Bosch PSIRT

Path Traversal in Bosch Video Management System NoTouch deployment

BOSCH-SA-815013-BT

Advisory Information

  • Advisory ID: BOSCH-SA-815013-BT
  • CVE Numbers and Scores: CVE-2020-6768, CVSS v3.1 Base Score 8.6 (High)
  • Published: 29 Jan 2020
  • Last Updated: 11 Feb 2020

Summary

A path traversal vulnerability exists in the BVMS NoTouch deployment. If this vulnerability is exploited, an unauthenticated attacker without local shell access to a BVMS Central Server system is able to fetch arbitrary data from the file system of the Central Server computer. Under specific circumstances an attack can also be executed from the internet. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 8.6 (High) and strongly recommends that customers update vulnerable components to the fixed software versions.

The vulnerability was found during internal security tests.

Affected Products

  • Bosch BVMS Viewer <= 7.5
  • Bosch BVMS Viewer <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch BVMS Viewer <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch BVMS Viewer <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch Video Management System <= 7.5
  • Bosch Video Management System <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch Video Management System <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch Video Management System <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
  • Bosch DIVAR IP 3000 with configuration: ‘vulnerable BVMS version installed’
  • Bosch DIVAR IP 7000 with configuration: ‘vulnerable BVMS version installed’
  • Bosch DIVAR IP all-in-one 5000 with configuration: ‘vulnerable BVMS version installed’

Solution and Mitigations

Software Updates

The recommended approach is to update the software of the affected Bosch product to a fixed version (see [1]). If an update is not possible in a timely manner, the temporary workaround below can be used.

Deactivating the Vulnerable Service

The vulnerability can be mitigated by deactivating the BVMS NoTouch deployment service via a Central Server application configuration file. This temporary workaround will also switch off the corresponding functionality completely.

To deactivate the vulnerable service:

  • Open the following configuration file:
    X:\Program Files\Bosch\AppData\Server\CentralServer\ServerDependenciesInjection.xml
  • Find the following lines:
    <entry key="NoTouchDeploymentService.rem"><ref object="NoTouchDeploymentService" /></entry>
  • Comment them out. The modified lines should look like the following:
    <!-- <entry key="NoTouchDeploymentService.rem"><ref object="NoTouchDeploymentService" /></entry> -->
  • Restart the Central Service
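After editing the file, it is worth verifying that the entry is really gone from the live configuration rather than, for example, still present in a second uncommented copy. The following script is an added example and is not part of the advisory or of Bosch's software: it parses a ServerDependenciesInjection.xml file and reports whether the NoTouch deployment service entry is still active, only present inside an XML comment, or absent. It assumes the file is well-formed XML with the service registered as an `<entry key="NoTouchDeploymentService.rem">` element, exactly as in the lines quoted above; the `<objects>` root element in the constructed sample and the `C:` installation drive in the default path are assumptions.

```python
"""Check whether the NoTouch deployment workaround from this advisory has been
applied to a ServerDependenciesInjection.xml file.

Added example, not Bosch code. Assumptions: the file is well-formed XML and the
service registration is an <entry> element whose "key" attribute is
"NoTouchDeploymentService.rem", as in the lines quoted in the advisory.
ElementTree discards comments, so every <entry> it returns is live
configuration; commented-out copies are searched separately with a regex.
"""
import re
import sys
import xml.etree.ElementTree as ET

SERVICE_KEY = "NoTouchDeploymentService.rem"
# Path from the advisory with an assumed installation drive of C:.
DEFAULT_PATH = (r"C:\Program Files\Bosch\AppData\Server\CentralServer"
                r"\ServerDependenciesInjection.xml")


def _local_name(tag: str) -> str:
    """Strip a namespace prefix such as '{urn:x}entry' down to 'entry'."""
    return tag.rsplit("}", 1)[-1]


def notouch_status(xml_text: str) -> str:
    """Classify the NoTouch service registration in the given XML text.

    Returns 'active' if a live <entry key="NoTouchDeploymentService.rem">
    exists (workaround NOT applied), 'commented' if the entry only appears
    inside an XML comment (workaround applied), or 'absent' if it does not
    appear at all.
    """
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) == "entry" and elem.get("key") == SERVICE_KEY:
            return "active"
    comments = re.findall(r"<!--.*?-->", xml_text, flags=re.DOTALL)
    if any(SERVICE_KEY in c for c in comments):
        return "commented"
    return "absent"


# Constructed sample fragments; the <objects> root element is an assumption.
SAMPLE_BEFORE = """<objects>
  <entry key="OtherService.rem"><ref object="OtherService" /></entry>
  <entry key="NoTouchDeploymentService.rem"><ref object="NoTouchDeploymentService" /></entry>
</objects>"""

SAMPLE_AFTER = """<objects>
  <entry key="OtherService.rem"><ref object="OtherService" /></entry>
  <!-- <entry key="NoTouchDeploymentService.rem"><ref object="NoTouchDeploymentService" /></entry> -->
</objects>"""


def main(argv: list) -> int:
    """Report the status of a real file (path as first argument, default path
    otherwise) or of the constructed samples when run with '--demo'.
    Exit code 1 means the service entry is still active."""
    if len(argv) > 1 and argv[1] == "--demo":
        for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print(f"sample {label}: {notouch_status(text)}")
        return 0
    path = argv[1] if len(argv) > 1 else DEFAULT_PATH
    with open(path, "rb") as fh:
        # utf-8-sig also strips a byte-order mark if the editor added one.
        status = notouch_status(fh.read().decode("utf-8-sig"))
    print(f"{path}: NoTouch deployment service entry is {status}")
    return 1 if status == "active" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with `--demo` to see the two constructed fragments classified, or with the real file path on a Central Server; the non-zero exit code for an active entry lets the check be scheduled and alerted on until the fixed version is installed.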

Firewalling (Network)

It is advised that the devices not be exposed directly to the internet or other insecure networks.

Vulnerability Details

CVE-2020-6768

Attacks can be performed over the network; no physical access is required. The attack complexity is low: a potential attacker does not need any specific knowledge or any specifically controlled conditions within the target environment. Successful attacks can be performed without prior authentication against the target system and without end-user interaction.

The vulnerable component is the BVMS service. The impacted component is the entire file system of the server operating system on which the BVMS server is running.

Successful attacks have a critical confidentiality impact.

Remark

Vulnerability classification has been performed using the CVSS v3 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT at psirt@bosch.com if you have feedback, comments, or additional information about this vulnerability.

Revision History

  • 11 Feb 2020: Correct first listing of affected products after summary. DIVAR IP 3000 was missing.
  • 29 Jan 2020: Initial Publication

Affected Hardware

DIVAR IP versions          Affected versions   Name of the patch to fix the vulnerability
DIVAR IP 3000              See BVMS            See BVMS
DIVAR IP 7000              See BVMS            See BVMS
DIVAR IP all-in-one 5000   See BVMS            See BVMS

Affected Software

BVMS

BVMS versions    Affected versions   Name of the patch to fix the vulnerability
10.0             10.0.0.1225         BVMS10001225_Patch_SecurityIssue_211404_241463.zip
9.0              9.0.0.827           BVMS900827_Patch_SecurityIssue_211404_241463.zip
8.0              8.0.0.329           BVMS800329_Patch_SecurityIssue_211404_241463.zip
7.5 and older                        Not provided (please upgrade BVMS to the latest version)

BVMS Viewer

BVMS Viewer versions   Affected versions   Name of the patch to fix the vulnerability
10.0                   10.0.0.1225         BVMS10001225_VWR_Patch_SecurityIssue_211404_241463.zip
9.0                    9.0.0.827           BVMS900827_VWR_Patch_SecurityIssue_211404_241463.zip
8.0                    8.0.0.329           BVMS800329_VWR_Patch_SecurityIssue_211404_241463.zip
7.5 and older                              Not provided (please upgrade BVMS to the latest version)