Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-23862: Multiple Vulnerabilities in Bosch BT software products

A crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context. This issue also affects installations of the VRM, DIVAR IP, BVMS with VRM installed, the VIDEOJET decoder (VJD-7513 and VJD-8000).

CVE
#xss#vulnerability#web#dos#php#rce#auth#sap

Advisory Information

  • Advisory ID: BOSCH-SA-043434-BT
  • CVE Numbers and CVSS v3.1 Scores:
    • CVE-2021-23859
      • Base Score: 9.1 (Critical)
    • CVE-2021-23860
      • Base Score: 5.0 (Medium)
    • CVE-2021-23861
      • Base Score: 6.5 (Medium)
    • CVE-2021-23862
      • Base Score: 7.2 (High)
  • Published: 08 Dec 2021
  • Last Updated: 08 Dec 2021

Summary

A recently discovered security vulnerability allows an unauthenticated attacker to cause an application to crash (Denial of Service / DoS) and for the VRM opens the possibility to send unauthenticated commands for a short time (this vulnerability is rated critical).

The VRM, DIVAR IP and BVMS with VRM are also affected by three additional vulnerabilities ranging from high to medium, allowing an authenticated remote code execution, a stored cross site scripting and access to an extended debug page.

The VIDEOJET decoder (VJD-7513 and VJD-8000) are affected by one high vulnerability (authenticated remote code execution)

For more details please see the description of the vulnerabilities in this advisory.

Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.1 (Critical) to 5.0 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.

Customers are strongly advised to update to the fixed versions or consider listed mitigation.

Affected Products

  • Bosch AEC <= 2.9.1.x
    • CVE-2021-23859
  • Bosch APE <= 3.8.x.x
    • CVE-2021-23859
  • Bosch BIS <= 4.7
    • CVE-2021-23859
  • Bosch BIS <= 4.8
    • CVE-2021-23859
  • Bosch BIS <= 4.9
    • CVE-2021-23859
  • Bosch BVMS <= 9.0.0
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch BVMS 10.0 < 10.0.2
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch BVMS 10.1 < 10.1.1
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch BVMS 11.0 < 11.0.0
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch DIVAR IP 7000 R2 with configuration: ‘using vulnerable BVMS version’
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch DIVAR IP all-in-one 5000 with configuration: ‘using vulnerable BVMS or VRM version’
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch DIVAR IP all-in-one 7000 with configuration: ‘using vulnerable BVMS or VRM version’
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch VJD-7513 <= 10.22.0038
    • CVE-2021-23862
  • Bosch VJD-8000 <= 10.01.0036
    • CVE-2021-23862
  • Bosch VRM <= 3.81
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch VRM 3.82 <= 3.82.0057
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch VRM 3.83 <= 3.83.0021
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch VRM 4.0 <= 4.00.0070
    • CVE-2021-23859
    • CVE-2021-23860
    • CVE-2021-23861
    • CVE-2021-23862
  • Bosch VRM Exporter 2.1 <= 2.10.0008
    • CVE-2021-23859

Solution and Mitigations****Software Updates

The recommended approach is to update the affected Bosch software to a fixed version. If an update is not possible in timely manner, users are recommended to follow the mitigation described in the following section.

Firewalling

For CVE-2021-23859 disallowing connections to Port 40080 - 40099 TCP to the software / appliance by means of a firewall prevents the attacker from accessing the vulnerable interface. If protected by a firewall the attack is limited to local signed-in users.

Vulnerability Details****CVE-2021-23859

CVE description: An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash.

In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service.

On some products the interface is only local accessible lowering the CVSS base score.

For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter

Modified CVSS Scores for CVE-2021-23859

  • Problem Type:
    • CWE-703 Improper Check or Handling of Exceptional Conditions
  • CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
    • Base Score: 9.1 (Critical)

CVE-2021-23860

CVE description: An error in a page handler of the VRM may lead to a reflected cross site scripting (XSS) in the web-based interface. To exploit this vulnerability an attack must be able to modify the HTTP header that is sent.

This issue also affects installations of the DIVAR IP and BVMS with VRM installed.

  • Problem Type:
    • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
    • Base Score: 5.0 (Medium)

CVE-2021-23861

CVE description: By executing a special command, an user with administrative rights can get access to extended debug functionality on the VRM allowing an impact on integrity or availability of the installed software.

This issue also affects installations of the DIVAR IP and BVMS with VRM installed.

  • Problem Type:
    • CWE-489 Active Debug Code
  • CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
    • Base Score: 6.5 (Medium)

CVE-2021-23862

CVE description: A crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context.

This issue also affects installations of the VRM, DIVAR IP, BVMS with VRM installed, the VIDEOJET decoder (VJD-7513 and VJD-8000).

