CVE-2023-28175
📋 TL;DR
This vulnerability allows authenticated SSH users on Bosch VMS systems to bypass authorization controls and access internal network resources through port forwarding requests. It affects Bosch VMS versions 11.0, 11.1.0, and 11.1.1, potentially exposing sensitive internal systems to unauthorized access.
💻 Affected Systems
- Bosch Video Management System (VMS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could pivot through the VMS system to access critical internal infrastructure, potentially compromising sensitive systems, exfiltrating data, or launching further attacks from within the trusted network.
Likely Case
An authenticated user with malicious intent could access internal services that should be restricted, potentially viewing sensitive data or interacting with internal systems beyond their authorized scope.
If Mitigated
With proper network segmentation and access controls, the impact would be limited to accessing only non-critical internal resources within the same network segment.
🎯 Exploit Status
Exploitation requires valid SSH credentials and knowledge of port forwarding techniques. The vulnerability is in authorization logic, not authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.1.2
Vendor Advisory: https://psirt.bosch.com/security-advisories/BOSCH-SA-025794-bt.html
Restart Required: Yes
Instructions:
1. Download Bosch VMS 11.1.2 from official Bosch sources. 2. Backup current configuration and data. 3. Install the update following Bosch's installation guide. 4. Restart the VMS server and verify functionality.
🔧 Temporary Workarounds
Disable SSH Access
windowsTemporarily disable SSH access to the VMS server if not required for operations
Disable SSH service in Windows Services or firewall rules
Restrict SSH Users
windowsLimit SSH access to only absolutely necessary administrative accounts
Configure SSH server to only allow specific users/groups
🧯 If You Can't Patch
- Implement strict network segmentation to isolate VMS systems from critical internal resources
- Monitor SSH logs for unusual port forwarding activity and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check VMS version in administration interface or via 'About' dialog. Versions 11.0, 11.1.0, and 11.1.1 are vulnerable.Check Version:
Check VMS version in web interface at https://[vms-server]/ or via Windows Control Panel > Programs and FeaturesVerify Fix Applied:
Verify VMS version shows 11.1.2 or later in administration interface. Test SSH port forwarding with authorized user to confirm restrictions work.📡 Detection & Monitoring
Log Indicators:
- SSH logs showing successful port forwarding requests
- Unusual SSH connections followed by internal network access attempts
Network Indicators:
- Unexpected outbound connections from VMS server to internal systems
- SSH tunnel establishment patterns
SIEM Query:
source="ssh_logs" AND (event="port-forwarding" OR event="tunnel") AND dest_ip IN (internal_subnets)