KLCERT-21-014: Robert Bosch GmbH CPP HD/MP cameras. Missing Authentication vulnerability for Critical Functions

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

KLCERT-ID: KLCERT-21-014
CVE: CVE-2021-23847
CWE: CWE-306: Missing Authentication vulnerability for Critical Function
Publication date: 2021-07-02
Researcher: Andrey Muravitsky

Description

Kaspersky ICS CERT has discovered a missing authentication vulnerability that allows critical commands to be executed via HTTP requests.

Impact

Missing authentication for critical functions in CPP HD/MP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings by sending specially crafted requests to the devices.

Severity

CVSS v3 Base Score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: Remotely exploitable; network access to ports 80/TCP or 443/TCP is required.
Difficulty: Low skill level to exploit
Privilege required: No privileges required
User interaction: No user interaction required

Affected products
  • CPP6 UHD/MP IP cameras:
    • 7.70 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0128
  • CPP7 UHD/MP IP cameras:
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0128
  • CPP7.3 HD/MP IP cameras:
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0128
  • AVIOTEC IP cameras:
    • 7.61 – All firmware build versions
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions before 7.72.0013
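
The affected-version list above expressed as an inventory check, added here as an example (not code from Kaspersky or Bosch). It assumes firmware strings in the `major.minor.build` form used on this page; the function names, platform keys and sample inventory rows are constructed for illustration.

```python
import re

# Affected matrix transcribed from the "Affected products" list above.
# None = every build of that branch is affected; int = first fixed build.
AFFECTED = {
    "CPP6":    {"7.70": None, "7.80": 128},
    "CPP7":    {"7.70": None, "7.72": None, "7.80": 128},
    "CPP7.3":  {"7.70": None, "7.72": None, "7.80": 128},
    "AVIOTEC": {"7.61": None, "7.70": None, "7.72": 13},
}

# Assumed firmware string format: major.minor.build, e.g. 7.80.0128
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def classify(platform, firmware):
    """Return 'affected', 'fixed-build', 'not-listed' or 'unparsed'."""
    m = _VERSION.match(firmware.strip())
    if not m:
        return "unparsed"  # needs manual review, never treat as safe
    branch = f"{m.group(1)}.{m.group(2)}"
    build = int(m.group(3))
    branches = AFFECTED.get(platform.strip().upper())
    if branches is None or branch not in branches:
        return "not-listed"  # the advisory is silent on this combination
    fixed = branches[branch]
    if fixed is None or build < fixed:
        return "affected"
    return "fixed-build"

def triage(inventory):
    """Map each (host, platform, firmware) row to its classification."""
    return {host: classify(platform, fw) for host, platform, fw in inventory}

# Constructed sample inventory (host names and build numbers are made up).
SAMPLE = [
    ("cam-lobby", "CPP7.3", "7.80.0127"),
    ("cam-dock", "CPP7.3", "7.80.0128"),
    ("cam-roof", "CPP6", "7.72.0008"),
    ("smoke-01", "AVIOTEC", "7.72.0012"),
    ("cam-gate", "CPP7", "7.70.0126"),
    ("cam-old", "CPP7", "v7.61"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:10} {verdict}")
```

A `not-listed` or `unparsed` result means the advisory does not cover that combination as written, so the device should be checked against the vendor advisory rather than assumed unaffected.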
Mitigation
Robert Bosch GmbH mitigation

Software Updates: The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in a timely manner, users are advised to follow the mitigations and workarounds described in the following section.

Firewalling: Disallowing connections from insecure networks to the camera by means of a firewall prevents the attacker from accessing the vulnerable interface.

IP Filtering: The camera has the possibility to whitelist networks or IP addresses to only allow access from trusted networks or IPs, preventing an attacker from accessing the camera.

Using certificate-based authentication: To mitigate the critical vulnerability CVE-2021-23847, certificate-based user authentication for the camera can be used, because the SSL-based authentication happens before the vulnerable component can be accessed. This prevents an unauthenticated attacker from accessing the interface.

Timeline

2021-04-13 – Vulnerability reported
2021-06-09 – Robert Bosch GmbH published the advisory