Bosch ************* *******
*** ************* ** ***** 9.4/10 ** ** ****** unauthorized ****** **** ********* via * ****** ********, affecting ***** ** ******* starting **** ******** *.** but ***** **** *.**. Exact ******* ** *** vulnerability **** *** *** been ********. **** *** stated **** **** **** not ******* ** ** when **** **** ** release * ***** ** concept. *********** ************* *********** ***** *** ***** awaiting ******* ** ****** their *** *******.
Impact ** *************
** ******* *** ************* network ****** ** ********. Discovering **** ************* ******** an ******** ******* ********* of ***** ********, *** exploiting *** ************* **** requires ************* ******. ***** *** currently ** ***** ********* devices.
***** ******* ****** ** updated ***** ******* ******** (*.**), ***** ******* **** vulnerability. **** ************* *** introduced ** ******** ****. Versions ***** ** *.** are *** ********.
***** ******* ***** ***********-***** authentication *** *** ******** (details ** *****'* ******** advisory), ****** **** ** much **** ******* **** simply ******** ******** *** most ***** ** *** employ ************.
Updated: ***** ********
***** *********** * ******** ******** ********* *** ********, ********* details, *** **********. ***** has **** *************** ************ ******* **** *************, and says **** **** **** informed ***** *** ********* roles ***** *** ************* so **** *** ****** disseminate *** ***********.
***** **** ******** *** following ******:
** **** ******** ******** version ** *** ** (6.51.0028, *.**.****, *.**.****) ** our ********* *** *** forced ** ******* ** a ****** ** ********, ***** ********* ** certain ***** *** **** to ** ********** *******/*********** efforts **** ***.
First ***** ** ****** *************
* ****** ************* **************** ** ***** ******** for ***** ** *******.
Bosch ****** **** ** ***********
***** **** ** *** first ********* ************* *** Bosch ** ******* *** while ** ** ******* how ********* ** ** to *******, ***** ******* are ******** **** ** high-security ************ **** *********** in *** ** *** Europe. ** ****, ***** has ** ********** **** responsibility ** ****** **** there *** ** ***************.
Comments (6)
Undisclosed #1
This (IMO) from the linked report is valuable info:
Using certificate-based authentication makes it near impossible for unauthorized persons to exploit the device, even if exposed to the public internet. Thus, unlike the Hik magic string vulnerability where anyone with network access to the device could exploit it, you can effectively secure the Bosch camera without having to tinker with firewalls, VPNs, etc. Of course, this requires the client accessing the camera also support certificate-based authentication.
This appears to be an exploit of Bosch's RCP+ API, most likely some form of extra-long-string attack, as they mentioned buffer overflow, and not hard-coded credentials or API weaknesses that expose privileged information to attackers.
Undisclosed Manufacturer #2
“This vulnerability was introduced in November 2016”.
Do you mean 2018?
Undisclosed #3
"affecting Bosch IP cameras with firmware 6.32 or higher"
But I assume the new firmware that fixes this is higher than 6.32? The above implies the only fix is to downrev a device.
John Scanlan
Bosch contacted us with an update on their response to the vulnerability: