Multiple Curl vulnerabilities in the Git for Windows component of Bosch DIVAR IP all-in-one Devices

Advisory Information

• Advisory ID: BOSCH-SA-587194-BT
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2023-46218
    • Base Score: 6.5 (Medium)
  • CVE-2023-46219
    • Base Score: 5.3 (Medium)
  • CVE-2024-2004
    • Base Score: 3.5 (Low)
  • CVE-2024-2398
    • Base Score: 8.6 (High)
• Published: 7 Aug 2024
• Last Updated: 7 Aug 2024

Summary

DIVAR IP System Manager is a central user interface that provides an easy system setup, configuration and application software upgrades through an easily accessible web-based application.

Multiple Curl vulnerabilities in the Git for Windows component have been discovered in DIVAR IP System Manager versions prior to 2.3.2, affecting several Bosch DIVAR IP all-in-one models.

Affected Products

• Bosch DIVAR IP all-in-one 4000 (DIP-44xx)
  • CVE-2023-46218, CVE-2023-46219, CVE-2024-2004, CVE-2024-2398
    • Version(s): < DIVAR IP System Manager 2.3.2
• Bosch DIVAR IP all-in-one 6000 (DIP-64xx)
  • CVE-2023-46218, CVE-2023-46219, CVE-2024-2004, CVE-2024-2398
    • Version(s): < DIVAR IP System Manager 2.3.2
• Bosch DIVAR IP all-in-one 7000 (DIP-74xx)
  • CVE-2023-46218, CVE-2023-46219, CVE-2024-2004, CVE-2024-2398
    • Version(s): < DIVAR IP System Manager 2.3.2
• Bosch DIVAR IP all-in-one 7000 R3 (DIP-73xx)
  • CVE-2023-46218, CVE-2023-46219, CVE-2024-2004, CVE-2024-2398
    • Version(s): < DIVAR IP System Manager 2.3.2
• Bosch DIVAR IP all-in-one 7000 (DIP-72xx)
  • CVE-2023-46218, CVE-2023-46219, CVE-2024-2004, CVE-2024-2398
    • Version(s): < DIVAR IP System Manager 2.3.2
• Bosch DIVAR IP all-in-one 5000 (DIP-52xx)
  • CVE-2023-46218, CVE-2023-46219, CVE-2024-2004, CVE-2024-2398
    • Version(s): < DIVAR IP System Manager 2.3.2

Solution and Mitigations

Solution: Software Update

Customers are advised to upgrade the DIVAR IP System Manager to 2.3.2 version or later to fix all vulnerabilities listed in this advisory. Refer to the DIVAR IP System Manager Release Notes for the most appropriate upgrade process for your devices.

Vulnerability Details

CVE-2023-46218

CVE description: This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

• CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Base Score: 6.5 (Medium)

CVE-2023-46219

When saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.

• CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Base Score: 5.3 (Medium)

CVE-2024-2004

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

• Problem Type:
  • CWE-115 Misinterpretation of Input
• CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
  • Base Score: 3.5 (Low)

CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

• Problem Type:
  • CWE-772 Missing Release of Resource after Effective Lifetime
• CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
  • Base Score: 8.6 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] Bosch Download Area https://downloadstore.boschsecurity.com/?type=DIPBVMS

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 7 Aug 2024: Initial Publication

Appendix

Material Lists

Bosch DIVAR IP all-in-one 4000 (DIP-44xx)

Bosch DIVAR IP all-in-one 6000 (DIP-64xx)

Bosch DIVAR IP all-in-one 7000 (DIP-74xx)

Bosch DIVAR IP all-in-one 7000 R3 (DIP-73xx)

Bosch DIVAR IP all-in-one 7000 (DIP-72xx)

Bosch DIVAR IP all-in-one 5000 (DIP-52xx)