Bosch VDOO 2018 Vulnerability

Published Dec 20, 2018 16:34 PM

Security research firm VDOO has discovered a critical vulnerability in Bosch IP cameras. Inside, we cover the available details of this new vulnerability, including:

  • Bosch Vulnerability Details
  • Impact of Vulnerability
  • Bosch's Response

Those interested should see our details on other vulnerabilities disclosed by VDOO, including:

And see IPVM's Cybersecurity Vulnerability Directory.

Bosch ************* *******

*** ************* ** ***** *.*/** ** it ****** ************ ****** **** ********* via * ****** ********, ********* ***** IP ******* ******** **** ******** *.** but ***** **** *.**. ***** ******* of *** ************* **** *** *** been ********. **** *** ****** **** they **** *** ******* ** ** when **** **** ** ******* * proof ** *******. *********** ************* *********** ***** *** ***** ******** ******* to ****** ***** *** *******.

Impact ** *************

** ******* *** ************* ******* ****** is ********. *********** **** ************* ******** an ******** ******* ********* ** ***** firmware, *** ********** *** ************* **** requires ************* ******. ***** *** ********* ** known ********* *******.

***** ******* ****** ** ******* ***** ******* ******** (*.**), ***** ******* **** *************. **** vulnerability *** ********** ** ******** ****. Versions ***** ** *.** *** *** affected.

***** ******* ***** ***********-***** ************** *** not ******** (******* ** *****'* ******** advisory), ****** **** ** **** **** complex **** ****** ******** ******** *** most ***** ** *** ****** ************.

Updated: ***** ********

***** *********** * ******** ******** ********* *** ********, ********* *******, *** resolution. ***** *** **** *************** ************ ******* **** *************, *** **** **** have **** ******** ***** *** ********* roles ***** *** ************* ** **** can ****** *********** *** ***********.

***** **** ******** *** ********* ******:

** **** ******** ******** ******* ** our ** (*.**.****, *.**.****, *.**.****) ** our ********* *** *** ****** ** migrate ** * ****** ** ********, ***** ********* ** ******* ***** may **** ** ** ********** *******/*********** efforts **** ***.

First ***** ** ****** *************

* ****** ************* **************** ** ***** ******** *** ***** IP *******.

Bosch ****** **** ** ***********

***** **** ** *** ***** ********* vulnerability *** ***** ** ******* *** while ** ** ******* *** ********* it ** ** *******, ***** ******* are ******** **** ** ****-******** ************ such *********** ** *** ** *** Europe. ** ****, ***** *** ** especially **** ************** ** ****** **** there *** ** ***************.

Comments (6)
Undisclosed #1
Dec 20, 2018

This (IMO) from the linked report is valuable info:

Certificate Based Authentication (Device)

Starting with Release 6.40.0240, the “unauthenticated” aspect of the vulnerability can be mitigated to “authenticated” by enabling certificate-based authentication, then executing additional hardening steps. After an initial certificate authentication setup, additional hardening is mandatory for secure operation: Disable port 80, disable HSTS-redirect, and disable password authentication. This enforces the webserver to demand a valid client-certificate during the initial TLS-Handshake.

Using certificate-based authentication makes it near impossible for unauthorized persons to exploit the device, even if exposed to the public internet. Thus, unlike the Hik magic string vulnerability where anyone with network access to the device could exploit it, you can effectively secure the Bosch camera without having to tinker with firewalls, VPNs, etc. Of course, this requires the client accessing the camera also support certificate-based authentication.

This appears to be an exploit of Bosch's RCP+ API, most likely some form of extra-long-string attack, as they mentioned buffer overflow, and not hard-coded credentials or API weaknesses that expose privileged information to attackers.

(3)
(2)
Undisclosed Manufacturer #2
Dec 20, 2018

“This vulnerability was introduced in November 2016”.

Do you mean 2018?

John Scanlan
Dec 20, 2018
IPVM • IPVMU Certified

Sorry if that was not clear. The vulnerability was introduced to the firmware in November 2016. Even though the vulnerability was there for a couple of years it was not discovered until 2018.

(4)
Undisclosed #3
Dec 24, 2018

"affecting Bosch IP cameras with firmware 6.32 or higher"

But I assume the new firmware that fixes this is higher than 6.32?  The above implies the only fix is to downrev a device.

John Honovich
Dec 24, 2018
IPVM

I've edited that sentence for clarity - "affecting Bosch IP cameras starting with firmware 6.32 but fixed with 6.60".

Note: we do mention in the next section:

Bosch cameras should be updated to the latest firmware (6.60), which removes this vulnerability. This vulnerability was introduced in November 2016.

John Scanlan
Jan 03, 2019
IPVM • IPVMU Certified

Bosch contacted us with an update on their response to the vulnerability:

We have released multiple versions of our FW (6.51.0028, 6.50.0133, 6.44.0027) so our customers are not forced to migrate to a higher FW version, which otherwise in certain cases may lead to do additional testing/integration efforts with VMS.
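
The version numbers quoted in the article and comments above (affected from 6.32, fixed with 6.60, patched releases 6.51.0028, 6.50.0133 and 6.44.0027, certificate-based authentication from 6.40.0240) can be turned into a fleet triage check. This is an added example, not code from IPVM, VDOO or Bosch. It assumes each patched release covers only its own major.minor branch and that anything at or above 6.60 is fixed, and the camera names are constructed; confirm against Bosch's advisory before relying on it.

```python
import re

# Values quoted on this page.
FIRST_AFFECTED = (6, 32)        # "starting with firmware 6.32"
FIXED_FROM = (6, 60)            # "fixed with 6.60"
PATCHED_BRANCHES = {(6, 51): 28, (6, 50): 133, (6, 44): 27}  # 6.51.0028, 6.50.0133, 6.44.0027
CERT_AUTH_FROM = (6, 40, 240)   # certificate-based authentication "Starting with Release 6.40.0240"


def parse_fw(text):
    """Parse 'major.minor[.build]' into a 3-tuple of ints (build defaults to 0)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def classify(text):
    """Return the exposure status of one firmware version string."""
    fw = parse_fw(text)
    branch, build = fw[:2], fw[2]
    if branch < FIRST_AFFECTED:
        return "not affected"
    if branch >= FIXED_FROM:
        return "fixed"
    # Assumption: a patched build only fixes devices on the same branch.
    if branch in PATCHED_BRANCHES and build >= PATCHED_BRANCHES[branch]:
        return "fixed"
    if fw >= CERT_AUTH_FROM:
        return "vulnerable (certificate-auth mitigation available)"
    return "vulnerable"


def triage(inventory):
    """Map {device name: firmware string} to {device name: status}."""
    return {name: classify(fw) for name, fw in inventory.items()}


# Constructed sample inventory, for illustration only.
SAMPLE = {
    "lobby-cam": "6.30.0010",
    "dock-cam": "6.32.0111",
    "gate-cam": "6.44.0020",
    "yard-cam": "6.44.0027",
    "roof-cam": "6.60",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name:10} {SAMPLE[name]:10} {status}")
```
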