Advisory number

Title

Affected Products

Summary

BOSCH-SA-893251-BT

Publication
Date: 
2023-08-30

Remote Code Execution in RTS VLink Virtual Matrix

• RTS VLink Virtual Matrix Software

A security vulnerability has been uncovered in the admin interface of the RTS VLink Virtual Matrix Software. The vulnerability will allow a Remote Code Execution (RCE) attack.

Versions v5 (< 5.7.6) and v6 (< 6.5.0) of the RTS VLink Virtual Matrix Software are affected by this vulnerability. Older versions are not affected.

The vulnerability has been uncovered and disclosed responsibly by an external team of researchers.

BOSCH-SA-247054-BT

Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

• Bosch PRA-ES8P2S < 1.01.10

Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch. Customers are advised to upgrade to version 1.01.10 since it solves all vulnerabilities listed.

Customers are advised to isolate the switch from the Internet if upgrading is not possible.

The PRA-ES8P2S switch contains technology from the Advantech EKI-7710G series switches.

BOSCH-SA-988400-BT

Update in Cybersecurity Guidebook of BIS on Permission Settings for Network Share

• Bosch BIS

In a recent survey of BIS installations worldwide Bosch identified that for some installations the security settings may not meet our recommended security standards. For this reason, we have updated our "Cybersecurity Guidebook".

Section 4.5 of the Cybersecurity Guidebook describes how to configure access permissions for a shared folder of the BIS installation. In an older version of the Cybersecurity Guidebook, one of the recommended access permissions is wrongly stated as "Network" group instead of "Network Service" group. This information is updated in the new version of the documentation, because executing the earlier instructions may unintentionally grant access permission to potentially unauthorized users.

This is not a software bug, just an update of the documentation targeted at installers. This document is included in BIS installation folder since version BIS 5.0. Previous BIS version do not contain the document, but validating the security setting is generally advised.

BOSCH-SA-839739-BT

Information Disclosure Vulnerability in Bosch IP cameras

• Bosch Camera Firmware

An information disclosure vulnerability was discovered in Bosch IP camera devices allowing an unauthenticated attacker to retrieve information about the device itself (like capabilities) and network settings of the device, disclosing possibly internal network settings if the device is connected to the internet.

This vulnerability was discovered by Souvik Kandar and Arko Dhar from Redinent Innovations, India

BOSCH-SA-435698-BT

Due to an error in the software interface to the secure element chip on the cameras, the chip can be permanently damaged leading to an unusable camera when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".

BOSCH-SA-110112-BT

.NET Remote Code Execution Vulnerability in BVMS, BIS and AMS

• Bosch AMS
• Bosch BIS
• Bosch BVMS
• Bosch BVMS Viewer
• Bosch DIVAR IP 7000 R2
• Bosch DIVAR IP all-in-one 5000
• Bosch DIVAR • IP all-in-one 7000
• Bosch DIVAR IP all-in-one 7000 R3
• Bosch DIVAR IP all-in-one 4000
• Bosch DIVAR IP all-in-one 6000

The Bosch Video Management System (BVMS), the Bosch Access Management System (AMS), and the Bosch Building Integration System (BIS) are using a vulnerable version of the Microsoft .NET package System.Text.Encodings.Web.

The System.Text.Encodings.Web is a NuGet package from Microsoft, and Microsoft has published an advisory to provide information about a vulnerability in System.Text.Encodings.Web.

A remote code execution vulnerability exists in System.Text.Encodings.Web due to how text encoding is performed.

BOSCH-SA-391095

Vulnerability in Wiegand card data interpretation

• Bosch AMS
• Bosch BIS

Bosch Access Control products AMC2-4WCF and AMC2-2WCF have a firmware bug which may lead to misinterpretation of access card data that is sent from a Wiegand reader. This may in turn lead to granting physical access to an unauthorized person. This vulnerability affects only products with Wiegand interface, i.e., not devices with OSDP / RS485 interface.

BOSCH-SA-025794-BT

Unrestricted SSH port forwarding in BVMS

• Bosch BVMS
• Bosch BVMS Viewer
• Bosch DIVAR IP 3000
• Bosch DIVAR IP 7000 R1
• Bosch DIVAR IP 7000 R2
• Bosch DIVAR IP all-in-one 5000
• Bosch DIVAR IP all-in-one 7000
• Bosch DIVAR IP all-in-one 7000 R3
• Bosch DIVAR IP all-in-one 4000
• Bosch DIVAR IP all-in-one 6000

The Bosch Video Management System is using SSH server that does not restrict a port forwarding requested by an authenticated SSH client. An authenticated SSH client can request a connection which is forwarded by the BVMS SSH server to a resource within the trusted internal network, which is normally protected from the WAN interface. The resource can be beyond the scope of the Bosch Video Management System.

BOSCH-SA-341298-BT

Insecure authentication in B420 legacy communication module

• Bosch B420

An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End on Life (EoL) on 2013.  The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers.

The B420 does not allow for direct access to the panel as this module does not allow direct connection to the SDI/Option Bus that communicates directly with the panel. __ However, customers that are still using this device are advised to replace it for the B426 to ensure it is connected in a secure network.