CVE-2023-28175: Unrestricted SSH port forwarding in BVMS

Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.


Advisory Information

  • Advisory ID: BOSCH-SA-025794-BT
  • CVE Numbers and CVSS v3.1 Scores:
    • CVE-2023-28175
      • Base Score: 7.1 (High)
  • Published: 24 May 2023
  • Last Updated: 24 May 2023

Summary

The Bosch Video Management System uses an SSH server that does not restrict port forwarding requested by an authenticated SSH client. An authenticated SSH client can request a connection that the BVMS SSH server forwards to a resource within the trusted internal network, which is normally protected from the WAN interface. The resource can be beyond the scope of the Bosch Video Management System.

Affected Products

  • Bosch BVMS
    • CVE-2023-28175
      • Version(s): 7.5 to 11.1.1 (inclusive)
  • Bosch BVMS Viewer
    • CVE-2023-28175
      • Version(s): 7.5 to 11.1.1 (inclusive)
  • Bosch DIVAR IP 3000
    • CVE-2023-28175
      • Version(s): 7.5 to 8.0 (inclusive)
  • Bosch DIVAR IP 7000 R1
    • CVE-2023-28175
      • Version(s): 7.5 to 8.0 (inclusive)
  • Bosch DIVAR IP 7000 R2
    • CVE-2023-28175
      • Version(s): 7.5 to 11.1.1 (inclusive)
  • Bosch DIVAR IP all-in-one 5000
    • CVE-2023-28175
      • Version(s): 9.0 to 11.1.1 (inclusive)
  • Bosch DIVAR IP all-in-one 7000
    • CVE-2023-28175
      • Version(s): 9.0 to 11.1.1 (inclusive)
  • Bosch DIVAR IP all-in-one 7000 R3
    • CVE-2023-28175
      • Version(s): 10.1.1 to 11.1.1 (inclusive)
  • Bosch DIVAR IP all-in-one 4000
    • CVE-2023-28175
      • Version(s): 11.1.1
  • Bosch DIVAR IP all-in-one 6000
    • CVE-2023-28175
      • Version(s): 11.1.1

Solution and Mitigations

Software Updates

The recommended approach is to update the software to a fixed version as soon as possible. Please check the Appendix for a list of updated versions for each affected product.

Secure Network Resources

It is advised to secure the network infrastructure so that the BVMS SSH server cannot reach resources that do not belong to the BVMS system. Network administrators should implement the following recommendations in conjunction with laws, regulations, and industry best practices:

  • Segment and segregate networks.
  • Harden the BVMS SSH host by turning off unnecessary services.
  • Monitor the network and review logs.
  • Validate hardware integrity.
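As an added check for the hardening recommendation above (example code written for this advisory, not Bosch's own tooling): a small Python audit that reads an sshd_config and reports whether an authenticated client could open TCP forwards to arbitrary hosts, which is the behaviour this advisory describes. It assumes OpenSSH directive names (AllowTcpForwarding, PermitOpen); the advisory does not say which SSH server BVMS embeds, and the sample configurations are constructed.

```python
"""Audit an sshd_config for unrestricted TCP port forwarding (added example).
Directive names follow OpenSSH; the advisory does not identify the BVMS SSH
server implementation, so that mapping is an assumption."""

# OpenSSH defaults applied when a directive is absent (assumed values).
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}
LOOPBACK = ("localhost", "127.0.0.1", "[::1]", "::1")


def parse_sshd_config(text):
    """Global directives with lowercased keys. sshd keeps the first value of a
    repeated keyword; per-user Match blocks are out of scope and stop parsing."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf


def forwarding_findings(text):
    """Describe how an authenticated client could reach other hosts through this
    server. Empty list means local forwarding is off or pinned to loopback."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    mode = conf["allowtcpforwarding"].lower()
    if mode not in ("yes", "all", "local"):
        return []  # 'no' or 'remote': the server opens no direct-tcpip forwards
    targets = conf["permitopen"].lower()
    if targets == "any":
        return [f"AllowTcpForwarding {mode} with PermitOpen any: a client may "
                "open a forward to any host this server can reach"]
    if targets == "none":
        return []
    return [f"PermitOpen allows non-loopback destination {dest}"
            for dest in targets.split() if dest.rsplit(":", 1)[0] not in LOOPBACK]


# Constructed sample configurations, not taken from the advisory.
WEAK = "Port 22\nPasswordAuthentication no\n"  # forwarding left at defaults
HARDENED = "Port 22\nAllowTcpForwarding no\nPermitOpen none\n"
PINNED = "AllowTcpForwarding local\nPermitOpen 127.0.0.1:9000 10.0.0.5:443\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("pinned", PINNED)):
        print(name, forwarding_findings(cfg) or ["no unrestricted forwarding"])
```

On a live host, run it against the output of `sshd -T` rather than the raw file so that defaults and includes are already resolved.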

Vulnerability Details

CVE-2023-28175

CVE description: Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.

  • Problem Type:
    • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
  • CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
    • Base Score: 7.1 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

  • [1] BVMS Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMS
  • [2] BVMS Viewer Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMSVWR
  • [3] BVMS Appliances (DIVAR IP) Download Area: https://downloadstore.boschsecurity.com/?type=DIPBVMS

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: [email protected].

Revision History

  • 24 May 2023: Initial Publication

Appendix

Fixes for the Affected Products

BVMS

| Affected versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
| 11.1.0 | Upgrade to 11.1.1 and apply patch BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
| 11.0 | BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip |

Download: BVMS Download Area [1]

BVMS Viewer

| Affected versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | BVMS111165_VWR_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
| 11.1.0 | Upgrade to 11.1.1 and apply patch BVMS111165_VWR_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
| 11.0 | BVMS11001025_VWR_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip |

Download: BVMS Viewer Download Area [2]

Bosch DIVAR IP all-in-one 7000 R3

| Affected BVMS versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | DIP-73_Installer_for_BVMS11.1.1_MR1.zip, or BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |
| 11.0 | DIP-73_Installer_for_BVMS11.0_MR2.zip |

Download: BVMS Appliances Download Area [3]

Bosch DIVAR IP 7000 R2

| Affected BVMS versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
| 11.0 | BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip |

Download: BVMS Download Area [1]

Bosch DIVAR IP all-in-one 5000

| Affected BVMS versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
| 11.0 | BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip |

Download: BVMS Download Area [1]

Bosch DIVAR IP all-in-one 7000

| Affected BVMS versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip |
| 11.0 | BVMS11001025_Patch_SecuritySSHOCcrash_405734,393486,339917,336777.zip |

Download: BVMS Download Area [1]

DIVAR IP all-in-one 4000

| Affected BVMS versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |

Download: BVMS Appliances Download Area [3]

DIVAR IP all-in-one 6000

| Affected BVMS versions | Version or patch that fixes the vulnerability |
| --- | --- |
| 11.1.1 | BVMS111165_Patch_SecurityOCmaxSSHbandwidth_405734,393949,393486.zip in BVMS_11.1.1_Patches_SystemManager_package_1.1.zip |

Download: BVMS Appliances Download Area [3]

Material Lists

BVMS

| Family Name | CTN | SAP# | Material description |
| --- | --- | --- | --- |
| BVMS Professional 11.1.1 | MBV-BPRO | F.01U.393.647 | License Professional base |
| BVMS Plus 11.1.1 | MBV-BPLU | F.01U.393.650 | License Plus base |
| BVMS Plus 11.1.1 DIP | MBV-BPLU-DIP | F.01U.374.503 | License Plus base for DIVAR IP |
| BVMS Viewer 11.1.1 | MBV-BVWR | F.01U.393.649 | License Viewer base |
| BVMS Lite 11.1.1 | MBV-BLIT | F.01U.393.648 | License Lite base |
| BVMS Lite 11.1.1 DIP | MBV-BLIT-DIP | F.01U.358.975 | License Lite base for DIVAR IP |
| BVMS Professional 11.1 | MBV-BPRO | F.01U.393.647 | License Professional base |
| BVMS Plus 11.1 | MBV-BPLU | F.01U.393.650 | License Plus base |
| BVMS Plus 11.1 DIP | MBV-BPLU-DIP | F.01U.374.503 | License Plus base for DIVAR IP |
| BVMS Viewer 11.1 | MBV-BVWR | F.01U.393.649 | License Viewer base |
| BVMS Lite 11.1 | MBV-BLIT | F.01U.393.648 | License Lite base |
| BVMS Lite 11.1 DIP | MBV-BLIT-DIP | F.01U.358.975 | License Lite base for DIVAR IP |
| BVMS Professional 11.0 | MBV-BPRO | F.01U.393.647 | License Professional base |
| BVMS Plus 11.0 | MBV-BPLU | F.01U.393.650 | License Plus base |
| BVMS Plus 11.0 DIP | MBV-BPLU-DIP | F.01U.374.503 | License Plus base for DIVAR IP |
| BVMS Viewer 11.0 | MBV-BVWR | F.01U.393.649 | License Viewer base |
| BVMS Lite 11.0 | MBV-BLIT | F.01U.393.648 | License Lite base |
| BVMS Lite 11.0 DIP | MBV-BLIT-DIP | F.01U.358.975 | License Lite base for DIVAR IP |

Bosch DIVAR IP 7000 R2

| Family Name | CTN | SAP# | Material description |
| --- | --- | --- | --- |
| DIVAR IP 7000 R2 | DIP-7180-00N | F.01U.314.520 | DIVAR IP 7000 2U w/o HDD |
| DIVAR IP 7000 R2 | DIP-7183-4HD | F.01U.314.521 | DIVAR IP 7000 2U 4x3TB |
| DIVAR IP 7000 R2 | DIP-7183-8HD | F.01U.314.522 | DIVAR IP 7000 2U 8x3TB |
| DIVAR IP 7000 R2 | DIP-7184-4HD | F.01U.314.523 | DIVAR IP 7000 2U 4x4TB |
| DIVAR IP 7000 R2 | DIP-7184-8HD | F.01U.314.524 | DIVAR IP 7000 2U 8x4TB |
| DIVAR IP 7000 R2 | DIP-71F0-00N | F.01U.314.525 | DIVAR IP 7000 3U w/o HDD |
| DIVAR IP 7000 R2 | DIP-71F3-16HD | F.01U.314.526 | DIVAR IP 7000 3U 16x3TB |
| DIVAR IP 7000 R2 | DIP-71F4-16HD | F.01U.314.527 | DIVAR IP 7000 3U 16x4TB |
| DIVAR IP 7000 R2 | DIP-7186-8HD | F.01U.329.143 | DIVAR IP 7000 2U 8x6TB |
| DIVAR IP 7000 R2 | DIP-7188-8HD | F.01U.329.144 | DIVAR IP 7000 2U 8x8TB |
| DIVAR IP 7000 R2 | DIP-71F6-16HD | F.01U.329.145 | DIVAR IP 7000 3U 16x6TB |
| DIVAR IP 7000 R2 | DIP-71F8-16HD | F.01U.329.146 | DIVAR IP 7000 3U 16x8TB |
| DIVAR IP 7000 R2 | DIP-7184-8HD-WAG | F.01U.343.277 | DIVAR IP 7000 2U 8x4TB, WAG Kit |

Bosch DIVAR IP all-in-one 5000

| Family Name | CTN | SAP# | Material description |
| --- | --- | --- | --- |
| DIVAR IP all-in-one 5000 | DIP-5240IG-00N | F.01U.361.821 | Management Appliance w/o HDD |
| DIVAR IP all-in-one 5000 | DIP-5244IG-4HD | F.01U.362.424 | Management Appliance 4x4TB |
| DIVAR IP all-in-one 5000 | DIP-5248IG-4HD | F.01U.362.423 | Management Appliance 4x8TB |
| DIVAR IP all-in-one 5000 | DIP-524CIG-4HD | F.01U.362.422 | Management Appliance 4x12TB |
| DIVAR IP all-in-one 5000 | DIP-5240GP-00N | F.01U.359.551 | Management Appliance GPU w/o HD |
| DIVAR IP all-in-one 5000 | DIP-5244GP-4HD | F.01U.359.552 | Management Appliance GPU 4x4TB |
| DIVAR IP all-in-one 5000 | DIP-5248GP-4HD | F.01U.359.553 | Management Appliance GPU 4x8TB |
| DIVAR IP all-in-one 5000 | DIP-524CGP-4HD | F.01U.359.554 | Management Appliance GPU 4x12TB |

Bosch DIVAR IP all-in-one 7000

| Family Name | CTN | SAP# | Material description |
| --- | --- | --- | --- |
| DIVAR IP all-in-one 7000 | DIP-7280-00N | F.01U.362.591 | 2U Management Appliance w/o HD |
| DIVAR IP all-in-one 7000 | DIP-7284-8HD | F.01U.362.592 | 2U Management Appliance 8x4TB |
| DIVAR IP all-in-one 7000 | DIP-7288-8HD | F.01U.362.593 | 2U Management Appliance 8x8TB |
| DIVAR IP all-in-one 7000 | DIP-728C-8HD | F.01U.362.594 | 2U Management Appliance 8x12TB |
| DIVAR IP all-in-one 7000 | DIP-72G0-00N | F.01U.362.595 | 3U Management Appliance w/o HDD |
| DIVAR IP all-in-one 7000 | DIP-72G8-16HD | F.01U.362.596 | 3U Management Appliance 16x8TB |
| DIVAR IP all-in-one 7000 | DIP-72GC-16HD | F.01U.362.597 | 3U Management Appliance 16x12T |

DIVAR IP all-in-one 7000 R3

| Family Name | CTN | SAP# | Material description |
| --- | --- | --- | --- |
| DIVAR IP all-in-one 7000 | DIP-7380-00N | F.01U.385.539 | Management appliance 2U without HD |
| DIVAR IP all-in-one 7000 | DIP-7384-8HD | F.01U.385.540 | Management appliance 2U 8X4TB |
| DIVAR IP all-in-one 7000 | DIP-7388-8HD | F.01U.385.541 | Management appliance 2U 8X8 TB |
| DIVAR IP all-in-one 7000 | DIP-738C-8HD | F.01U.385.542 | Management appliance 2U 8X12 TB |
| DIVAR IP all-in-one 7000 | DIP-73G0-00N | F.01U.385.543 | Management appliance 3U without HD |
| DIVAR IP all-in-one 7000 | DIP-73G8-16HD | F.01U.385.544 | Management appliance 3U 16X8TB |
| DIVAR IP all-in-one 7000 | DIP-73GC-16HD | F.01U.385.545 | Management appliance 3U 16X12 TB |

DIVAR IP all-in-one 4000

| Family Name | CTN | SAP# | Material description |
| --- | --- | --- | --- |
| DIVAR IP all-in-one 4000 | DIP-4420IG-00N | F.01U.404.040 | Management appliance w/o HDD |
| DIVAR IP all-in-one 4000 | DIP-4424IG-2HD | F.01U.404.041 | Management appliance 2x4TB |
| DIVAR IP all-in-one 4000 | DIP-4428IG-2HD | F.01U.404.042 | Management appliance 2x8TB |
| DIVAR IP all-in-one 4000 | DIP-442IIG-2HD | F.01U.404.043 | Management appliance 2x18TB |

DIVAR IP all-in-one 6000

| Family Name | CTN | SAP# | Material description |
| --- | --- | --- | --- |
| DIVAR IP all-in-one 6000 | DIP-6440IG-00N | F.01U.404.045 | Management appliance 1U w/o HDD |
| DIVAR IP all-in-one 6000 | DIP-6444IG-4HD | F.01U.404.046 | Management appliance 1U 4x4TB |
| DIVAR IP all-in-one 6000 | DIP-6448IG-4HD | F.01U.404.047 | Management appliance 1U 4x8TB |
| DIVAR IP all-in-one 6000 | DIP-644IIG-4HD | F.01U.404.048 | Management appliance 1U 4x18TB |
