Bosch PSIRT

Deserialization of Untrusted Data in Bosch BVMS Mobile Video Service

BOSCH-SA-885551-BT

Advisory Information

Summary

A recently discovered security vulnerability affects the BVMS Mobile Video Service (BVMS MVS). The vulnerability is exploitable via the network interface. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 10.0 (Critical) and recommends that customers update the vulnerable components to fixed software versions.

The vulnerability was discovered during internal product tests.

Affected Products

  • Bosch BVMS Mobile Video Service <= 7.5
  • Bosch BVMS Mobile Video Service <= 8.0.0.329 with configuration: ‘patch for security issue 243748 not installed’
  • Bosch BVMS Mobile Video Service <= 9.0.0.827 with configuration: ‘patch for security issue 243748 not installed’
  • Bosch BVMS Mobile Video Service <= 10.0.0.1225 with configuration: ‘patch for security issue 243748 not installed’
  • Bosch DIVAR IP 3000 with configuration: ‘vulnerable BVMS MVS version installed’
  • Bosch DIVAR IP 7000 with configuration: ‘vulnerable BVMS MVS version installed’

Solution and Mitigations

Software Updates

The recommended approach is to update the software of affected Bosch products to a fixed version. If an update is not possible in a timely manner, the mitigation approach "Firewalling" described below can be used instead. Additional protective steps such as network isolation by VLAN, the IP filtering features of the devices and other technologies can be used to further decrease the exposure of vulnerable devices. A list of affected and fixed software versions is available in [1].

Firewalling (Network)

It is advised to block the inbound TCP ports 5383, 5384 and 5385 on the host running BVMS MVS. These ports must remain reachable only via the loopback interface; no other host should be able to connect to them until the patch is installed.
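The following script is an added example of how the firewalling mitigation above can be applied and verified on the MVS host; it is not part of the Bosch advisory and not Bosch's own tooling. It assumes the MVS runs on a Windows host protected by Windows Defender Firewall, that the rule name and description are free to choose, and that local BVMS components reaching the MVS over the loopback interface are not filtered by inbound firewall rules (verified in the last step). Run it from an elevated PowerShell session.

```powershell
# Added example, not from the Bosch advisory: block inbound TCP 5383-5385 on the
# BVMS MVS host with Windows Defender Firewall and verify the result.
# Assumptions: Windows host with Windows Defender Firewall; connections from the
# same host over 127.0.0.1 are not subject to inbound rules (checked below).

$Ports    = @(5383, 5384, 5385)
$RuleName = 'BVMS MVS - block inbound 5383-5385 (BOSCH-SA-885551-BT)'   # assumed name

# 1. Record what is currently listening on the MVS ports (baseline for the check later).
Get-NetTCPConnection -State Listen |
    Where-Object { $Ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Create (or refresh) an explicit inbound block rule. In Windows Defender
#    Firewall an explicit Block rule takes precedence over Allow rules, so this
#    also overrides any "allow" rule the MVS installer may have created.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Mitigation for CVE-2020-6770 until the MVS patch is installed' `
    -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -RemoteAddress Any -Action Block -Profile Any -Enabled True

# 3. Verify on the host itself: the ports must still answer on loopback.
foreach ($p in $Ports) {
    $local = Test-NetConnection -ComputerName 127.0.0.1 -Port $p -WarningAction SilentlyContinue
    '{0,5}  reachable via loopback: {1}' -f $p, $local.TcpTestSucceeded
}

# 4. Verify from ANOTHER machine on the LAN (replace MVS-HOST with the server's
#    name or IP); every result must show TcpTestSucceeded : False.
#    5383,5384,5385 | ForEach-Object { Test-NetConnection -ComputerName MVS-HOST -Port $_ }
```

If step 3 shows the loopback connections failing after the rule is in place, the firewall on that build is filtering loopback traffic as well; in that case narrow the rule with `-LocalAddress` to the server's routable IP addresses so that only connections arriving on those addresses are blocked, and repeat both checks. The rule is a stopgap: remove it once the patch listed under "Affected Software" has been installed and the fixed version has been confirmed.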

Vulnerability Details

CVE-2020-6770

Attacks can be performed over the network; no physical access is required. An attacker can leverage this vulnerability to execute arbitrary code.

The vulnerable component is the BVMS Mobile Video Service. The impacted component is the entire server system, where BVMS Mobile Video Service is running.

A successful attack can have confidentiality, integrity and availability impacts.

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 29 Jan 2020: Initial Publication

Affected Hardware

DIVAR IP versions   Affected versions   Name of the patch to fix the vulnerability
DIVAR IP 3000       See BVMS            See BVMS
DIVAR IP 7000       See BVMS            See BVMS

Affected Software

BVMS versions   Affected versions   Name of the patch to fix the vulnerability
10.0            10.0.0.1225         BVMS10001225_Patch_SecurityIssue_243748.zip
9.0             9.0.0.827           BVMS900827_Patch_SecurityIssue_243748.zip
8.0             8.0.0.329           BVMS800329_Patch_SecurityIssue_243748.zip
7.5 and older   all versions        Not provided (please upgrade BVMS to the latest version)