
Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000

BOSCH-SA-454166-BT

Advisory Information

Summary

The possibility for a reflected Cross Site Scripting (XSS) and stored Cross Site Scripting (XSS) attack was discovered in the Bosch VIDEOJET multi 4000.

For more details please see the description of the vulnerability in this advisory.

Bosch rates these vulnerabilities with CVSSv3.1 base scores of 5.8 (medium) and 5.1 (medium), where the final rating depends on the customer’s environment.

Customers are advised to update to the fixed version or follow listed mitigations.

Affected Products

  • Bosch VIDEOJET multi 4000
    • CVE-2022-40183, CVE-2022-40184
      • Version(s): <= 6.31.0010

Solution and Mitigations

Software Updates

The recommended approach is to update the Bosch VIDEOJET multi 4000 to the fixed version. Please refer to the appendix for the list of affected versions and available updates.

A reboot is required after applying the update. To check whether the update has been successfully applied, please check the version e.g. in the web based interface (Service - System Overview).
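The advisory gives the affected range (6.31.0010 and earlier) and the fixed firmware (6.31.0019) as dotted version strings. The following is an added triage helper, not a Bosch tool and not part of this advisory: it compares such strings field by field rather than as text and sorts a constructed device inventory into affected, fixed and in-between (versions the advisory does not list) so the result of an update can be checked across a fleet. The inventory lines and host names are made up for the example.

```python
from typing import Dict, Tuple

# Boundaries taken from the advisory; any other version string here is constructed.
AFFECTED_MAX = "6.31.0010"    # "6.31.0010 and earlier" are affected
FIXED_VERSION = "6.31.0019"   # firmware named in the appendix as the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.31.0010' into (6, 31, 10) so comparisons are numeric per field.

    Comparing the raw strings would break as soon as a field loses its zero
    padding or grows a digit (e.g. '6.4.0001' vs '6.31.0001')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version format: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one reported firmware version against the advisory.

    Returns 'affected', 'fixed', or 'unknown' for versions that are newer
    than the affected range but older than the named fix (the advisory
    says nothing about those, so they are flagged for manual review)."""
    ver = parse_version(version)
    if ver <= parse_version(AFFECTED_MAX):
        return "affected"
    if ver >= parse_version(FIXED_VERSION):
        return "fixed"
    return "unknown"


# Constructed sample inventory: "host,firmware_version" per line.
SAMPLE_INVENTORY = """\
# host,firmware_version  (constructed sample, not real devices)
encoder-lobby,6.31.0010
encoder-parking,6.31.0019
encoder-gate,6.30.0005
encoder-dock,6.31.0015
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map every host in a CSV-style inventory to its assessment."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, version = (field.strip() for field in line.split(",", 1))
        result[host] = assess(version)
    return result


if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {state}")
```

Feed the inventory from whatever records the version shown under Service - System Overview; hosts reported as "unknown" should be re-checked by hand rather than treated as patched.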

If the update is not possible in a target environment, users are recommended to follow the mitigations described in the following section.

Secure Configuration Environment

It is advised to configure the encoder with a Bosch tool such as the Configuration Manager, which is not vulnerable to issues like XSS (Cross Site Scripting) or CSRF (Cross Site Request Forgery).

When using the web based configuration interface and currently being logged in as an administrator, some security precautions can be taken to mitigate XSS or CSRF vulnerabilities:

  • No other websites or email content should be opened as long as the session to the encoder is active.

  • No links should be clicked from an untrusted external source that link back to the encoder.

  • Use a different browser than the system default browser to open a session to the encoder as there is no XSS or CSRF between browsers.

  • Always log out and/or close the browser (not only the tab) to clear any session data.

Secure Administration

A stored XSS attack is only possible when a user with administrative rights is able to save malicious JavaScript code on the device. Only trusted users should have access to the administrative interface, and common security rules for administrative credentials should be followed (e.g. using strong, unique passwords).

Vulnerability Details

CVE-2022-40183

CVE description: An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.

CVE-2022-40184

CVE description: Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.
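The two CVEs above are the two classic XSS classes: a request parameter echoed straight back into the page (reflected) and an administrator-entered configuration value stored and shown to other administrators, protected only by an incomplete input filter (stored). The following is an added, hypothetical mini web interface written for this advisory; it is not the VIDEOJET multi 4000 firmware and not Bosch code. It places the unsafe rendering of each case next to the hardened one (HTML encoding at the point of output) and parses the resulting markup with Python's HTMLParser to show what a browser would build from it. All URLs, field names and stored values are constructed.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# --- reflected case: a value from the request URL is echoed into the response ---

def _name_param(url: str) -> str:
    """Extract the constructed 'name' query parameter from a status URL."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_status_unsafe(url: str) -> str:
    """Echoes the parameter verbatim: markup in the URL becomes part of the page."""
    return f"<p>Camera: {_name_param(url)}</p>"


def render_status_safe(url: str) -> str:
    """Same page, with the value HTML-encoded where it is written into the output."""
    return f"<p>Camera: {html.escape(_name_param(url), quote=True)}</p>"


# --- stored case: an admin-supplied configuration value is saved, then shown to every admin ---

def filter_on_input(value: str) -> str:
    """Blocklist filter applied at save time: removes a literal <script> tag only.

    This is the 'incomplete filtering' pattern: the filter cannot know the
    context the value is later written into, so it misses characters (such as
    a double quote) that matter in that context."""
    return re.sub(r"<script>", "", value, flags=re.IGNORECASE)


def render_config_unsafe(stored: str) -> str:
    """Writes the stored value into an attribute without encoding."""
    return f'<input name="camera_name" value="{stored}">'


def render_config_safe(stored: str) -> str:
    """Encoding on output: quotes and angle brackets cannot leave the attribute."""
    return f'<input name="camera_name" value="{html.escape(stored, quote=True)}">'


# --- checks: parse the rendered markup the way a browser would ---

class _Collector(HTMLParser):
    """Records every element created and the attributes of the <input> field."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.input_attrs: List[Tuple[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = attrs


def tags_in(rendered: str) -> List[str]:
    """All elements a browser would create from the markup."""
    c = _Collector()
    c.feed(rendered)
    return c.tags


def value_round_trips(rendered: str, original: str) -> bool:
    """True if the stored text comes back as exactly the 'value' attribute
    and no extra attributes were created by the value's own characters."""
    c = _Collector()
    c.feed(rendered)
    return dict(c.input_attrs).get("value") == original and len(c.input_attrs) == 2


if __name__ == "__main__":
    url = "http://encoder.example/status?name=<b>Lobby</b>"   # constructed
    print(tags_in(render_status_unsafe(url)))   # ['p', 'b']: injected element created
    print(tags_in(render_status_safe(url)))     # ['p']: value shown as text only
    stored = filter_on_input('Lobby" data-x="')  # passes the filter: no <script> tag present
    print(value_round_trips(render_config_unsafe(stored), stored))  # False: attribute split
    print(value_round_trips(render_config_safe(stored), stored))    # True
```

The round-trip check is the useful regression test for a fix of this kind: a correctly encoded field returns exactly what the administrator typed, no matter which characters it contains, while a filter-based approach has to be re-examined for every output context the value appears in.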

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 18 Jan 2023: Added fix for vulnerability
  • 19 Oct 2022: Initial Publication

Appendix

Affected Products

Bosch VIDEOJET multi 4000

Affected VIDEOJET multi 4000 firmware   Name of version to fix the vulnerability
6.31.0010 and earlier                   6.31.0019

VIDEOJET multi Download Area

Material Lists

VIDEOJET multi 4000

Family Name               CTN           SAP#           Material description
VIDEOJET multi 4000       VJM-4016      F.01U.298.670  VIDEOJET multi 4000
VIDEOJET multi 4000 EU    VJM-4016-EU   F.01U.296.122  VIDEOJET multi 4000 EU
VIDEOJET multi 4000 US    VJM-4016-US   F.01U.298.556  VIDEOJET multi 4000 US