Skip to main

Command injection vulnerability in Bosch IP Cameras

BOSCH-SA-638184-BT

Advisory Information

  • Advisory ID: BOSCH-SA-638184-BT
  • CVE Numbers and CVSS v3.1 Scores:
  • Published: 13 Dec 2023
  • Last Updated: 13 Dec 2023

Summary

A vulnerability was discovered in Bosch IP cameras of families CPP13 and CPP14, that allows an authenticated user with administrative rights to execute arbitrary commands in the operating system of the camera.

Affected Products

  • Bosch Camera Firmware on: CPP13
    • CVE-2023-39509
      • Version(s): <= 8.90
  • Bosch Camera Firmware on: CPP14
    • CVE-2023-39509
      • Version(s): 8.20 - 8.81 (including)

Solution and Mitigations

Software Updates

The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in a timely manner, users are recommended to follow the mitigations and workarounds described in the following section. The versions to fix this issue are listed in the Advisory Appendix.

A reboot of the camera is required after uploading the update.

The version of the firmware should be checked after the update to confirm successful installation e.g. in the web based interface (Services - System Overview)

General Mitigation Information

To exploit this vulnerability an attacker needs administrative rights on the camera. This can be either achieved e.g. by already having the administrative rights, using insecure passwords or by conducting e.g. a phishing attack.  The security of the accounts with administrative rights should follow security best practices as an example, but not limited to:

Secure Administration

Only trusted users should have access to the administrative interface and common security rules for administrative credentials should be followed (e.g. using strong, unique passwords).

Secure Configuration Environment

It is advised to use a Bosch tool like the Configuration Manager to configure the camera, that does not allow for issues like XSS or CSRF.

When using the web based configuration interface and currently being logged in as administrator, some security precautions can be taken:

  • No other websites or email content should be opened as long as the session to the camera is active

  • No links should be clicked from an untrusted external source that link back to the camera.

  • Use a different browser than the system default browser to open a session to the camera

  • Always log out and/or close the browser (not only the tab) to clear any session data

Vulnerability Details

CVE-2023-39509

CVE description: A command injection vulnerability exists in Bosch IP cameras that allows an authenticated user with administrative rights to run arbitrary commands on the OS of the camera.

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

  • 13 Dec 2023: Initial Publication

Appendix

Fixed Versions

Camera Family Version to fix this issue
CPP13
8.90.0037
CPP14
9.00.0210

Firmware Download

Material Lists

Bosch IP camera CPP13

Family Name CTN SAP#
AUTODOME inteox 7000i – 2 MP
NDP-7602-Z30
NDP-7602-Z30CT
NDP-7602-Z30K
NDP-7602-Z30-OC
F.01U.381.159
F.01U.381.160
F.01U.381.162
F.01U.382.880
AUTODOME 7000i
NDP-7602-Z40
F.01U.389.322
F.01U.394.938
AUTODOME 7100i IR - 2MP
NDP-7602-Z40L
F.01U.389.324
F.01U.394.936
AUTODOME 7100i IR - 8MP
NDP-7604-Z12L
F.01U.389.326
F.01U.394.918
DINION inteox 7100i IR
NBE-7604-AL
NBE-7604-AL-OC
F.01U.394.676
F.01U.386.377
FLEXIDOME inteox 7100i IR
NDE-7604-AL
NDE-7604-AL-OC
F.01U.394.577
F.01U.386.375
MIC inteox 7100i - 2MP
MIC-7602-Z30B
MIC-7602-Z30BR
MIC-7602-Z30W
MIC-7602-Z30WR
MIC-7602-Z30G
MIC-7602-Z30GR
F.01U.382.403
F.01U.381.145
F.01U.382.404
F.01U.381.146
F.01U.382.405
F.01U.381.147
MIC inteox 7100i - 2MP OC
MIC-7602-Z30BR-OC
MIC-7602-Z30WR-OC
MIC-7602-Z30GR-OC
F.01U.382.397
F.01U.382.398
F.01U.382.399
MIC inteox 7100i – 8MP
MIC-7604-Z12BR
MIC-7604-Z12WR
MIC-7604-Z12GR
F.01U.381.148
F.01U.381.149
F.01U.381.150
MIC inteox 7100i –  8MP OC
MIC-7604-Z12BR-OC
MIC-7604-Z12WR-OC
MIC-7604-Z12GR-OC
F.01U.382.400
F.01U.382.401
F.01U.382.402

Bosch IP camera CPP14

Family Name CTN SAP#
FLEXIDOME indoor 5100i
NDV-5702-A
NDV-5703-A
NDV-5704-A
F.01U.394.427
F.01U.394.429
F.01U.394.454
FLEXIDOME indoor 5100i IR
NDV-5702-AL
NDV-5703-AL
NDV-5704-AL
F.01U.394.428
F.01U.394.430
F.01U.394.455
FLEXIDOME outdoor 5100i
NDE-5702-A
NDE-5703-A
NDE-5704-A
F.01U.394.558
F.01U.394.560
F.01U.394.562
FLEXIDOME outdoor 5100i IR
NDE-5702-AL
NDE-5703-AL
NDE-5704-AL
F.01U.394.559
F.01U.394.561
F.01U.394.563
FLEXIDOME panoramic 5100i
NDS-5703-F360
NDS-5704-F360
F.01U.385.628
F.01U.385.629
FLEXIDOME panoramic 5100i IR
NDS-5703-F360LE
NDS-5704-F360LE
F.01U.385.630
F.01U.385.631
FLEXIDOME multi 7000i
NDM-7702-A
NDM-7703-A
F.01U.389.262
F.01U.389.263
FLEXIDOME multi 7000i IR
NDM-7702-AL
NDM-7703-AL
F.01U.389.264
F.01U.389.265
DINION 7100i IR
NBE-7702-ALX
NBE-7703-ALX
F.01U.390.686
F.01U.390.688