Deserialization of Untrusted Data in Bosch BVMS Mobile Video Service
BOSCH-SA-885551-BT
Advisory Information
- Advisory ID: BOSCH-SA-885551-BT
- CVE Numbers and Scores: CVE-2020-6770, Base Score 10.0 (Critical)
- Published: 29 Jan 2020
- Last Updated: 29 Jan 2020
Summary
A recently discovered security vulnerability affects the BVMS Mobile Video Service (BVMS MVS). The vulnerability is exploitable via the network interface. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 10.0 (Critical) and recommends that customers update the vulnerable components to fixed software versions.
The vulnerability was discovered during internal product tests.
Affected Products
- Bosch BVMS Mobile Video Service <= 7.5
- Bosch BVMS Mobile Video Service <= 8.0.0.329 with configuration: ‘patch for security issue 243748 not installed’
- Bosch BVMS Mobile Video Service <= 9.0.0.827 with configuration: ‘patch for security issue 243748 not installed’
- Bosch BVMS Mobile Video Service <= 10.0.0.1225 with configuration: ‘patch for security issue 243748 not installed’
- Bosch DIVAR IP 3000 with configuration: ‘vulnerable BVMS MVS version installed’
- Bosch DIVAR IP 7000 with configuration: ‘vulnerable BVMS MVS version installed’
Solution and Mitigations
Software Updates
The recommended approach is to update the software of affected Bosch products to a fixed version. If an update is not possible in a timely manner, the Firewalling mitigation described below can be applied in the meantime. Additional protective steps such as network isolation by VLAN, the IP filtering features of the devices and other technologies can be used to further decrease the exposure of vulnerable devices. A list of affected and fixed software versions is available in [1].
Firewalling (Network)
It is advised to block inbound connections to TCP ports 5383, 5384 and 5385 from the network. These three TCP ports must remain reachable only via the loopback interface of the server running BVMS MVS.
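The following PowerShell snippet is an added example of how this firewall mitigation can be applied on the Windows server that hosts BVMS MVS; it is not part of the Bosch advisory. It assumes Windows Defender Firewall with the NetSecurity module, an elevated session, and an arbitrarily chosen rule name. It creates the inbound block rule for the three ports and then checks that no remote endpoint is connected to them while a loopback connection still succeeds.

```powershell
# Added example, not from the Bosch advisory. Assumes Windows Defender Firewall
# (NetSecurity module) and an elevated PowerShell session on the BVMS MVS host.
$ports    = 5383, 5384, 5385
$ruleName = 'BOSCH-SA-885551-BT block BVMS MVS inbound'   # assumed rule name

# 1. Create the inbound block rule for TCP 5383-5385 on all profiles (idempotent).
#    Windows Defender Firewall is not expected to filter loopback traffic, so
#    clients on the server itself keep reaching the service; step 3 verifies this.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
}

# 2. Show the ports the rule actually covers and list any connection to those
#    ports whose peer is not a local address (expected: nothing once the rule is active).
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

$localPeers = '127.0.0.1', '::1', '0.0.0.0', '::'
Get-NetTCPConnection -LocalPort $ports -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $localPeers } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, State

# 3. Confirm the service is still reachable over loopback (run on the server).
foreach ($p in $ports) {
    $ok = (Test-NetConnection -ComputerName 127.0.0.1 -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "loopback TCP {0}: {1}" -f $p, $(if ($ok) { 'reachable' } else { 'NOT reachable (service stopped or rule too broad)' })
}
```

Run the same `Test-NetConnection` check from a second host on the network to confirm the ports are now refused from outside; a rule that blocks loopback as well would break local MVS clients, which is why the third step is included.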
Vulnerability Details
CVE-2020-6770
Attacks can be performed over the network; no physical access is required. An attacker can leverage this vulnerability to execute arbitrary code.
The vulnerable component is the BVMS Mobile Video Service. The impacted component is the entire server system on which the BVMS Mobile Video Service is running.
A successful attack can have confidentiality, integrity and availability impacts.
- Problem Type: Deserialization of Untrusted Data
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Base Score: 10.0 (Critical)
Remark
Vulnerability classification has been performed using the CVSS v3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] Appendix: Affected Products - Software, Hardware and Fixed Versions: https://psirt.bosch.com/security-advisories/BOSCH-SA-885551-BT.html#appendix
- [2] Bosch Building Technologies Security Advisory Page: https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html
- [3] BVMS Download Store: https://downloadstore.boschsecurity.com/index.php?type=BVMS
Please contact the Bosch PSIRT at psirt@bosch.com if you have feedback, comments, or additional information about this vulnerability.
Revision History
- 29 Jan 2020: Initial Publication
Affected Hardware
DIVAR IP versions | Affected versions | Name of the patch to fix the vulnerability |
---|---|---|
DIVAR IP 3000 | See BVMS | See BVMS |
DIVAR IP 7000 | See BVMS | See BVMS |
Affected Software
BVMS versions | Affected versions | Name of the patch to fix the vulnerability |
---|---|---|
10.0 | 10.0.0.1225 | BVMS10001225_Patch_SecurityIssue_243748.zip |
9.0 | 9.0.0.827 | BVMS900827_Patch_SecurityIssue_243748.zip |
8.0 | 8.0.0.329 | BVMS800329_Patch_SecurityIssue_243748.zip |
7.5 and older | | Not provided (please upgrade BVMS to the latest version) |
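As an added example (not Bosch's own tooling), the PowerShell function below turns the affected-version ranges from this advisory into a triage check an operator can run against an installed BVMS MVS version string. The function name, its parameters and the idea of passing the patch state as a switch are assumptions; the version thresholds and patch file names are the ones listed in the advisory's tables.

```powershell
# Added example, not from the Bosch advisory. Classifies an installed BVMS MVS
# version against the affected ranges in BOSCH-SA-885551-BT. The function name and
# parameters are assumed; the thresholds and patch names come from the advisory.
function Get-BvmsMvsAdvisoryStatus {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,   # e.g. '9.0.0.512'
        [switch]$Patch243748Installed                      # operator confirms patch state
    )
    $v = [version]$InstalledVersion

    # Branches that received a patch: highest affected build and the patch file name.
    $patched = @{
        '10.0' = @{ Max = [version]'10.0.0.1225'; Patch = 'BVMS10001225_Patch_SecurityIssue_243748.zip' }
        '9.0'  = @{ Max = [version]'9.0.0.827';   Patch = 'BVMS900827_Patch_SecurityIssue_243748.zip' }
        '8.0'  = @{ Max = [version]'8.0.0.329';   Patch = 'BVMS800329_Patch_SecurityIssue_243748.zip' }
    }

    # 7.5 and older: no patch provided, upgrade is the only remedy.
    if ($v.Major -lt 7 -or ($v.Major -eq 7 -and $v.Minor -le 5)) {
        return 'Affected: no patch provided, upgrade BVMS to the latest version'
    }

    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    if ($patched.ContainsKey($branch) -and $v -le $patched[$branch].Max) {
        if ($Patch243748Installed) {
            return "Mitigated: patch for security issue 243748 reported as installed on $branch"
        }
        return "Affected: install $($patched[$branch].Patch) or upgrade"
    }

    return "Not listed as affected in BOSCH-SA-885551-BT (version $InstalledVersion)"
}

# Usage with constructed sample versions:
Get-BvmsMvsAdvisoryStatus -InstalledVersion '7.5.0.100'
Get-BvmsMvsAdvisoryStatus -InstalledVersion '9.0.0.512'
Get-BvmsMvsAdvisoryStatus -InstalledVersion '9.0.0.512' -Patch243748Installed
Get-BvmsMvsAdvisoryStatus -InstalledVersion '10.0.0.1225'
```

The check only reproduces the version logic of the advisory; whether the 243748 patch is actually present has to be confirmed from the installation itself, which is why it is supplied by the operator rather than detected.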