  • Problem Type:
    • CWE-20 Improper Input Validation
  • CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Base Score: 7.2 (High)

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

  • [1] Software Updates: https://downloadstore.boschsecurity.com
  • [2] BVMS Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMS
  • [3] BVMS Viewer Download Area: https://downloadstore.boschsecurity.com/index.php?type=BVMSVWR
  • [4] BVMS Appliances (DIVAR IP) Download Area: https://downloadstore.boschsecurity.com/?type=DIPBVMS
  • [5] VRM Download Area: https://downloadstore.boschsecurity.com/index.php?type=VRM
  • [6] VJD Download Area: https://downloadstore.boschsecurity.com/index.php?type=DEC
  • [7] APE Download Area: https://downloadstore.boschsecurity.com/index.php?type=APE
  • [8] AEC Download Area: https://downloadstore.boschsecurity.com/index.php?type=AEC
  • [9] BIS Download Area: https://downloadstore.boschsecurity.com/index.php?type=BIS

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: [email protected] .

Revision History

  • 08 Dec 2021: Initial Publication

Appendix****Modified CVSS Scores for CVE-2021-23859

On some products the affected port is protected by a firewall, lowering the CVSS score or it is only possible to cause a Denial of Service (DoS), also lowering the original score. This table shows the individual score for each product

Affected Software****BVMS

Affected versions

Name of version to fix the vulnerability

11.0.0.1025

BVMS: BVMS11001025_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_04.01.0012_64-Bit.zip

10.1.1.12

BVMS: BVMS101112_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.83.0045_64-Bit.zip

10.0.2.13

BVMS: BVMS100213_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.82.0069_64-Bit.zip

9.0.0.827 and older

Deprecated (please upgrade to the latest version)

BVMS Download Area

BVMS Viewer

Affected versions

Name of version to fix the vulnerability

11.0.0.1025

BVMS11001025_VWR_Patch_SecurityIssue_350403.zip

10.1.1.12

BVMS101112_VWR_Patch_SecurityIssue_350403.zip

10.0.2.13

BVMS100213_VWR_Patch_SecurityIssue_350403.zip

9.0.0.827 and older

Deprecated (please upgrade to the latest version)

BVMS Viewer Download Area

Video Recording Manager (VRM)

Affected versions

Name of version to fix the vulnerability

04.00.0070

MasterInstaller_VRM_04.01.0012_64-Bit.zip

03.83.0021

MasterInstaller_VRM_03.83.0045_64-Bit.zip

03.82.0057

MasterInstaller_VRM_03.82.0069_64-Bit.zip

03.81 and older

Deprecated (please upgrade to the latest version)

VRM Installer Download Area

VRM Exporter

Affected versions

Name of version to fix the vulnerability

02.10.0008

Setup_VRM_eXporter_Wizard_02.11.0014.exe

(included in VRM Installer Package)

VRM Installer Download Area

Bosch DIVAR IP all-in-one 7000 R3

Affected BVMS versions

Name of version to fix the vulnerability

11.0.0.1025

DIP-73_Installer_for_BVMS11.0_MR1.zip

10.1.1.12

DIP-73_Installer_for_BVMS10.1.1_MR1.zip

BVMS Download Area

BVMS Appliances Download Area

Bosch DIVAR IP 7000 R2

Affected BVMS versions

Name of version to fix the vulnerability

11.0.0.1025

BVMS: BVMS11001025_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_04.01.0012_64-Bit.zip

10.1.1.12

BVMS: BVMS101112_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.83.0045_64-Bit.zip

10.0.2.13

BVMS: BVMS100213_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.82.0069_64-Bit.zip

9.0.0 and older

Deprecated (please upgrade to the latest version)

BVMS Download Area

BVMS Appliances Download Area

Bosch DIVAR IP all-in-one 5000

Affected BVMS versions

Name of version to fix the vulnerability

11.0.0.1025

BVMS: BVMS11001025_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_04.01.0012_64-Bit.zip

10.1.1.12

BVMS: BVMS101112_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.83.0045_64-Bit.zip

10.0.2.13

BVMS: BVMS100213_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.82.0069_64-Bit.zip

9.0.0

Deprecated (please upgrade to the latest version)

BVMS Download Area

BVMS Appliances Download Area

Bosch DIVAR IP all-in-one 7000

Affected BVMS versions

Name of version to fix the vulnerability

11.0.0.1025

BVMS: BVMS11001025_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_04.01.0012_64-Bit.zip

10.1.1.12

BVMS: BVMS101112_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.83.0045_64-Bit.zip

10.0.2.13

BVMS: BVMS100213_Patch_SecurityIssue_350403.zip
VRM: MasterInstaller_VRM_03.82.0069_64-Bit.zip

