Uncontrolled Search Path Element in Multiple Bosch Products

BOSCH-SA-835563-BT

Advisory Information

Summary

Multiple Bosch software applications are affected by a security vulnerability, which potentially allows an attacker to load additional code in the form of DLLs (commonly known as “DLL Hijacking” or “DLL Preloading”). This code is executed during the start of the vulnerable application and in the context of the user.

Bosch rates these vulnerabilities with a CVSS v3.1 Base Score of 7.8 (High) and recommends that customers use updated installers for (re)installations and updated versions of portable applications.

For BVMS and BVMS Viewer, customers should update the installed product completely to the latest version, because not only the installer but also parts of the products themselves are affected by the vulnerability.

If a software update is not provided, customers are recommended to follow the mitigations and workarounds described in this advisory.

The Bosch IP Helper vulnerability was discovered and disclosed to Bosch by the external researcher Nir Yehoshua.

The vulnerability in the Bosch Video Client Installer was discovered and disclosed to Bosch by the external researcher Eli Paz of CyberArk.

The vulnerability in the Bosch Monitor Wall Installer and Bosch Video Streaming Gateway Installer was discovered and disclosed to Bosch by the external researcher Dhiraj Mishra.

Affected Products

  • Bosch BVMS < 9.0.0
    • CVE-2020-6785
  • Bosch BVMS 10.0 < 10.0.2
    • CVE-2020-6785
  • Bosch BVMS 10.1 < 10.1.1
    • CVE-2020-6785
  • Bosch BVMS Viewer < 9.0.0
    • CVE-2020-6785
  • Bosch BVMS Viewer 10.0 < 10.0.2
    • CVE-2020-6785
  • Bosch BVMS Viewer 10.1 < 10.1.1
    • CVE-2020-6785
  • Bosch Configuration Manager <= 7.21.0078
    • CVE-2020-6788
  • Bosch DIVAR IP 7000 R2 with configuration: ‘using vulnerable BVMS version’
    • CVE-2020-6785
  • Bosch DIVAR IP all-in-one 5000 with configuration: ‘using vulnerable BVMS version’
    • CVE-2020-6785
  • Bosch DIVAR IP all-in-one 7000 with configuration: ‘using vulnerable BVMS version’
    • CVE-2020-6785
  • Bosch IP Helper <= 1.00.0008
    • CVE-2020-6771
  • Bosch Monitor Wall <= 10.00.0164
    • CVE-2020-6789
  • Bosch Video Client <= 1.7.6.079
    • CVE-2020-6787
  • Bosch Video Recording Manager 3.71 and older
    • CVE-2020-6786
  • Bosch Video Recording Manager 3.81 <= 3.81.0064
    • CVE-2020-6786
  • Bosch Video Recording Manager 3.82 <= 3.82.0055
    • CVE-2020-6786
  • Bosch Video Streaming Gateway <= 6.45.10
    • CVE-2020-6790

Solution and Mitigations

Software Updates

The recommended approach is to update the affected Bosch software applications to a fixed version. If an update is not available, users should follow the mitigations and workarounds described in the following section.

Please note that for affected installers, potential exploitation is limited to the time of installation. For future (re)installations, using an updated installer or applying the workarounds outlined in this advisory is recommended.

General system configuration

Non-installed software (e.g. installers themselves and portable applications) should not be executed from directories that are accessible by other users, or from directories where potentially malicious DLLs could be located (e.g. the default “Downloads” directory).
</gml_replace>
<gr_replace lines="74" cat="clarify" orig="Installers and portable">
Installers and portable applications have no reference point for a known-good directory or set of binaries. The potential impact for these kinds of software therefore depends on the directory from which the installer or portable application is loaded (“AppDir”):

Installers and portable applications have no point of reference for a “known good directory/binaries”. The potential impact for these kinds of software depends on the directory from which an installer or portable application is loaded (“AppDir”):

  • Default “Downloads” directory: Malicious binaries may reside in a user’s default Downloads folder as a result of prior user interaction (e.g. clicking on a malicious download link, or visiting a site that manages to execute a drive-by download) and could be loaded by an executable started from there. As a mitigation, users should move executables from the Downloads directory into new, separate directories that are not accessible by other users and start the executables only from there.
    In general, we recommend not executing installers or other applications directly from the default Downloads directory and not accepting unsolicited download prompts in a browser.

  • Directories to which multiple low-privileged users have access: If such a directory was not created by the software itself (e.g. a temporary directory created during installation), it is essentially an unprotected installation directory and therefore a vulnerable system configuration. We strongly recommend not placing executables into a directory where other low-privileged users have write permissions.
    Please note that user-created directories directly under C: (e.g. C:\MyNewFolder) inherit write permissions for all users and are therefore strongly discouraged.
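As an added example that is not part of the Bosch advisory: a PowerShell check for the two conditions described above, intended to be run before an installer or portable application is started from a given directory. The directory path, the list of broad principals and the assumption that the Downloads folder sits under %USERPROFILE% are illustrative choices, not something the advisory specifies.

```powershell
# Added example (not Bosch code): report whether AppDir is the default Downloads
# folder or grants write access to principals that cover every local user.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppDir          # e.g. C:\MyNewFolder (hypothetical value)
)
# Principals that typically include every local user. Write access for any of
# them means another user of the machine could place a DLL next to the executable.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that allow creating or replacing files, plus the generic-rights bits
# (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) that inherited ACEs may carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             0x40000000 -bor 0x10000000

function Get-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (($BroadPrincipals -contains $who) -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{ Principal = $who
                               Rights    = $ace.FileSystemRights
                               Inherited = $ace.IsInherited }
        }
    }
}

if (-not (Test-Path -LiteralPath $AppDir -PathType Container)) {
    throw "AppDir '$AppDir' does not exist or is not a directory."
}
$resolved = (Resolve-Path -LiteralPath $AppDir).ProviderPath.TrimEnd('\')

# Assumption: the Downloads folder has not been redirected away from %USERPROFILE%.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
if ($resolved -eq $downloads) {
    Write-Warning "AppDir is the default Downloads directory; move the executable to a separate directory first."
}

$findings = @(Get-BroadWriteAccess -Path $resolved)
if ($findings.Count -gt 0) {
    Write-Warning "Other users can write to '$resolved':"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No broad write permissions found on '$resolved'."
}
```

A directory that triggers neither warning still only satisfies the two conditions named in this advisory; it does not make an installer with an uncontrolled search path safe in other respects, so updating remains the primary fix.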

Vulnerability Details

CVE-2020-6771

CVE description: Loading a DLL through an Uncontrolled Search Path Element in Bosch IP Helper up to and including version 1.00.0008 potentially allows an attacker to execute arbitrary code on a victim’s system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same application directory as the portable IP Helper application.

CVE-2020-6785

CVE description: Loading a DLL through an Uncontrolled Search Path Element in Bosch BVMS and BVMS Viewer in versions 10.1.0, 10.0.1, 10.0.0 and 9.0.0 and older potentially allows an attacker to execute arbitrary code on a victim’s system. This affects both the installer as well as the installed application. This also affects Bosch DIVAR IP 7000 R2, Bosch DIVAR IP all-in-one 5000 and Bosch DIVAR IP all-in-one 7000 with installers and installed BVMS versions prior to BVMS 10.1.1.

CVE-2020-6786

CVE description: Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Recording Manager installer up to and including version 3.82.0055 for 3.82, up to and including version 3.81.0064 for 3.81 and 3.71 and older potentially allows an attacker to execute arbitrary code on a victim’s system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2020-6787

CVE description: Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Client installer up to and including version 1.7.6.079 potentially allows an attacker to execute arbitrary code on a victim’s system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2020-6788

CVE description: Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration Manager installer up to and including version 7.21.0078 potentially allows an attacker to execute arbitrary code on a victim’s system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2020-6789

CVE description: Loading a DLL through an Uncontrolled Search Path Element in the Bosch Monitor Wall installer up to and including version 10.00.0164 potentially allows an attacker to execute arbitrary code on a victim’s system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2020-6790

CVE description: Calling an executable through an Uncontrolled Search Path Element in the Bosch Video Streaming Gateway installer up to and including version 6.45.10 potentially allows an attacker to execute arbitrary code on a victim’s system. A prerequisite is that the victim is tricked into placing a malicious exe in the same directory where the installer is started from.

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final score.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 30 Mar 2021: Version of DIP-72 Patch Installer changed from 1.0.1 to 1.0.2
  • 24 Mar 2021: Initial Publication

Appendix

Affected Software

BVMS (CVE-2020-6785)

Affected versions and the name of the version that fixes the vulnerability:
  • 10.1.0: BVMS 10.1.1 Technical Update
  • 10.0.1: BVMS 10.0.2 Technical Update
  • 10.0.0: BVMS 10.0.2 Technical Update
  • 9.0.0 and older: Deprecated (please upgrade BVMS to the latest version)

BVMS Download Area

BVMS Viewer (CVE-2020-6785)

Affected versions and the name of the version that fixes the vulnerability:
  • 10.1.0: BVMS 10.1.1 Technical Update
  • 10.0.1: BVMS 10.0.2 Technical Update
  • 10.0.0: BVMS 10.0.2 Technical Update
  • 9.0.0 and older: Deprecated (please upgrade BVMS to the latest version)

BVMS Viewer Download Area

VRM Installer (CVE-2020-6786)

Affected versions and the name of the version that fixes the vulnerability:
  • 03.82.0055 - 64 bit: MasterInstaller_VRM_03.82.0057_64-Bit.exe
  • 03.81.0064 - 64 bit: MasterInstaller_VRM_03.81.0067_64-Bit.exe
  • 03.81.0064 - 32 bit: MasterInstaller_VRM_03.81.0067_32-Bit.exe
  • 03.71 and older: Deprecated. For new installations or modifications of an existing installation please use the latest version.

VRM Installer Download Area

IP Helper (CVE-2020-6771)

Affected versions and the name of the version that fixes the vulnerability:
  • 1.00.0008 and older: Deprecated. Please use Project Assistant instead.

Bosch Video Client Installer (CVE-2020-6787)

Affected versions and the name of the version that fixes the vulnerability:
  • 1.7.6.079 and older: Deprecated. Please use BVMS Viewer instead.

BVMS Viewer Download Area

Bosch Configuration Manager Installer (CVE-2020-6788)

Affected versions and the name of the version that fixes the vulnerability:
  • 7.21.0078 and older: Setup_ConfigManager_07.30.0064.exe

Configuration Manager Download Area

Bosch Monitor Wall Installer (CVE-2020-6789)

Affected versions and mitigations:
  • 10.00.0164 and older: Please refer to the mitigations described in this advisory.

Monitor Wall Download Area

Bosch Video Streaming Gateway Installer (CVE-2020-6790)

Affected versions and the name of the version that fixes the vulnerability:
  • 6.45.10 and older: Deprecated. For new installations or modifications of an existing installation please use the latest version included in BVMS.

BVMS Download Area

Bosch DIVAR IP 7000 R2 (CVE-2020-6785)

Affected BVMS versions and the name of the version that fixes the vulnerability:
  • 10.1.0: BVMS 10.1.1 Technical Update plus DIP-71_Patch_Installer_1.0_for_BVMS10.1.1
  • 10.0.1: BVMS 10.1.1 Technical Update plus DIP-71_Patch_Installer_1.0_for_BVMS10.1.1
  • 10.0.0: BVMS 10.1.1 Technical Update plus DIP-71_Patch_Installer_1.0_for_BVMS10.1.1
  • 9.0.0 and older: BVMS 10.1.1 Technical Update plus DIP-71_Patch_Installer_1.0_for_BVMS10.1.1

BVMS Download Area

BVMS Appliances Download Area

Bosch DIVAR IP all-in-one 5000 (CVE-2020-6785)

Affected BVMS versions and the name of the version that fixes the vulnerability:
  • 10.1.0: BVMS 10.1.1 Technical Update plus DIP-52_Patch_Installer_1.0.2_for_BVMS10.1.1
  • 10.0.1: BVMS 10.1.1 Technical Update plus DIP-52_Patch_Installer_1.0.2_for_BVMS10.1.1
  • 10.0.0: BVMS 10.1.1 Technical Update plus DIP-52_Patch_Installer_1.0.2_for_BVMS10.1.1
  • 9.0.0: BVMS 10.1.1 Technical Update plus DIP-52_Patch_Installer_1.0.2_for_BVMS10.1.1

BVMS Download Area

BVMS Appliances Download Area

Bosch DIVAR IP all-in-one 7000 (CVE-2020-6785)

Affected BVMS versions and the name of the version that fixes the vulnerability:
  • 10.1.0: BVMS 10.1.1 Technical Update plus DIP-72_Patch_Installer_1.0.2_for_BVMS10.1.1
  • 10.0.1: BVMS 10.1.1 Technical Update plus DIP-72_Patch_Installer_1.0.2_for_BVMS10.1.1
  • 10.0.0: BVMS 10.1.1 Technical Update plus DIP-72_Patch_Installer_1.0.2_for_BVMS10.1.1
  • 9.0.0: BVMS 10.1.1 Technical Update plus DIP-72_Patch_Installer_1.0.2_for_BVMS10.1.1

BVMS Download Area

BVMS Appliances Download Area

Material Lists

BVMS

Family name, CTN, SAP# and material description:
  • BVMS Professional 10.1, CTN MBV-BPRO-101, SAP# F.01U.389.492: License Professional base
  • BVMS Enterprise 10.1, CTN MBV-BENT-101, SAP# F.01U.389.506: License Enterprise base
  • BVMS Plus 10.1, CTN MBV-BPLU-101, SAP# F.01U.389.477: License Plus base
  • BVMS Viewer 10.1, CTN MBV-BVWR-101, SAP# F.01U.389.508: License Viewer base
  • BVMS Lite16 10.1, CTN MBV-BLIT-101, SAP# F.01U.389.465: License Lite base
  • BVMS Professional 10.0, CTN MBV-BPRO-100, SAP# F.01U.362431: License Professional base
  • BVMS Enterprise 10.0, CTN MBV-BENT-100, SAP# F.01U.362432: License Enterprise base
  • BVMS Plus 10.0, CTN MBV-BPLU-100, SAP# F.01U.362445: License Plus base
  • BVMS Viewer 10.0, CTN MBV-BVWR-100, SAP# F.01U.362471: License Viewer base
  • BVMS Lite 10.0, CTN MBV-BLIT-100, SAP# F.01U.362455: License Lite base

VRM Installer

Family name, CTN, SAP# and material description:
  • VRM Installer, CTN MVM-BVRM-016, SAP# F.01U.166.502: Base Package incl. 16 cameras single-pac

Configuration Manager Installer

Family name, CTN, SAP# and material description:
  • Configuration Manager, CTN MFT-CM, SAP# F.01U.360.102

Monitor Wall Installer

Family name, CTN, SAP# and material description:
  • Monitor Wall, CTN MVS-MW-2D, SAP# F.01U.382.735: Monitor Wall license for two displays
  • Monitor Wall, CTN MVS-MW-4D, SAP# F.01U.382.736: Monitor Wall license for four displays

Bosch DIVAR IP 7000 R2

Family name: DIVAR IP 7000 R2 for all entries. CTN, SAP# and material description:
  • CTN DIP-7180-00N, SAP# F.01U.314.520: DIVAR IP 7000 2U w/o HDD
  • CTN DIP-7183-4HD, SAP# F.01U.314.521: DIVAR IP 7000 2U 4x3TB
  • CTN DIP-7183-8HD, SAP# F.01U.314.522: DIVAR IP 7000 2U 8x3TB
  • CTN DIP-7184-4HD, SAP# F.01U.314.523: DIVAR IP 7000 2U 4x4TB
  • CTN DIP-7184-8HD, SAP# F.01U.314.524: DIVAR IP 7000 2U 8x4TB
  • CTN DIP-71F0-00N, SAP# F.01U.314.525: DIVAR IP 7000 3U w/o HDD
  • CTN DIP-71F3-16HD, SAP# F.01U.314.526: DIVAR IP 7000 3U 16x3TB
  • CTN DIP-71F4-16HD, SAP# F.01U.314.527: DIVAR IP 7000 3U 16x4TB
  • CTN DIP-7186-8HD, SAP# F.01U.329.143: DIVAR IP 7000 2U 8x6TB
  • CTN DIP-7188-8HD, SAP# F.01U.329.144: DIVAR IP 7000 2U 8x8TB
  • CTN DIP-71F6-16HD, SAP# F.01U.329.145: DIVAR IP 7000 3U 16x6TB
  • CTN DIP-71F8-16HD, SAP# F.01U.329.146: DIVAR IP 7000 3U 16x8TB
  • CTN DIP-7184-8HD-WAG, SAP# F.01U.343.277: DIVAR IP 7000 2U 8x4TB, WAG Kit

Bosch DIVAR IP all-in-one 5000

Family name: DIVAR IP all-in-one 5000 for all entries. CTN, SAP# and material description:
  • CTN DIP-5240IG-00N, SAP# F.01U.361.821: Management Appliance w/o HDD
  • CTN DIP-5244IG-4HD, SAP# F.01U.362.424: Management Appliance 4x4TB
  • CTN DIP-5248IG-4HD, SAP# F.01U.362.423: Management Appliance 4x8TB
  • CTN DIP-524CIG-4HD, SAP# F.01U.362.422: Management Appliance 4x12TB
  • CTN DIP-5240GP-00N, SAP# F.01U.359.551: Management Appliance GPU wo HD
  • CTN DIP-5244GP-4HD, SAP# F.01U.359.552: Management Appliance GPU 4x4TB
  • CTN DIP-5248GP-4HD, SAP# F.01U.359.553: Management Appliance GPU 4x8TB
  • CTN DIP-524CGP-4HD, SAP# F.01U.359.554: Management Appliance GPU 4x12TB

Bosch DIVAR IP all-in-one 7000

Family name: DIVAR IP all-in-one 7000 for all entries. CTN, SAP# and material description:
  • CTN DIP-7280-00N, SAP# F.01U.362.591: 2U Management Appliance w/o HD
  • CTN DIP-7284-8HD, SAP# F.01U.362.592: 2U Management Appliance 8x4TB
  • CTN DIP-7288-8HD, SAP# F.01U.362.593: 2U Management Appliance 8x8TB
  • CTN DIP-728C-8HD, SAP# F.01U.362.594: 2U Management Appliance 8x12TB
  • CTN DIP-72G0-00N, SAP# F.01U.362.595: 3U Management Appliance wo HDD
  • CTN DIP-72G8-16HD, SAP# F.01U.362.596: 3U Management Appliance 16x8TB
  • CTN DIP-72GC-16HD, SAP# F.01U.362.597: 3U Management Appliance 16x12T