Uncontrolled Search Path Element in Multiple Bosch Products

Published

2021-03-24 00:00:00 UTC

Summary

BOSCH-SA-835563-BT: Multiple Bosch software applications are affected by a security vulnerability that potentially allows an attacker to make the application load additional code in the form of a DLL placed in a directory on the application's DLL search path (commonly known as "DLL Hijacking" or "DLL Preloading"). This code is executed during the start of the vulnerable application and runs in the security context of the user who started it. Bosch rates these vulnerabilities with a CVSS v3.1 Base Score of 7.8 (High).

Bosch recommends that customers use updated installers for (re)installations and updated versions of portable applications. For BVMS and BVMS Viewer, customers are recommended to completely update the installed product to the latest version, because not only the installer but also parts of the products themselves are affected by the vulnerability. Where no software update is provided, customers are recommended to follow the mitigations and workarounds described in this advisory.

The Bosch IP Helper vulnerability was discovered and disclosed to Bosch by the external researcher Nir Yehoshua. The vulnerability in the Bosch Video Client Installer was discovered and disclosed to Bosch by the external researcher Eli Paz of CyberArk. The vulnerabilities in the Bosch Monitor Wall Installer and the Bosch Video Streaming Gateway Installer were discovered and disclosed to Bosch by the external researcher Dhiraj Mishra.
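The following PowerShell script is an added example and is not Bosch's code or part of this advisory. It shows how a practitioner can assess the exposure the summary describes: it lists the directories Windows searches, in order, when a program loads a DLL by bare name (application directory, System32, System, Windows, current directory, then PATH, the default order with SafeDllSearchMode enabled), flags any of them that a non-privileged account can create files in, and lists the DLLs already present next to the installer together with their Authenticode status. The default installer path (a file named Setup.exe in the user's Downloads folder) is a hypothetical placeholder; point it at the installer or portable executable under test.

```powershell
# Added example (not Bosch's code): enumerate the directories Windows searches
# when a program loads a DLL by bare name, and flag those that a non-privileged
# account can create files in. $InstallerPath is a hypothetical placeholder;
# point it at the installer or portable executable you want to assess.
param(
    [string]$InstallerPath = (Join-Path $env:USERPROFILE 'Downloads\Setup.exe')
)

# Well-known SIDs whose Allow ACE makes a directory writable by any local user.
# Compared as SIDs so the check also works on localized Windows installations.
$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4',      # INTERACTIVE
    'S-1-5-32-545'  # BUILTIN\Users
)

# CreateFiles (= WriteData) is the right needed to plant a new file in a
# directory; Write, Modify and FullControl all include this bit.
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-LowPrivWritable {
    param([string]$Dir)
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }  # orphaned or untranslatable principal
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$createFiles) -ne 0) { return $true }
    }
    return $false
}

# Default search order (SafeDllSearchMode enabled, no LoadLibraryEx flags) for a
# DLL that is not on the KnownDLLs list and is requested by name only.
$appDir = Split-Path -Parent $InstallerPath
$searchOrder = @(
    $appDir,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System'),
    $env:SystemRoot,
    (Get-Location).Path
) + @($env:PATH -split ';' | Where-Object { $_ -ne '' })

$order = 0
$report = foreach ($dir in $searchOrder) {
    $order++
    $exists = Test-Path -LiteralPath $dir -PathType Container
    $writable = $null
    if ($exists) { $writable = Test-LowPrivWritable -Dir $dir }
    [pscustomobject]@{
        Order           = $order
        Directory       = $dir
        Exists          = $exists
        LowPrivWritable = $writable
    }
}
$report | Format-Table -AutoSize

# DLLs already sitting next to the installer. The application directory is
# searched first, so any of these shadows a same-named DLL in System32 for this
# installer; list them with their Authenticode signature status.
if (Test-Path -LiteralPath $appDir -PathType Container) {
    Get-ChildItem -LiteralPath $appDir -Filter '*.dll' -File |
        Select-Object Name, Length, LastWriteTime,
            @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
        Format-Table -AutoSize
}
```

Two caveats when reading the output. A writable directory is only a hijack point for DLLs whose legitimate copy lives later in the search order (for example a DLL that is normally found in System32 but is requested by name from an installer whose directory is searched first). And for an installer started from a download folder, the planted DLL does not need to be writable by other accounts at all: the folder belongs to the same user, so the attacker only needs to get a DLL with the expected name into it, which is why the advisory's fix is an updated installer rather than an ACL change. ACEs that carry unmapped generic rights show up as numeric FileSystemRights values and are not matched by the CreateFiles test, so review those by hand.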