9.0.0

Deprecated (please upgrade to the latest version)

BVMS Download Area

BVMS Appliances Download Area

Video Jet Decoder 7000

Affected versions

Name of version to fix the vulnerability

10.22.0038

VJD-7513_FW_10.23.0002.zip

VJD Installer Download Area

Video Jet Decoder 8000

Affected versions

Name of version to fix the vulnerability

10.01.0036

VJD-8000_FW_10.05.0001.zip

VJD Installer Download Area

Bosch Easy Access Controller (AEC)

Affected AEC versions

Name of version to fix the vulnerability

2.1.9.x

AEC-CVE-2021-23859.zip

AEC Download Area

Bosch Access Professional Edition (APE)

Affected APE versions

Name of version to fix the vulnerability

3.8.x.x (with Video functionality enabled only)

APE-CVE-2021-23859.zip

APE Download Area

Bosch Building Integration System (BIS)

Affected BIS versions

Name of version to fix the vulnerability

4.7

BIS-CVE-2021-23859.zip

4.8

BIS-CVE-2021-23859.zip

4.9

BIS-CVE-2021-23859.zip

BIS Download Area

Material Lists****BVMS

Family Name

CTN

SAP#

Material description

BVMS Professional 11.0

MBV-BPRO

F.01U.393.647

License Professional base

BVMS Plus 11.0

MBV-BPLU

F.01U.393.650

License Plus base

BVMS Viewer 11.0

MBV-BVWR

F.01U.393.649

License Viewer base

BVMS Lite 11.0

MBV-BLIT

F.01U.393.648

License Lite base

BVMS Professional 10.1

MBV-BPRO-101

F.01U.389.492

License Professional base

BVMS Enterprise 10.1

MBV-BENT-101

F.01U.389.506

License Enterprise base

BVMS Plus 10.1

MBV-BPLU-101

F.01U.389.477

License Plus base

BVMS Viewer 10.1

MBV-BVWR-101

F.01U.389.508

License Viewer base

BVMS Lite16 10.1

MBV-BLIT-101

F.01U.389.465

License Lite base

BVMS Professional 10.0

MBV-BPRO-100

F.01U.362431

License Professional base

BVMS Enterprise 10.0

MBV-BENT-100

F.01U.362432

License Enterprise base

BVMS Plus 10.0

MBV-BPLU-100

F.01U.362445

License Plus base

BVMS Viewer 10.0

MBV-BVWR-100

F.01U.362471

License Viewer base

BVMS Lite 10.0

MBV-BLIT-100

F.01U.362455

License Lite base

Video Recording Manager (VRM)

