Remote Code Execution in RTS VLink Virtual Matrix

Advisory Information

• Advisory ID: BOSCH-SA-893251-BT
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2023-34999
    • Base Score: 8.4 (High)
• Published: 30 Aug 2023
• Last Updated: 30 Aug 2023

Summary

A security vulnerability has been uncovered in the admin interface of the RTS VLink Virtual Matrix Software. The vulnerability will allow a Remote Code Execution (RCE) attack.

Versions v5 (< 5.7.6) and v6 (< 6.5.0) of the RTS VLink Virtual Matrix Software are affected by this vulnerability. Older versions are not affected.

The vulnerability has been uncovered and disclosed responsibly by an external team of researchers.

Affected Products

• RTS VLink Virtual Matrix Software on: Windows
  • CVE-2023-34999
    • Version(s): 5.0.0 - 5.7.6 (excluding)
    • Version(s): 6.0.0 - 6.5.0 (excluding)

Solution and Mitigations

Solution

Update the VLink Virtual Matrix Software to version 5.7.6 if you are currently using a v5 version.

Update the VLink Virtual Matrix Software to version 6.5.0 if you are currently using a v6 version.

To ensure the security of your system, we strongly recommend that you update your software to the latest version. Instructions for downloading and updating your system may be found at https://products.rtsintercoms.com/binary/VLink_Upgrade_Instructions.pdf

Mitigations

If updating is not possible it is strongly advised to change the admin password of the RTS VLink Virtual Matrix Software if it is still set to the default password.

Blocking the web interface ports (80 and 443) of the RTS VLink Virtual Matrix Software in a firewall will prevent the vulnerability from being misused from a remote location.

In all cases it is still strongly advised to perform the update as soon as possible since that will remove the vulnerability.

Vulnerability Details

CVE-2023-34999

CVE description: A command injection vulnerability exists in RTS VLink Virtual Matrix Software Versions v5 (< 5.7.6) and v6 (< 6.5.0) that allows an attacker to perform arbitrary code execution via the admin web interface.

• Problem Type:
  • CWE-94 Improper Control of Generation of Code (‘Code Injection’)
• CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
  • Base Score: 8.4 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] VLink Upgrade Instructions: https://products.rtsintercoms.com/binary/VLink_Upgrade_Instructions.pdf
• [2] VLink Software version 5.7.6: https://products.rtsintercoms.com/binary/VLink_Virtual_Matrix_v576_230729.zip
• [3] VLink Software version 6.5.0: https://products.rtsintercoms.com/binary/VLink_Virtual_Matrix_v650_230811.zip

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 30 Aug 2023: Initial Publication

Appendix

Material List

Please find the SAP Number and CTN of the affected products below.