Possible damage of secure element in Bosch IP cameras
BOSCH-SA-435698-BT
Advisory Information
- Advisory ID: BOSCH-SA-435698-BT
- CVE Numbers and CVSS v3.1 Scores:
- CVE-2023-32229
- Base Score: 4.9 (Medium)
- CVE-2023-32229
- Published: 31 May 2023
- Last Updated: 31 May 2023
Summary
Due to an error in the software interface to the secure element chip on the cameras, the chip can be permanently damaged leading to an unusable camera when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".
Affected Products
- Bosch Camera Firmware on: CPP13
- CVE-2023-32229
- Version(s): < 8.48
- CVE-2023-32229
- Bosch Camera Firmware on: CPP14
- CVE-2023-32229
- Version(s): 8.50 - 8.72 (including)
- CVE-2023-32229
Solution and Mitigations
Software Updates
The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in a timely manner, users are recommended to follow the mitigations and workarounds described in the following section. The versions to fix this issue are listed in the Advisory Appendix.
A reboot of the camera is required after uploading the update.
The version of the firmware should be checked after the update to confirm successful installation e.g. in the web based interface (Services - System Overview)
Increase Signature Interval
The default value for the signature interval is 1 second. Increasing the signature interval to 30 seconds will mitigate the problem without decreasing security of the signing process. During verification process of the video it might take longer for the signature to be verified. After installing the fixed version the interval can be set to 1 second again.
Disable Signature
Disabling this feature will, of course, mitigate this issue, but the video stream will no longer be signed and cannot be verified afterwards. After installing the update the feature can be enabled again.
Vulnerability Details
CVE-2023-32229
CVE description: Due to an error in the software interface to the secure element chip on Bosch IP cameras of family CPP13 and CPP14, the chip can be permanently damaged when enabling the Stream security option (signing of the video stream) with option MD5, SHA-1 or SHA-256.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
- Base Score: 4.9 (Medium)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .
Revision History
- 31 May 2023: Initial Publication
Appendix
Fixed Versions
| Camera Family | Version to fix this issue |
|---|---|
|
CPP13
|
8.48.0017
|
|
CPP14
|
8.80.0090
|
Material Lists
Bosch IP camera CPP13
| Family Name | CTN | SAP# |
|---|---|---|
|
AUTODOME inteox 7000i – 2 MP
|
NDP-7602-Z30
NDP-7602-Z30CT NDP-7602-Z30K NDP-7602-Z30-OC |
F.01U.381.159
F.01U.381.160 F.01U.381.162 F.01U.382.880 |
|
AUTODOME 7000i
|
NDP-7602-Z40
|
F.01U.389.322
F.01U.394.938 |
|
AUTODOME 7100i IR - 2MP
|
NDP-7602-Z40L
|
F.01U.389.324
F.01U.394.936 |
|
AUTODOME 7100i IR - 8MP
|
NDP-7604-Z12L
|
F.01U.389.326
F.01U.394.918 |
|
DINION inteox 7100i IR
|
NBE-7604-AL
NBE-7604-AL-OC |
F.01U.394.676
F.01U.386.377 |
|
FLEXIDOME inteox 7100i IR
|
NDE-7604-AL
NDE-7604-AL-OC |
F.01U.394.577
F.01U.386.375 |
|
MIC inteox 7100i - 2MP
|
MIC-7602-Z30B
MIC-7602-Z30BR MIC-7602-Z30W MIC-7602-Z30WR MIC-7602-Z30G MIC-7602-Z30GR |
F.01U.382.403
F.01U.381.145 F.01U.382.404 F.01U.381.146 F.01U.382.405 F.01U.381.147 |
|
MIC inteox 7100i - 2MP OC
|
MIC-7602-Z30BR-OC
MIC-7602-Z30WR-OC MIC-7602-Z30GR-OC |
F.01U.382.397
F.01U.382.398 F.01U.382.399 |
|
MIC inteox 7100i – 8MP
|
MIC-7604-Z12BR
MIC-7604-Z12WR MIC-7604-Z12GR |
F.01U.381.148
F.01U.381.149 F.01U.381.150 |
|
MIC inteox 7100i – 8MP OC
|
MIC-7604-Z12BR-OC
MIC-7604-Z12WR-OC MIC-7604-Z12GR-OC |
F.01U.382.400
F.01U.382.401 F.01U.382.402 |
Bosch IP camera CPP14
| Family Name | CTN | SAP# |
|---|---|---|
|
FLEXIDOME indoor 5100i
|
NDV-5702-A
NDV-5703-A NDV-5704-A |
F.01U.394.427
F.01U.394.429 F.01U.394.454 |
|
FLEXIDOME indoor 5100i IR
|
NDV-5702-AL
NDV-5703-AL NDV-5704-AL |
F.01U.394.428
F.01U.394.430 F.01U.394.455 |
|
FLEXIDOME outdoor 5100i
|
NDE-5702-A
NDE-5703-A NDE-5704-A |
F.01U.394.558
F.01U.394.560 F.01U.394.562 |
|
FLEXIDOME outdoor 5100i IR
|
NDE-5702-AL
NDE-5703-AL NDE-5704-AL |
F.01U.394.559
F.01U.394.561 F.01U.394.563 |
|
FLEXIDOME panoramic 5100i
|
NDS-5703-F360
NDS-5704-F360 |
F.01U.385.628
F.01U.385.629 |
|
FLEXIDOME panoramic 5100i IR
|
NDS-5703-F360LE
NDS-5704-F360LE |
F.01U.385.630
F.01U.385.631 |
|
FLEXIDOME multi 7000i
|
NDM-7702-A
NDM-7703-A |
F.01U.389.262
F.01U.389.263 |
|
FLEXIDOME multi 7000i IR
|
NDM-7702-AL
NDM-7703-AL |
F.01U.389.264
F.01U.389.265 |
|
DINION 7100i IR
|
NBE-7702-ALX
NBE-7703-ALX |
F.01U.390.686
F.01U.390.688 |