Family Name

CTN

SAP#

Material description

VRM

MVM-BVRM-016

F.01U.166.502

Base Package incl. 16 cameras single-pac

Bosch DIVAR IP 7000 R2

Family Name

CTN

SAP#

Material description

DIVAR IP 7000 R2

DIP-7180-00N

F.01U.314.520

DIVAR IP 7000 2U w/o HDD

DIVAR IP 7000 R2

DIP-7183-4HD

F.01U.314.521

DIVAR IP 7000 2U 4x3TB

DIVAR IP 7000 R2

DIP-7183-8HD

F.01U.314.522

DIVAR IP 7000 2U 8x3TB

DIVAR IP 7000 R2

DIP-7184-4HD

F.01U.314.523

DIVAR IP 7000 2U 4x4TB

DIVAR IP 7000 R2

DIP-7184-8HD

F.01U.314.524

DIVAR IP 7000 2U 8x4TB

DIVAR IP 7000 R2

DIP-71F0-00N

F.01U.314.525

DIVAR IP 7000 3U w/o HDD

DIVAR IP 7000 R2

DIP-71F3-16HD

F.01U.314.526

DIVAR IP 7000 3U 16x3TB

DIVAR IP 7000 R2

DIP-71F4-16HD

F.01U.314.527

DIVAR IP 7000 3U 16x4TB

DIVAR IP 7000 R2

DIP-7186-8HD

F.01U.329.143

DIVAR IP 7000 2U 8x6TB

DIVAR IP 7000 R2

DIP-7188-8HD

F.01U.329.144

DIVAR IP 7000 2U 8x8TB

DIVAR IP 7000 R2

DIP-71F6-16HD

F.01U.329.145

DIVAR IP 7000 3U 16x6TB

DIVAR IP 7000 R2

DIP-71F8-16HD

F.01U.329.146

DIVAR IP 7000 3U 16x8TB

DIVAR IP 7000 R2

DIP-7184-8HD-WAG

F.01U.343.277

DIVAR IP 7000 2U 8x4TB, WAG Kit

Bosch DIVAR IP all-in-one 5000

Family Name

CTN

SAP#

Material description

DIVAR IP all-in-one 5000

DIP-5240IG-00N

F.01U.361.821

Management Appliance w/o HDD

DIVAR IP all-in-one 5000

DIP-5244IG-4HD

F.01U.362.424

Management Appliance 4x4TB

DIVAR IP all-in-one 5000

DIP-5248IG-4HD

F.01U.362.423

Management Appliance 4x8TB

DIVAR IP all-in-one 5000

DIP-524CIG-4HD

F.01U.362.422

Management Appliance 4x12TB

DIVAR IP all-in-one 5000

DIP-5240GP-00N

F.01U.359.551

Management Appliance GPU wo HD

DIVAR IP all-in-one 5000

DIP-5244GP-4HD

F.01U.359.552

Management Appliance GPU 4x4TB

DIVAR IP all-in-one 5000

DIP-5248GP-4HD

F.01U.359.553

Management Appliance GPU 4x8TB

DIVAR IP all-in-one 5000

DIP-524CGP-4HD

F.01U.359.554

Management Appliance GPU 4x12TB

Bosch DIVAR IP all-in-one 7000

Family Name

CTN

SAP#

Material description

DIVAR IP all-in-one 7000

DIP-7280-00N

F.01U.362.591

2U Management Appliance w/o HD

DIVAR IP all-in-one 7000

DIP-7284-8HD

F.01U.362.592

2U Management Appliance 8x4TB

DIVAR IP all-in-one 7000

DIP-7288-8HD

F.01U.362.593

2U Management Appliance 8x8TB

DIVAR IP all-in-one 7000

DIP-728C-8HD

F.01U.362.594

2U Management Appliance 8x12TB

DIVAR IP all-in-one 7000

DIP-72G0-00N

F.01U.362.595

3U Management Appliance wo HDD

DIVAR IP all-in-one 7000

DIP-72G8-16HD

F.01U.362.596

3U Management Appliance 16x8TB

DIVAR IP all-in-one 7000

DIP-72GC-16HD

F.01U.362.597

3U Management Appliance 16x12T

DIVAR IP all-in-one 7000 R3

Family Name

CTN

SAP#

Material description

DIVAR IP all-in-one 7000

DIP-7380-00N

F.01U.385.539

Management appliance 2U without HD

DIVAR IP all-in-one 7000

DIP-7384-8HD

F.01U.385.540

Management appliance 2U 8X4TB

DIVAR IP all-in-one 7000

DIP-7388-8HD

F.01U.385.541

Management appliance 2U 8X8 TB

DIVAR IP all-in-one 7000

DIP-738C-8HD

F.01U.385.542

Management appliance 2U 8X12 TB

DIVAR IP all-in-one 7000

DIP-73G0-00N

F.01U.385.543

Management appliance 3U without HD

DIVAR IP all-in-one 7000

DIP-73G8-16HD

F.01U.385.544

Management appliance 3U 16X8TB

DIVAR IP all-in-one 7000

DIP-73GC-16HD

F.01U.385.545

Management appliance 3U 16X12 TB

VIDEOJET decoder 7000 (VJD-7000)

Family Name

CTN

SAP#

Material description

VJD-7000

VJD-7513

F.01U.345.382

High-performance H.265 UHD decoder

VIDEOJET decoder 8000 (VJD-8000)

Family Name

CTN

SAP#

Material description

VJD-8000

VJD-8000

F.01U.313.822

VJD-8000 Decoder, H.264 bis 8MP, 60bps

VJD-8000

VJD-8000-N

F.01U.314.681

VJD-8000-N Decoder, H.264 zu 8MP, 60bps, kein TPM

Bosch Easy Access Controller (AEC)

Family Name

CTN

SAP#

Material description

Access Easy Controller 2.1

APC-AEC21-UPS1

F.01U.100.385

AEC2.1 Main Enclosure, PSU1

Access Easy Controller 2.1

ASL-AEC21-SWK

F.01U.100.391

Software Kit with Compact Flash Card

Bosch Access Professional Edition (APE)

Family Name

CTN

SAP#

Material description

Access PE

ASL-APE3P-VIDB

F.01U.298.465

Access PE - Video Activation License

Access PE

ASL-APE3P-VIDE

F.01U.298.466

Access PE - Video Expansion License

Bosch Building Integration System (BIS)

Family Name

CTN

SAP#

Material description

BIS - Video Engine (VIE) 4.7

BIS-FVIE-BPA47

F.01U.381.802

License for the BIS Video Engine (VIE) within BIS

BIS - Video Engine (VIE) 4.8

BIS-FVIE-BPA48

F.01U.388.192

License for the BIS Video Engine (VIE) within BIS

BIS - Video Engine (VIE) 4.9

BIS-FVIE-BPA49

F.01U.395.631

License for the BIS Video Engine (VIE) within BIS

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907