CVE-2019-6958
Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems
Severity Score
9.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as "CWE-284: Improper Access Control." This vulnerability, for example, allows a potential attacker to delete video or read video data.
Una vulnerabilidad de seguridad encontrada recientemente impacta a todas las versiones 9.0 y siguientes de Bosch Video Management System (BVMS), DIVAR IP 2000, 3000, 5000 y 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). El puerto de red RCP+ permite acceso sin autenticación. La adición de la función authentication a la biblioteca correspondiente soluciona el problema. El problema es clasificado como "CWE-284: Improper Access Control". Esta vulnerabilidad, por ejemplo, permite a un potencial atacante eliminar un vídeo o leer datos de un vídeo.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-01-25 CVE Reserved
- 2019-05-29 CVE Published
- 2023-05-08 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Bosch Search vendor "Bosch" | Dip 2000 Firmware Search vendor "Bosch" for product "Dip 2000 Firmware" | < 0380.037 Search vendor "Bosch" for product "Dip 2000 Firmware" and version " < 0380.037" | - |
Affected
| in | Bosch Search vendor "Bosch" | Dip 2000 Search vendor "Bosch" for product "Dip 2000" | - | - |
Safe
|
| Bosch Search vendor "Bosch" | Dip 3000 Firmware Search vendor "Bosch" for product "Dip 3000 Firmware" | - | - |
Affected
| in | Bosch Search vendor "Bosch" | Dip 3000 Search vendor "Bosch" for product "Dip 3000" | - | - |
Safe
|
| Bosch Search vendor "Bosch" | Dip 5000 Firmware Search vendor "Bosch" for product "Dip 5000 Firmware" | < 038.037 Search vendor "Bosch" for product "Dip 5000 Firmware" and version " < 038.037" | - |
Affected
| in | Bosch Search vendor "Bosch" | Dip 5000 Search vendor "Bosch" for product "Dip 5000" | - | - |
Safe
|
| Bosch Search vendor "Bosch" | Dip 7000 Firmware Search vendor "Bosch" for product "Dip 7000 Firmware" | - | - |
Affected
| in | Bosch Search vendor "Bosch" | Dip 7000 Search vendor "Bosch" for product "Dip 7000" | gen1 Search vendor "Bosch" for product "Dip 7000" and version "gen1" | - |
Safe
|
| Bosch Search vendor "Bosch" | Dip 7000 Firmware Search vendor "Bosch" for product "Dip 7000 Firmware" | - | - |
Affected
| in | Bosch Search vendor "Bosch" | Dip 7000 Search vendor "Bosch" for product "Dip 7000" | gen2 Search vendor "Bosch" for product "Dip 7000" and version "gen2" | - |
Safe
|
| Bosch Search vendor "Bosch" | Access Easy Controller Firmware Search vendor "Bosch" for product "Access Easy Controller Firmware" | 2.1.8.5 Search vendor "Bosch" for product "Access Easy Controller Firmware" and version "2.1.8.5" | - |
Affected
| in | Bosch Search vendor "Bosch" | Access Easy Controller Search vendor "Bosch" for product "Access Easy Controller" | - | - |
Safe
|
| Bosch Search vendor "Bosch" | Access Easy Controller Firmware Search vendor "Bosch" for product "Access Easy Controller Firmware" | 2.1.9.0 Search vendor "Bosch" for product "Access Easy Controller Firmware" and version "2.1.9.0" | - |
Affected
| in | Bosch Search vendor "Bosch" | Access Easy Controller Search vendor "Bosch" for product "Access Easy Controller" | - | - |
Safe
|
| Bosch Search vendor "Bosch" | Access Easy Controller Firmware Search vendor "Bosch" for product "Access Easy Controller Firmware" | 2.1.9.1 Search vendor "Bosch" for product "Access Easy Controller Firmware" and version "2.1.9.1" | - |
Affected
| in | Bosch Search vendor "Bosch" | Access Easy Controller Search vendor "Bosch" for product "Access Easy Controller" | - | - |
Safe
|
| Bosch Search vendor "Bosch" | Access Easy Controller Firmware Search vendor "Bosch" for product "Access Easy Controller Firmware" | 2.1.9.3 Search vendor "Bosch" for product "Access Easy Controller Firmware" and version "2.1.9.3" | - |
Affected
| in | Bosch Search vendor "Bosch" | Access Easy Controller Search vendor "Bosch" for product "Access Easy Controller" | - | - |
Safe
|
| Bosch Search vendor "Bosch" | Access Professional Edition Search vendor "Bosch" for product "Access Professional Edition" | >= 3.0 <= 3.7 Search vendor "Bosch" for product "Access Professional Edition" and version " >= 3.0 <= 3.7" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Bosch Video Client Search vendor "Bosch" for product "Bosch Video Client" | < 1.7.6.079 Search vendor "Bosch" for product "Bosch Video Client" and version " < 1.7.6.079" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Bosch Video Management System Search vendor "Bosch" for product "Bosch Video Management System" | <= 9.0 Search vendor "Bosch" for product "Bosch Video Management System" and version " <= 9.0" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Building Integration System Search vendor "Bosch" for product "Building Integration System" | >= 2.2 <= 4.4 Search vendor "Bosch" for product "Building Integration System" and version " >= 2.2 <= 4.4" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Building Integration System Search vendor "Bosch" for product "Building Integration System" | 4.5 Search vendor "Bosch" for product "Building Integration System" and version "4.5" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Building Integration System Search vendor "Bosch" for product "Building Integration System" | 4.6 Search vendor "Bosch" for product "Building Integration System" and version "4.6" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Building Integration System Search vendor "Bosch" for product "Building Integration System" | 4.6.1 Search vendor "Bosch" for product "Building Integration System" and version "4.6.1" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Configuration Manager Search vendor "Bosch" for product "Configuration Manager" | < 6.10 Search vendor "Bosch" for product "Configuration Manager" and version " < 6.10" | - |
Affected
| ||||||
| Bosch Search vendor "Bosch" | Video Sdk Search vendor "Bosch" for product "Video Sdk" | < 6.32.0099 Search vendor "Bosch" for product "Video Sdk" and version " < 6.32.0099" | - |
Affected
| ||||||