Multiple Vulnerabilities in Bosch Smart Home Controller

Published

2019-05-29 00:00:00 UTC

Summary

BOSCH-SA-662084: Recently discovered security vulnerabilities affect the Bosch Smart Home Controller (SHC, “the device”). They potentially allow an attacker to obtain elevated privileges, read and write data, and perform a denial of service on the device via the network interface. Bosch Smart Home rates these vulnerabilities with CVSSv3 environmental scores from 3.0 (Low) to 7.6 (High), with the actual rating depending on the individual vulnerability, and recommends that customers install updated firmware versions on all devices. As of May 22nd, 2019, an updated firmware file is available and offered to all customers via the existing update mechanism. A previously available update already covered all vulnerabilities in this advisory except CVE-2019-11896. As of May 29th, 2019, there is no indication that exploitation code is either publicly known or utilized. The vulnerabilities were discovered and disclosed to Bosch in a coordinated manner by the external researcher Philip Kazmeier.