Product:
========
AEC 2.1.9.0
AEC 2.1.9.1
AEC 2.1.9.2
AEC 2.1.9.3
AEC 2.1.9.4
AEC 2.1.9.5

Order numbers of the product:
- APC-AEC21-UPS1
- ASL-AEC21-SWK

Date:
=====
18 October 2021

Problem:
========
A recently discovered security vulnerability in this product allows an unauthenticated attacker to cause an application crash (Denial of Service / DoS). If the product is protected by a firewall, the attack is limited to local signed-in users.

Details can be found in CVE-2021-23859 at
https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html

Bosch rates the vulnerability for this product with a CVSSv3.1 base score of 5.5 (Medium); the actual rating depends on the final assessment of the customer's environment.

Mitigation:
===========
In this README file we describe a patching process to replace a binary file on your installed system with a file that fixes the vulnerability. Future versions of this product will have this patch included and will not require manual patching. Customers are strongly advised to apply this patching procedure or migrate their system to a higher version when available.

Disallowing connections to ports 40080 - 40099 TCP of the software / appliance by means of a firewall prevents the attacker from reaching the vulnerable interface.

Patch files:
============
The patch can be downloaded from https://downloadstore.boschsecurity.com/index.php
Select "Software" and "Access Easy Controller".
Download the file AEC-CVE-2021-23859.zip

The ZIP file contains:
- README-AEC-CVE-2021-23859.txt (this file)
- vj_generic.dll (File version 6.40.54.0)

Update procedure:
=================
If you are using a Bosch camera with the AEC panel, follow this procedure to resolve the security vulnerability.

- Apply the latest ActiveX/VideoSDK patch version 6.32.0099 - 2.0.0.4; refer to the links below.
  - https://resources-boschsecurity-cdn.azureedge.net/public/software/AEC_Software_AEC2.1_Video_plugins_version_6.32.0099___2.0.0.4_Readme_all_69339314187.pdf
  - https://resources-boschsecurity-cdn.azureedge.net/public/software/AEC_Software_AEC_all_69339317771.zip
- After successful installation of the ActiveX/VideoSDK patch, do the following on every AEC client PC:
  - Close all Internet Explorer (IE) browser windows
  - Open File Explorer
  - Navigate to the folder "C:\Program Files (x86)\Bosch\VideoSDK6\bin\Bosch.VideoSDK5.BVIP"
  - Rename vj_generic.dll to vj_generic.dll_old
  - Copy the vj_generic.dll from the ZIP file into this folder
  - Open IE and use it as usual.

Imprint:
========
Bosch Security Systems B.V.
Torenallee 49
5617 BA, Eindhoven
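The following PowerShell script is an added example for the two mitigations above (the firewall block on TCP 40080 - 40099 and the vj_generic.dll replacement); it is not Bosch's own tooling and is not part of the advisory. It assumes that the Windows Firewall on the client PC is the firewall in front of the AEC software, that the patch ZIP has been extracted to the hypothetical folder C:\Temp\AEC-CVE-2021-23859, and that it runs from an elevated PowerShell prompt. The only values taken from the advisory are the port range, the target folder, the file name and the expected file version 6.40.54.0; everything else is an assumption.

```powershell
# Added example (not Bosch's own tooling): applies the two mitigations from this
# advisory on a Windows host and verifies the result. Assumptions: the Windows
# Firewall is the firewall in front of the AEC software, the patch ZIP has been
# extracted to $PatchDir, and the script runs from an elevated PowerShell prompt.

$PatchDir        = 'C:\Temp\AEC-CVE-2021-23859'   # assumption: ZIP extraction folder
$TargetDir       = 'C:\Program Files (x86)\Bosch\VideoSDK6\bin\Bosch.VideoSDK5.BVIP'
$DllName         = 'vj_generic.dll'
$ExpectedVersion = '6.40.54.0'                    # file version stated in the advisory
$RuleName        = 'AEC CVE-2021-23859 - block TCP 40080-40099'   # assumption: rule name

function Add-AecPortBlockRule {
    # Mitigation 1: refuse inbound connections to the vulnerable interface.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort '40080-40099' -Action Block -Profile Any | Out-Null
    }
    # Show the port filter so the rule can be checked against the advisory.
    Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
}

function Install-AecDllPatch {
    # Mitigation 2: replace vj_generic.dll as described in the update procedure.
    # The advisory asks for IE to be closed first; abort instead of killing it.
    if (Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
        throw 'Close all Internet Explorer windows before patching.'
    }

    $NewDll     = Join-Path $PatchDir  $DllName
    $CurrentDll = Join-Path $TargetDir $DllName
    $BackupName = "${DllName}_old"

    if (-not (Test-Path $NewDll)) { throw "Patched $DllName not found in $PatchDir" }

    # Refuse to install a file that does not carry the version the advisory names.
    # The string comparison assumes the DLL reports its version exactly as 6.40.54.0.
    $NewVersion = (Get-Item $NewDll).VersionInfo.FileVersion
    if ($NewVersion -ne $ExpectedVersion) {
        throw "Unexpected file version '$NewVersion' for $NewDll (expected $ExpectedVersion)"
    }

    $OldVersion = (Get-Item $CurrentDll).VersionInfo.FileVersion
    Write-Host "Installed $DllName before patch: $OldVersion"

    # Keep the original as vj_generic.dll_old so the change can be rolled back.
    if (Test-Path (Join-Path $TargetDir $BackupName)) {
        throw "$BackupName already exists in $TargetDir; remove or rename it first."
    }
    Rename-Item -Path $CurrentDll -NewName $BackupName
    Copy-Item   -Path $NewDll -Destination $CurrentDll

    # Verify that the installed file now reports the fixed version.
    $Installed = (Get-Item $CurrentDll).VersionInfo.FileVersion
    if ($Installed -ne $ExpectedVersion) {
        throw "Verification failed: $CurrentDll reports version '$Installed'"
    }
    Write-Host "Patch applied: $DllName is now $Installed"
}

Add-AecPortBlockRule
Install-AecDllPatch
```

The version check before and after the copy is the part worth keeping even if the rest is done by hand: a client PC whose vj_generic.dll still reports a version other than 6.40.54.0 after the procedure has not been patched, regardless of what the file explorer shows. On appliance deployments the firewall rule has to be applied on the network firewall in front of the appliance instead; the port range is the same.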