02 July 2021

KLCERT-21-030: Robert Bosch GmbH CPP HD/MP cameras. Improper Input Validation in Web service application

Vendor

Robert Bosch GmbH

Researcher

Andrey Muravitsky, Senior Security Researcher, Kaspersky ICS CERT

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    02 July 2021

  • Robert Bosch GmbH published the advisory

    09 June 2021

  • Vulnerability reported

    30 April 2021

Description

Kaspersky ICS CERT has discovered that the web service of the Robert Bosch GmbH CPP HD/MP cameras does not correctly parse the HTTP protocol.
Scope
Scope changed

Exploitability

⚠ Remotely exploitable: a victim must have a network access to ports 80/TCP or 443/TCP of the camera

Attack complexity

⚠ Low skill level to exploit

Privilege required

⚠ No privileges required

User interaction

User interaction required: the user must follow the attacker’s malicious link

Impact

⚠ Improper validation of the user’s data input allows an attacker to inject arbitrary HTTP headers through specially crafted URLs.

Affected products

  • CPP4 HD/MP IP cameras:
    • All firmware versions before 7.10.0095
  • CPP6 UHD/MP IP cameras:
    • 7.60 – All firmware build versions
    • 7.61 – All firmware build versions
    • 7.62 – All firmware build versions before 7.62.0005
    • 7.70 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0129
  • CPP7 UHD/MP IP cameras:
    • 7.60 – All firmware build versions
    • 7.61 – All firmware build versions
    • 7.62 – All firmware build versions before 7.62.0005
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0129
  • CPP7.3 HD/MP IP cameras:
    • 7.60 – All firmware build versions
    • 7.61 – All firmware build versions
    • 7.62 – All firmware build versions before 7.62.0005
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0129
  • CPP13 INTEOX IP cameras:
    • All firmware versions before 7.75.0008
  • AVIOTEC IP cameras:
    • 7.61 – All firmware build versions
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions before 7.72.0013

Mitigation

Robert Bosch GmbH mitigation

Software Updates: The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in timely manner, users are recommended to follow the mitigations and workarounds described in the following section.

Secure Configuration Environment: It is advised to use a Bosch tool like the Configuration Manager to configure the camera, that does not allow for issues like CSRF and XSS.

When using the web based configuration interface and currently being logged in as administrator, some security precautions can be taken to mitigate XSS and CSRF vulnerabilities:

  • No other websites or email content should be opened as long as the session to the camera is active
  • No links should be clicked from an untrusted external source that link back to the camera.
  • Use a different browser than the system default browser to open a session to the camera as there is no XSS or CSRF between browsers.
  • Always log out and/or close the browser (not only the tab) to clear any session data

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    02 July 2021

  • Robert Bosch GmbH published the advisory

    09 June 2021

  • Vulnerability reported

    30 April 2021