Multiple Vulnerabilities in ProSyst mBS SDK and Bosch IoT Gateway Software

Published

2019-08-19 00:00:00 UTC

Summary

BOSCH-SA-562575: Recently discovered security vulnerabilities affect the ProSyst mBS SDK and Bosch IoT Gateway Software. They potentially allow an attacker to access sensitive information, write and delete data on the host system, and forge HTTP GET requests on behalf of the server via the network interface. Bosch rates these vulnerabilities with CVSSv3 base scores from 9.1 (Critical) to 5.3 (Medium); the actual rating depends on the individual vulnerability, and the final rating depends on the customer’s environment. Customers are advised to upgrade to the fixed versions. As of August 19th, 2019, updated releases are available and offered to all customers via customer support or sales. Depending on the major version in use, a previous update has already fixed some of the vulnerabilities. As of August 19th, 2019, there is no indication that exploitation code is either publicly known or utilized. The vulnerabilities were discovered and disclosed to Bosch in a coordinated manner by the external researcher Philip Kazmeier.