Bosch VDOO 2018 Vulnerability

By IPVM Team, Published Dec 20, 2018, 11:34am EST

Security research firm VDOO has discovered a critical vulnerability in Bosch IP cameras. Inside, we cover the available details of this new vulnerability, including:

  • Bosch Vulnerability Details
  • Impact of Vulnerability
  • Bosch's Response

Those interested should see our details on other vulnerabilities disclosed by VDOO, including:

And see IPVM's Cybersecurity Vulnerability Directory.

Bosch ************* *******

*** ************* ** ***** 9.4/10 ** ** ****** unauthorized ****** **** ********* via * ****** ********, affecting ***** ** ******* starting **** ******** *.** but ***** **** *.**. Exact ******* ** *** vulnerability **** *** *** been ********. **** *** stated **** **** **** not ******* ** ** when **** **** ** release * ***** ** concept. *********** ************* *********** ***** *** ***** awaiting ******* ** ****** their *** *******.

Impact ** *************

** ******* *** ************* network ****** ** ********. Discovering **** ************* ******** an ******** ******* ********* of ***** ********, *** exploiting *** ************* **** requires ************* ******. ***** *** currently ** ***** ********* devices.

***** ******* ****** ** updated ***** ******* ******** (*.**), ***** ******* **** vulnerability. **** ************* *** introduced ** ******** ****. Versions ***** ** *.** are *** ********.

***** ******* ***** ***********-***** authentication *** *** ******** (details ** *****'* ******** advisory), ****** **** ** much **** ******* **** simply ******** ******** *** most ***** ** *** employ ************.

Updated: ***** ********

***** *********** * ******** ******** ********* *** ********, ********* details, *** **********. ***** has **** *************** ************ ******* **** *************, and says **** **** **** informed ***** *** ********* roles ***** *** ************* so **** *** ****** disseminate *** ***********.

***** **** ******** *** following ******:

** **** ******** ******** version ** *** ** (6.51.0028, *.**.****, *.**.****) ** our ********* *** *** forced ** ******* ** ****** ** ********, ***** ********* ** certain ***** *** **** to ** ********** *******/*********** efforts **** ***.

First ***** ** ****** *************

* ****** ************* **************** ** ***** ******** for ***** ** *******.

Bosch ****** **** ** ***********

***** **** ** *** first ********* ************* *** Bosch ** ******* *** while ** ** ******* how ********* ** ** to *******, ***** ******* are ******** **** ** high-security ************ **** *********** in *** ** *** Europe. ** ****, ***** has ** ********** **** responsibility ** ****** **** there *** ** ***************.

Comments (6)

Undisclosed #1

12/20/18 05:00pm

This (IMO) from the linked report is valuable info:

Certificate Based Authentication (Device)

Starting with Release 6.40.0240, the “unauthenticated” aspect of the vulnerability can be mitigated to “authenticated” by enabling certificate-based authentication, then executing additional hardening steps. After an initial certificate authentication setup, additional hardening is mandatory for secure operation: Disable port 80, disable HSTS-redirect, and disable password authentication. This enforces the webserver to demand a valid client-certificate during the initial TLS-Handshake.

Using certificate-based authentication makes it near impossible for unauthorized persons to exploit the device, even if exposed to the public internet. Thus, unlike the Hik magic string vulnerability where anyone with network access to the device could exploit it, you can effectively secure the Bosch camera without having to tinker with firewalls, VPNs, etc. Of course, this requires the client accessing the camera also support certificate-based authentication.

This appears to be an exploit of Bosch's RCP+ API, most likely some form of extra-long-string attack, as they mentioned buffer overflow, and not hard-coded credentials or API weaknesses that expose privileged information to attackers.

Undisclosed Manufacturer #2

12/20/18 08:07pm

“This vulnerability was introduced in November 2016”.

Do you mean 2018?

Avatar

John Scanlan

IPVM | IPVMU Certified | In reply to Undisclosed Manufacturer #2 | 12/20/18 08:20pm

Sorry if that was not clear. The vulnerability was introduced to the firmware in November 2016. Even though the vulnerability was there for a couple of years it was not discovered until 2018.

Undisclosed #3

12/24/18 02:51pm

"affecting Bosch IP cameras with firmware 6.32 or higher"

But I assume the new firmware that fixes this is higher than 6.32?  The above implies the only fix is to downrev a device.

John Honovich

IPVM | In reply to Undisclosed #3 | 12/24/18 02:56pm

I've edited that sentence for clarity - "affecting Bosch IP cameras starting with firmware 6.32 but fixed with 6.60".

Note: we do mention in the next section:

Bosch cameras should be updated to the lastest firwmare (6.60), which removes this vulnerability. This vulnerability was introduced in November 2016.

Avatar

John Scanlan

IPVM | IPVMU Certified | 01/03/19 07:02pm

Bosch contacted us with an update on their response to the vulnerability:

We have released multiple version of our FW (6.51.0028, 6.50.0133, 6.44.0027) so our customers are not forced to migrate to a higher FW versions, which otherwise in certain cases may lead to do additional testing/integration efforts with VMS.

Read this IPVM report for free.

This article is part of IPVM's 6,738 reports, 909 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports