Unauthenticated Certificate Access in Video Recording Manager

Published

2019-05-22 00:00:00 UTC

Summary

BOSCH-SA-804652-BT: A recently discovered security vulnerability affects the Bosch Video Recording Manager (VRM) software. The VRM software is commonly installed as a component in Bosch Video Management Systems (BVMS) and included in DIVAR IP 5000 devices. The vulnerability potentially allows unauthenticated access to a limited subset of certificates. The affected certificates are stored in the operating systems certificate store. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 9.9 (Critical) and recommends customers to update vulnerable components with fixed software versions. As of 2019 May 9th, updated firmware files are published on the Bosch Download Store [2] . As of 2019 May 9th, there is currently no indication that the vulnerability is either publicly known or utilized. If a software update is not possible in a timely manner, a reduction in the systems network exposure is advised. Internet-accessible systems should be firewalled. Additional protective steps like network isolation by VLAN, IP filtering features of the devices and other technologies can be used to further decrease the exposure of vulnerable devices. The vulnerability was discovered during internal product tests.