Skip to main

Multiple vulnerabilities in Bosch IP cameras

BOSCH-SA-478243-BT

Advisory Information

Summary

Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch.

Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.

Customers are strongly advised to upgrade to the fixed versions.

These vulnerabilities were discovered by Alexander Nochvay and Andrey Muravitsky from Kaspersky ICS CERT.

Affected Products

  • Bosch CPP Firmware on: CPP4, CPP6, CPP7, CPP7.3, CPP13
    • CVE-2021-23848
    • CVE-2021-23852
    • CVE-2021-23853
  • Bosch CPP Firmware 7.62 on: CPP6, CPP7, CPP7.3
    • CVE-2021-23854
  • Bosch CPP Firmware 7.70 on: CPP6, CPP7, CPP7.3
    • CVE-2021-23847
    • CVE-2021-23854
  • Bosch CPP Firmware 7.72 on: CPP6, CPP7, CPP7.3
    • CVE-2021-23847
    • CVE-2021-23854
  • Bosch CPP Firmware 7.75 on: CPP13
    • CVE-2021-23854
  • Bosch CPP Firmware 7.76 on: CPP13
    • CVE-2021-23854
  • Bosch CPP Firmware < 7.80 B128 on: CPP6, CPP7, CPP7.3
    • CVE-2021-23847

Solution and Mitigations

Software Updates

The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in timely manner, users are recommended to follow the mitigations and workarounds described in the following section.

Platform Affected/revoked firmware Fixed firmware
CPP4
7.10
7.10.0095
CPP6
7.60, 7.61
7.62.0005
7.70, 7.80
7.80.0129
AVIOTEC
7.61, 7.72
7.72.0013
CPP7
7.60, 7.61
7.62.0005
7.70, 7.72, 7.80
7.80.0129
CPP7.3
7.60, 7.61, 7.62
7.62.0005
7.70, 7.72, 7.73, 7.80
7.80.0129
CPP13
7.75
7.75.0008

Firewalling

Disallowing connections from insecure networks to the camera by means of a firewall prevents the attacker from accessing the vulnerable interface.

IP Filtering

The camera has the possibility to whitelist networks or IP addresses to only allow access from trusted networks or IPs, preventing an attacker from accessing the camera.

Using certificate based authentication

To mitigate the critical vulnerability CVE-2021-23847, certificate based user authentication for the camera can be used as the SSL based authentication happens, before the vulnerable component can be accessed. This prevents an unauthenticated attacker from accessing the interface.

Secure Configuration Environment

It is advised to use a Bosch tool like the Configuration Manager to configure the camera, that does not allow for issues like XSS.

When using the web based configuration interface and currently being logged in as administrator, some security precautions can be taken to mitigate XSS vulnerabilities:

  • No other websites or email content should be opened as long as the session to the camera is active

  • No links should be clicked from an untrusted external source that link back to the camera.

  • Use a different browser than the system default browser to open a session to the camera as there is no XSS between browsers.

  • Always log out and/or close the browser (not only the tab) to clear any session data

Vulnerability Details

CVE-2021-23847

CVE description: A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device.

Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

CVE-2021-23848

CVE description: An error in the URL handler may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user.

CVE-2021-23852

CVE description: An authenticated attacker with administrator rights can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).

CVE-2021-23853

CVE description: Improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs.

CVE-2021-23854

CVE description: An error in the handling of a page parameter may lead to a reflected cross site scripting (XSS) in the web-based interface.

This issue only affects versions 7.7x and 7.6x. All other versions are not affected.

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

  • 09 Jun 2021: Correction of build version number of fixed firmware
  • 09 Jun 2021: Initial Publication

Appendix

Affected Plattforms and Cameras

CPP13

  • AUTODOME inteox 7000i

  • MIC inteox 7100i

CPP7.3

  • AUTODOME IP 4000i

  • AUTODOME IP 5000i

  • AUTODOME IP starlight 5000i (IR)

  • AUTODOME IP starlight 7000i

  • DINION IP 3000i

  • DINION IP bullet 4000i

  • DINION IP bullet 5000

  • DINION IP bullet 5000i

  • DINION IP bullet 6000i

  • FLEXIDOME IP 3000i

  • FLEXIDOME IP 4000i

  • FLEXIDOME IP 5000i

  • FLEXIDOME IP starlight 5000i (IR)

  • FLEXIDOME IP starlight 8000i

  • MIC IP starlight 7000i

  • MIC IP starlight 7100i

  • MIC IP ultra 7100i

  • MIC IP fusion 9000i

CPP7

  • DINION IP starlight 6000

  • DINION IP starlight 7000

  • DINION IP thermal 8000

  • FLEXIDOME IP starlight 6000

  • FLEXIDOME IP starlight 7000

  • DINION IP thermal 9000 RM

CPP6

  • DINION IP starlight 8000 12MP

  • DINION IP ultra 8000 12MP

  • DINION IP ultra 8000 12MP with C/CS mount telephoto lens

  • FLEXIDOME IP panoramic 6000 12MP 180

  • FLEXIDOME IP panoramic 6000 12MP 360

  • FLEXIDOME IP panoramic 6000 12MP 180 IVA

  • FLEXIDOME IP panoramic 6000 12MP 360 IVA

  • FLEXIDOME IP panoramic 7000 12MP 180

  • FLEXIDOME IP panoramic 7000 12MP 360

  • FLEXIDOME IP panoramic 7000 12MP 180 IVA

  • FLEXIDOME IP panoramic 7000 12MP 360 IVA

CPP4

  • AUTODOME IP 4000 HD

  • AUTODOME IP 5000 HD

  • AUTODOME IP 5000 IR

  • AUTODOME 7000 series

  • DINION HD 1080p

  • DINION HD 1080p HDR

  • DINION HD 720p

  • DINION imager 9000 HD

  • DINION IP bullet 4000

  • DINION IP bullet 5000

  • DINION IP 4000 HD

  • DINION IP 5000 HD

  • DINION IP 5000 MP

  • DINION IP starlight 7000 HD

  • FLEXIDOME corner 9000 MP

  • FLEXIDOME HD 1080p

  • FLEXIDOME HD 1080p HDR

  • FLEXIDOME HD 720p

  • Vandal-proof FLEXIDOME HD 1080p

  • Vandal-proof FLEXIDOME HD 1080p HDR

  • Vandal-proof FLEXIDOME HD 720p

  • FLEXIDOME IP micro 2000 HD

  • FLEXIDOME IP micro 2000 IP

  • FLEXIDOME IP indoor 4000 HD

  • FLEXIDOME IP indoor 4000 IR

  • FLEXIDOME IP outdoor 4000 HD

  • FLEXIDOME IP outdoor 4000 IR

  • FLEXIDOME IP indoor 5000 HD

  • FLEXIDOME IP indoor 5000 MP

  • FLEXIDOME IP micro 5000 MP

  • FLEXIDOME IP outdoor 5000 HD

  • FLEXIDOME IP outdoor 5000 MP

  • FLEXIDOME IP panoramic 5000

  • IP bullet 4000 HD

  • IP bullet 5000 HD

  • IP micro 2000

  • IP micro 2000 HD

  • MIC IP dynamic 7000

  • MIC IP starlight 7000

  • TINYON IP 2000 family