NVD Vulnerability Detail

CVE-2020-6769

Summary	Missing Authentication for Critical Function in the Bosch Video Streaming Gateway (VSG) allows an unauthenticated remote attacker to retrieve and set arbitrary configuration data of the Video Streaming Gateway. A successful attack can impact the confidentiality and availability of live and recorded video data of all cameras configured to be controlled by the VSG as well as the recording storage associated with the VSG. This affects Bosch Video Streaming Gateway versions 6.45 <= 6.45.08, 6.44 <= 6.44.022, 6.43 <= 6.43.0023 and 6.42.10 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable VSG version is installed with BVMS. This affects Bosch DIVAR IP 2000 <= 3.62.0019 and DIVAR IP 5000 <= 3.80.0039 if the corresponding port 8023 has been opened in the device's firewall.
Publication Date	Feb. 8, 2020, 5:15 a.m.
Registration Date	Jan. 26, 2021, noon
Last Update	Nov. 21, 2024, 2:36 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:bosch:video_streaming_gateway::::::::	6.44	6.44.022
cpe:2.3:a:bosch:video_streaming_gateway::::::::	6.43	6.43.0023
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.42.10
cpe:2.3:a:bosch:video_streaming_gateway::::::::	6.45	6.45.08

Configuration4		or higher	or less	more than	less than
cpe:2.3:a:bosch:video_streaming_gateway::::::::			6.42.10
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.43	6.43.0023
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.44	6.44.022
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.45	6.45.08
execution environment
1	cpe:2.3:h:bosch:divar_ip_3000:-:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:a:bosch:video_streaming_gateway::::::::			6.42.10
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.43	6.43.0023
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.44	6.44.022
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.45	6.45.08
execution environment
1	cpe:2.3:h:bosch:divar_ip_7000:-:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:a:bosch:video_streaming_gateway::::::::			6.42.10
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.43	6.43.0023
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.44	6.44.022
cpe:2.3:a:bosch:video_streaming_gateway::::::::		6.45	6.45.08
execution environment
1	cpe:2.3:h:bosch:divar_ip_all-in-one_5000:-:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://psirt.bosch.com/security-advisories/BOSCH-SA-260625-BT.html		Patch Vendor Advisory
2	https://psirt.bosch.com/security-advisories/BOSCH-SA-260625-BT.html		Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-306	重要な機能に対する認証の欠如解説	https://cwe.mitre.org/data/definitions/306.html

JVN Vulnerability Information

複数の Bosch 製品における重要な機能に対する認証の欠如に関する脆弱性

Title	複数の Bosch 製品における重要な機能に対する認証の欠如に関する脆弱性
Summary	複数の Bosch 製品には、重要な機能に対する認証の欠如に関する脆弱性が存在します。
Possible impacts	情報を取得される、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 29, 2020, midnight
Registration Date	Feb. 28, 2020, 11:25 a.m.
Last Update	Feb. 28, 2020, 11:25 a.m.

Affected System

Robert Bosch GmbH

DIVAR IP 2000 ファームウェア

DIVAR IP 5000 ファームウェア

Video Streaming Gateway (VSG)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-6769	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6769
National Vulnerability Database (NVD)
2	CVE-2020-6769	https://nvd.nist.gov/vuln/detail/CVE-2020-6769

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-306	https://cwe.mitre.org/data/definitions/306.html

ベンダー情報

No	Name	URL
Bosch PSIRT
1	BOSCH-SA-260625-BT	https://psirt.bosch.com/security-advisories/BOSCH-SA-260625-BT.html

Change Log

No	Changed Details	Date of change
1	[2020年02月28日] 掲載	Feb. 28, 2020, 11:25 a.m.