Path Traversal in Bosch Video Management System NoTouch deployment
BOSCH-SA-815013-BT
Advisory Information
- Advisory ID: BOSCH-SA-815013-BT
- CVE Numbers and Scores: CVE-2020-6768, Base Score 8.6 (High)
- Published: 29 Jan 2020
- Last Updated: 11 Feb 2020
Summary
A path traversal vulnerability exists in the BVMS NoTouch deployment. If this vulnerability is exploited, an unauthenticated attacker without local shell access to a BVMS Central Server system is able to fetch arbitrary data from the file system of the Central Server computer. Under specific circumstances an attack can also be executed from the internet. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 8.6 (High) and strongly recommends that customers update vulnerable components to fixed software versions.
The vulnerability was found during internal security tests.
Affected Products
- Bosch BVMS Viewer <= 7.5
- Bosch BVMS Viewer <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch BVMS Viewer <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch BVMS Viewer <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch Video Management System <= 7.5
- Bosch Video Management System <= 8.0.0.329 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch Video Management System <= 9.0.0.827 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch Video Management System <= 10.0.0.1225 with configuration: ‘patch for security issue 211404, 241463 not installed’
- Bosch DIVAR IP 3000 with configuration: ‘vulnerable BVMS version installed’
- Bosch DIVAR IP 7000 with configuration: ‘vulnerable BVMS version installed’
- Bosch DIVAR IP all-in-one 5000 with configuration: ‘vulnerable BVMS version installed’
Solution and Mitigations
Software Updates
The recommended approach is to update the software of the affected Bosch product to a fixed version (see [1]). If an update is not possible in a timely manner, the temporary workaround below can be used.
Deactivating the Vulnerable Service
The vulnerability can be mitigated by deactivating the BVMS NoTouch deployment service via a Central Server application configuration file. This temporary workaround will also switch off the corresponding functionality completely.
To deactivate the vulnerable service:
- Open the following configuration file:
X:\Program Files\Bosch\AppData\Server\CentralServer\ServerDependenciesInjection.xml
- Find the following line:
<entry key="NoTouchDeploymentService.rem"><ref object="NoTouchDeploymentService" /></entry>
- Comment it out. The modified line should look like the following:
<!-- <entry key="NoTouchDeploymentService.rem"><ref object="NoTouchDeploymentService" /></entry> -->
- Restart the Central Server service so the change takes effect.
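The following script is an added example for auditing and applying the workaround above; it is not Bosch tooling. It reports whether the NoTouchDeploymentService.rem entry is still live (not inside an XML comment) and, if so, wraps exactly that element in a comment as the advisory shows, writing a .bak copy first. Only the entry element and the file path come from the advisory; the SAMPLE_CONFIG fragment and its surrounding elements are constructed for the demo and are not the real file layout. The service restart is not scripted because the advisory does not name the Windows service.

```python
"""Audit / apply the BOSCH-SA-815013-BT workaround: comment out the
NoTouchDeploymentService.rem entry in ServerDependenciesInjection.xml.
Added example, not Bosch tooling. Run with a file path to edit that file
(a .bak copy is written first); run without arguments to demo on the
constructed sample below."""
import re
import shutil
import sys
from typing import List, Tuple

# Path quoted in the advisory (X: is the installation drive).
CONFIG_PATH = r"X:\Program Files\Bosch\AppData\Server\CentralServer\ServerDependenciesInjection.xml"

# Matches exactly the element the advisory tells us to comment out; whitespace
# between tokens is tolerated so a reformatted file is still recognised.
ENTRY_RE = re.compile(
    r'<entry\s+key="NoTouchDeploymentService\.rem"\s*>\s*'
    r'<ref\s+object="NoTouchDeploymentService"\s*/>\s*</entry>'
)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

# Constructed sample: only the NoTouchDeploymentService entry line is taken
# from the advisory; the surrounding elements are assumptions for the demo.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<objects>
  <dictionary>
    <entry key="ConfigurationService.rem"><ref object="ConfigurationService" /></entry>
    <entry key="NoTouchDeploymentService.rem"><ref object="NoTouchDeploymentService" /></entry>
  </dictionary>
</objects>
"""


def _live_entries(text: str) -> List[re.Match]:
    """Entry matches that are not already inside an XML comment."""
    comments = [(m.start(), m.end()) for m in COMMENT_RE.finditer(text)]
    return [
        m for m in ENTRY_RE.finditer(text)
        if not any(s <= m.start() and m.end() <= e for s, e in comments)
    ]


def notouch_active(text: str) -> bool:
    """True if the NoTouch deployment service is still wired up (workaround NOT applied)."""
    return bool(_live_entries(text))


def disable_notouch(text: str) -> Tuple[str, bool]:
    """Return (new_text, changed) with every live entry wrapped in <!-- ... -->.
    Idempotent: an already-commented entry is left alone."""
    out, last, changed = [], 0, False
    for m in _live_entries(text):
        out.append(text[last:m.start()])
        out.append("<!-- " + m.group(0) + " -->")
        last = m.end()
        changed = True
    out.append(text[last:])
    return "".join(out), changed


def apply_to_file(path: str) -> bool:
    """Back up the file to <path>.bak and comment out the entry in place.
    newline="" on both sides keeps the file's original line endings."""
    with open(path, "r", encoding="utf-8", newline="") as fh:
        original = fh.read()
    new_text, changed = disable_notouch(original)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("changed" if apply_to_file(sys.argv[1]) else "already disabled")
    else:
        demo, _ = disable_notouch(SAMPLE_CONFIG)
        print(demo)
```

Run it a second time after the restart to confirm it reports "already disabled"; a fresh BVMS installation or the vendor patch may rewrite this file, so re-check after any upgrade until the fixed version is confirmed.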
Firewalling (Network)
It is advised that the devices are not exposed directly to the internet or other insecure networks.
Vulnerability Details
CVE-2020-6768
Attacks can be performed over the network; no physical access is required. The attack complexity is low: a potential attacker does not need any specific knowledge or any specific controlled conditions within the target environment. Successful attacks can be performed without prior authentication against the target system and without end user interaction.
The vulnerable component is the BVMS Central Server service. The impacted component is the entire file system of the server operating system on which the BVMS server runs, which is why the scope is rated as changed (S:C).
Successful attacks have critical confidentiality impacts; integrity and availability are not affected.
- Problem Type: Path Traversal (CWE-22)
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- Base Score: 8.6 (High)
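CVE-2020-6768 is a path traversal: a file-serving endpoint accepted a client-supplied path without confining it to its intended directory. The function below is an added, generic example of the containment check such a service needs; it is not Bosch's code and says nothing about how the BVMS fix was implemented. The root C:\BVMS\Deploy and the sample requests are hypothetical. ntpath is used explicitly so the Windows path semantics run on any platform; on the real server use os.path.realpath so junctions and symbolic links are resolved before the comparison.

```python
"""Generic path-containment check for a file-serving endpoint (added example,
not Bosch code). Windows path semantics via ntpath so the demo runs anywhere."""
import ntpath
from typing import Optional

# Hypothetical deployment root; the real BVMS directory is not stated in the advisory.
DEPLOY_ROOT = r"C:\BVMS\Deploy"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied relative name to an absolute path inside `root`.

    Returns the normalised path, or None when the request escapes the root
    (drive or rooted paths, `..` segments, prefix look-alikes such as
    `..\\DeployEvil`). A segment-wise comparison via commonpath, not a
    string prefix test, is what makes the prefix look-alike case safe."""
    root_abs = ntpath.normpath(ntpath.abspath(root))
    # Only names relative to the root are acceptable: reject drive letters,
    # UNC prefixes and paths that start with a separator outright.
    if ntpath.splitdrive(requested)[0] or requested[:1] in ("\\", "/"):
        return None
    if "\x00" in requested:
        return None
    # normpath collapses ".." and "." and converts "/" to "\".
    candidate = ntpath.normpath(ntpath.join(root_abs, requested))
    try:
        common = ntpath.commonpath([root_abs, candidate])
    except ValueError:  # different drives or mixed absolute/relative
        return None
    # Windows file names are case-insensitive, so compare case-folded.
    if ntpath.normcase(common) != ntpath.normcase(root_abs):
        return None
    return candidate


# Constructed requests: the first two are benign, the rest are traversal attempts.
SAMPLE_REQUESTS = [
    r"Client\Setup.exe",
    r"Client\..\Client\Setup.exe",
    r"..\..\Windows\win.ini",
    "../../Windows/win.ini",
    r"C:\Windows\win.ini",
    r"\Windows\win.ini",
    r"..\DeployEvil\x.dll",
]


def classify(root: str, requests) -> dict:
    """Return {request: resolved path or None} for a batch of requests."""
    return {r: resolve_under_root(root, r) for r in requests}


if __name__ == "__main__":
    for req, path in classify(DEPLOY_ROOT, SAMPLE_REQUESTS).items():
        print(f"{req!r:35} -> {'REJECT' if path is None else path}")
```

The check is deliberately done on the resolved path rather than by stripping ".." from the input: encoded or mixed-separator variants all normalise to the same candidate, and anything that lands outside the root is rejected regardless of how it was spelled.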
Remark
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] Appendix: Affected Products - Software, Hardware and Fixed Versions: https://psirt.bosch.com/security-advisories/BOSCH-SA-815013-BT.html#appendix
- [2] Bosch Building Technologies Security Advisory Page: https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html
- [3] BVMS Download Store: https://downloadstore.boschsecurity.com/index.php?type=BVMS
- [4] BVMS Viewer Download Store: https://downloadstore.boschsecurity.com/index.php?type=BVMSVWR
Please contact the Bosch PSIRT at psirt@bosch.com if you have feedback, comments, or additional information about this vulnerability.
Revision History
- 11 Feb 2020: Correct first listing of affected products after summary. DIVAR IP 3000 was missing.
- 29 Jan 2020: Initial Publication
Affected Hardware
DIVAR IP versions | Affected versions | Name of the patch to fix the vulnerability |
---|---|---|
DIVAR IP 3000 | See BVMS | See BVMS |
DIVAR IP 7000 | See BVMS | See BVMS |
DIVAR IP all-in-one 5000 | See BVMS | See BVMS |
Affected Software
BVMS versions | Affected versions | Name of the patch to fix the vulnerability |
---|---|---|
10.0 | 10.0.0.1225 | BVMS10001225_Patch_SecurityIssue_211404_241463.zip |
9.0 | 9.0.0.827 | BVMS900827_Patch_SecurityIssue_211404_241463.zip |
8.0 | 8.0.0.329 | BVMS800329_Patch_SecurityIssue_211404_241463.zip |
7.5 and older | all releases (<= 7.5) | Not provided (please upgrade BVMS to the latest version) |

BVMS Viewer versions | Affected versions | Name of the patch to fix the vulnerability |
---|---|---|
10.0 | 10.0.0.1225 | BVMS10001225_VWR_Patch_SecurityIssue_211404_241463.zip |
9.0 | 9.0.0.827 | BVMS900827_VWR_Patch_SecurityIssue_211404_241463.zip |
8.0 | 8.0.0.329 | BVMS800329_VWR_Patch_SecurityIssue_211404_241463.zip |
7.5 and older | all releases (<= 7.5) | Not provided (please upgrade BVMS Viewer to the latest version) |