Unauthenticated Certificate Access in Video Recording Manager (CVE-2019-11684)

Published

2019-05-08 22:00:00 UTC

Summary

A recently discovered security vulnerability affects the Bosch Video Recording Manager (VRM) software. The VRM software is commonly installed as a component of Bosch Video Management Systems (BVMS) and is included in DIVAR IP 5000 devices. The vulnerability potentially allows unauthenticated access to a limited subset of certificates. The affected certificates are stored in the operating system's certificate store. The vulnerability is exploitable via the network interface. Bosch rates this vulnerability at 9.9 (Critical) and recommends that customers update vulnerable components to fixed software versions.

As of 2019 May 9th, updated firmware files are published on the Bosch Download Store [2]. As of the same date, there is no indication that the vulnerability is either publicly known or being exploited.

If a software update is not possible in a timely manner, reducing the system's network exposure is advised. Internet-accessible systems should be placed behind a firewall. Additional protective measures such as network isolation by VLAN, the IP filtering features of the devices and other technologies can further decrease the exposure of vulnerable devices.

The vulnerability was discovered during internal product tests.

Affected Products

Hardware

Bosch DIVAR IP 5000

For Bosch DIVAR IP 5000 the following fixed firmware versions are suggested:

DIVAR IP 5000 versions   Vulnerable versions (until and including)   Fixed or non-vulnerable firmware versions (and later)
3.62                     N/A                                         3.62 and prior
3.80                     3.80.0033, 3.80.0035, 3.80.0037             3.80.0039


Software

Video Recording Manager (VRM)

For Bosch Video Recording Manager (VRM) the following fixed VRM versions are suggested:

VRM versions   Vulnerable versions (until and including)                  Fixed or non-vulnerable VRM versions (and later)
<=3.62         N/A                                                        3.10, 3.20, 3.21, 3.50, 3.51, 3.55, 3.60, 3.61, 3.62
3.70           3.70.0056, 3.70.0058, 3.70.0060, 3.70.0062                 N/A (update to 3.71.0034)
3.71           3.71.0022, 3.71.0029, 3.71.0031, 3.71.0032                 3.71.0034
3.81           3.81.0032, 3.81.0038, 3.81.0048                            3.81.0050
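
The following is an added example, not Bosch's code: it maps an installed VRM version string onto the VRM table above so an operator can check a fleet export offline. The branch boundaries are transcribed from the advisory; the reading of "until and including" as "every build up to the last listed vulnerable build", and the treatment of builds the table does not name as "not listed", are the example's own assumptions.

```python
# Added example (not Bosch's code): classify an installed VRM version against the
# CVE-2019-11684 VRM table. Assumption: "until and including" covers every build
# up to the last listed vulnerable build; builds the advisory does not name fall
# between that build and the fix and are reported as "not listed".

# branch -> (last vulnerable build, fixed build), transcribed from the advisory.
# The 3.70 branch has no fix of its own; the advisory says to update to 3.71.0034.
VRM_ADVISORY = {
    (3, 70): ("3.70.0062", "3.71.0034"),
    (3, 71): ("3.71.0032", "3.71.0034"),
    (3, 81): ("3.81.0048", "3.81.0050"),
}
FIRST_AFFECTED_BRANCH = (3, 70)  # advisory: releases before 3.70 are unaffected


def parse_version(text):
    """Turn '3.71.0034' into (3, 71, 34) so builds compare numerically."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised VRM version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return (status, recommended_version) for an installed VRM version.

    status is one of 'unaffected', 'vulnerable', 'fixed' or 'not listed'.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch < FIRST_AFFECTED_BRANCH:
        return ("unaffected", None)
    if branch not in VRM_ADVISORY:
        # e.g. 3.80 (a DIVAR IP firmware branch, not a VRM row) or a newer branch
        return ("not listed", None)
    last_vulnerable, fixed = VRM_ADVISORY[branch]
    if v <= parse_version(last_vulnerable):
        return ("vulnerable", fixed)
    if v >= parse_version(fixed):
        return ("fixed", fixed)
    return ("not listed", fixed)


if __name__ == "__main__":
    # Constructed sample inventory, one version string per host.
    for installed in ("3.62", "3.70.0060", "3.71.0032", "3.71.0034", "3.81.0050"):
        print(installed, *assess(installed))
```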


Bosch Video Management System (BVMS)

For Bosch Video Management Systems (BVMS) the following fixed VRM versions are suggested:

BVMS versions   Vulnerable versions (until and including)                                                   Fixed or non-vulnerable VRM versions (and later)
6.0             N/A                                                                                         3.50
7.0             N/A                                                                                         3.55
7.5 [sic]       N/A                                                                                         3.60
7.5 [sic]       3.70.0056, 3.70.0058, 3.70.0060, 3.70.0062, 3.71.0022, 3.71.0029, 3.71.0031, 3.71.0032      3.71.0034
8.0, 9.0        3.81.0032, 3.81.0038, 3.81.0048                                                             3.81.0050


Solution

Software Updates

The recommended approach is to update the software of affected Bosch products to a fixed version. If an update is not possible in a timely manner, the mitigation approaches described under Firewalling and IP Filtering can be used. A list of affected and fixed software versions is given in the “Affected Products” chapter (Hardware and Software) of this document.

Mitigations and Workarounds

If the referenced software patches cannot be applied, e.g. for BVMS versions 7.0 and earlier, the following measures can mitigate the associated risk until an update to the latest version is performed.

Firewalling (network)

Devices should not be exposed directly to the internet or other insecure networks. This includes exposure via port forwarding, which does not protect devices adequately. Placing a device behind a firewall significantly reduces its attack surface.

IP Filtering (Device)

As an additional supporting measure in shared environments, the internal IP filters of BVMS systems can be activated. These allow the device to whitelist IPs and IP ranges; IPs outside these ranges cannot connect and therefore cannot exploit this vulnerability.

Vulnerability Details

This vulnerability is classified as “CWE-284: Improper Access Control”. The affected RCP+ server of the VRM component allows arbitrary, unauthenticated access to a limited subset of the certificates stored in the underlying Microsoft Windows operating system. The fixed versions implement modified authentication checks. The vulnerability is present in VRM software from version 3.70 onward; earlier VRM releases are considered unaffected.

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

[1] (pdf) Bosch BT Security Advisory
[2] Software updates: Bosch Download Area
[3] (pdf) Bosch Release Letter VRM_3.71.0032
[4] (pdf) Bosch Release Letter VRM_3.81.0050
[5] (pdf) Bosch Release Letter DIP5000
[6] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

09 May 2019: Initial Publication
