accessible in any configuration. No action or fix is required.
Disable Remote Desktop Services
If you no longer need Remote Desktop Services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
A prerequisite for a successful attack is network access to the RDP service on port 3389 of the targeted Windows operating system. Firewalled systems and systems with the latest security updates are not vulnerable.
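As an added example that is not part of the Bosch advisory, the following PowerShell script audits a Windows 7 or Server 2008 R2 host for the exposure conditions named above (RDP enabled, TCP 3389 listening, patch not installed) and, with -DisableRdp, disables Remote Desktop and blocks the port as recommended. It assumes an elevated session; the KB identifiers in $PatchKBs are a placeholder that must be filled in from the Microsoft advisory for CVE-2019-0708.

```powershell
# Added example (not Bosch's or Microsoft's code). Written for the PowerShell 2.0
# cmdlets available on Windows 7 / Server 2008 R2, so no Get-NetFirewallRule.
param(
    [string[]]$PatchKBs = @('KB0000000'),  # PLACEHOLDER: KB IDs from the Microsoft advisory
    [switch]$DisableRdp                     # set to actually disable RDP and block TCP 3389
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # Patched if any installed hotfix matches one of the advisory's KB numbers
    $installed = @(Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID })
    $patched   = ($installed.Count -gt 0)

    # Is anything listening on TCP 3389? netstat output is parsed because the
    # Get-NetTCPConnection cmdlet does not exist on these OS versions.
    $listening = (@(netstat -an | Select-String ':3389\s+\S+\s+LISTENING').Count -gt 0)

    New-Object PSObject -Property @{
        RdpEnabled    = $rdpEnabled
        Listening3389 = $listening
        Patched       = $patched
        # Mirrors the advisory: exposed only when RDP is reachable and the patch is missing
        Exposed       = ($rdpEnabled -and $listening -and -not $patched)
    }
}

function Disable-RdpService {
    # Deny Remote Desktop connections, prevent the service from starting,
    # and add an inbound firewall rule blocking TCP 3389.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Set-Service -Name TermService -StartupType Disabled -ErrorAction SilentlyContinue
    netsh advfirewall firewall add rule name="Block RDP 3389 (CVE-2019-0708)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
}

$status = Get-RdpExposure
$status | Format-List RdpEnabled, Listening3389, Patched, Exposed
if ($DisableRdp -and $status.RdpEnabled) {
    Disable-RdpService
    Write-Host 'Remote Desktop disabled and inbound TCP 3389 blocked.'
}
```

Run without -DisableRdp first to see the audit result; the Exposed flag is only true when all three conditions from the advisory hold.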
CVE description: A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.
- Remote Code Execution
CVSS Vector String:
- CVSS 3.0 Base Score: 9.8 (Critical)
Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Bosch Building Technologies Security Advisory (PDF)
Microsoft Advisory for CVE-2019-0708
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: firstname.lastname@example.org.
12 Jun 2019: Initial Publication