
KLCERT-21-032: Robert Bosch GmbH CPP HD/MP cameras. Denial of Service via GET HTTP request

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

KLCERT-ID KLCERT-21-032
CVE CVE-2021-23852
CWE CWE-400: Uncontrolled Resource Consumption
Publication date 2021-07-02
Researcher Alexander Nochvay
Description

Kaspersky ICS CERT discovered a denial-of-service condition in CPP HD/MP cameras that can be triggered by an HTTP GET request to the camera's web server.

Impact

A specially crafted HTTP GET request to the web interface of CPP HD/MP cameras can cause a denial of service of the camera.

Severity
CVSS v3 Base Score 4.9 (Medium)
Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Exploitability Remotely exploitable: network access to port 80/TCP or 443/TCP is required
Difficulty Low skill level required to exploit
Privilege required High: an account with “service” privileges is required
User interaction No user interaction required
Affected products
  • CPP4 HD/MP cameras:
    • 7.10 – All firmware build versions before 7.10.0095
  • CPP6 HD/MP cameras:
    • 7.60 – All firmware build versions
    • 7.61 – All firmware build versions
    • 7.62 – All firmware build versions before 7.62.0005
    • 7.70 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0129
  • AVIOTEC cameras:
    • 7.61 – All firmware build versions
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions before 7.72.0013
  • CPP7 HD/MP cameras:
    • 7.60 – All firmware build versions
    • 7.61 – All firmware build versions
    • 7.62 – All firmware build versions before 7.62.0005
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0129
  • CPP7.3 HD/MP cameras:
    • 7.60 – All firmware build versions
    • 7.61 – All firmware build versions
    • 7.62 – All firmware build versions before 7.62.0004
    • 7.70 – All firmware build versions
    • 7.72 – All firmware build versions
    • 7.80 – All firmware build versions before 7.80.0129
  • CPP13 HD/MP cameras:
    • 7.75 – All firmware build versions before 7.75.0008
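The affected-products list above mixes two kinds of ranges ("all firmware build versions" of a line versus "before" a specific build), and the same firmware line is fixed at different builds on different platforms (7.62.0005 on CPP7 but 7.62.0004 on CPP7.3). The following is an added example, not code from the Kaspersky advisory or from Bosch, that encodes the table as data and triages an inventory against it. It assumes firmware versions are written as "major.minor.build" with a zero-padded build number, as the advisory writes them; the device names in the sample inventory are constructed.

```python
"""Triage an inventory of Bosch cameras against the affected-firmware list of
KLCERT-21-032 (CVE-2021-23852).

Added example, not code from the Kaspersky advisory or from Bosch. The
AFFECTED table is transcribed from the "Affected products" section of the
advisory. Assumption: firmware versions are written as "major.minor.build"
with a zero-padded build number, e.g. "7.80.0129".
"""
from __future__ import annotations

# platform -> {(major, minor): first fixed (major, minor, build), or None when
# the advisory lists every build of that firmware line as affected}
AFFECTED: dict[str, dict[tuple[int, int], tuple[int, int, int] | None]] = {
    "CPP4": {(7, 10): (7, 10, 95)},
    "CPP6": {
        (7, 60): None, (7, 61): None, (7, 62): (7, 62, 5),
        (7, 70): None, (7, 80): (7, 80, 129),
    },
    "AVIOTEC": {(7, 61): None, (7, 70): None, (7, 72): (7, 72, 13)},
    "CPP7": {
        (7, 60): None, (7, 61): None, (7, 62): (7, 62, 5),
        (7, 70): None, (7, 72): None, (7, 80): (7, 80, 129),
    },
    "CPP7.3": {
        (7, 60): None, (7, 61): None, (7, 62): (7, 62, 4),
        (7, 70): None, (7, 72): None, (7, 80): (7, 80, 129),
    },
    "CPP13": {(7, 75): (7, 75, 8)},
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse "7.62.0005" into (7, 62, 5).

    Integer tuples compare correctly; plain string comparison does not
    ("7.80.95" > "7.80.0129" as strings, although build 95 < build 129).
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version format: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def is_affected(platform: str, version: str) -> bool:
    """True if the (platform, firmware) pair falls in an affected range.

    A firmware line the advisory does not list (e.g. a line newer than the
    enumerated ones) is reported as not affected; that only means "not
    listed in this advisory", not a guarantee about that firmware.
    """
    lines = AFFECTED.get(platform.upper())
    if lines is None:
        raise KeyError(f"platform {platform!r} is not covered by this advisory table")
    major, minor, build = parse_version(version)
    if (major, minor) not in lines:
        return False
    first_fixed = lines[(major, minor)]
    if first_fixed is None:
        return True  # "All firmware build versions" of this line are affected
    return (major, minor, build) < first_fixed


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the names of (name, platform, version) entries that are affected."""
    return [name for name, platform, version in inventory if is_affected(platform, version)]


if __name__ == "__main__":
    # Constructed sample inventory; device names and versions are made up.
    sample = [
        ("lobby-cam-01", "CPP7", "7.80.0128"),    # one build before the fix
        ("lobby-cam-02", "CPP7", "7.80.0129"),    # first fixed build
        ("dock-cam-03", "CPP7.3", "7.62.0004"),   # fixed on CPP7.3 ...
        ("dock-cam-04", "CPP7", "7.62.0004"),     # ... but still affected on CPP7
        ("fire-cam-05", "AVIOTEC", "7.70.0042"),  # whole 7.70 line affected
        ("gate-cam-06", "CPP4", "7.10.0095"),     # first fixed build
    ]
    for name in triage(sample):
        print(f"{name}: affected, update firmware (KLCERT-21-032)")
```

Running the sample reports lobby-cam-01, dock-cam-04 and fire-cam-05 as affected. Comparing versions as integer tuples rather than strings matters here: zero-padded build numbers sort correctly as strings only while they keep the same width.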
Mitigation
Robert Bosch GmbH mitigation

Software Updates: The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in a timely manner, users are recommended to follow the mitigations and workarounds described below.

Firewalling: Disallowing connections from insecure networks to the camera by means of a firewall prevents the attacker from accessing the vulnerable interface.

IP Filtering: The camera has the possibility to whitelist networks or IP addresses to only allow access from trusted networks or IPs, preventing an attacker from accessing the camera.

Secure Configuration Environment: It is advised to configure the camera with a Bosch tool such as the Configuration Manager, which does not expose the browser-based attack surface (CSRF and XSS) of the web interface.

When using the web-based configuration interface while logged in as administrator, the following precautions mitigate XSS and CSRF vulnerabilities:

  • Do not open other websites or email content while the session to the camera is active.
  • Do not click links from untrusted external sources that point back to the camera.
  • Use a browser other than the system default browser to open a session to the camera, as there is no XSS or CSRF between browsers.
  • Always log out and/or close the browser (not only the tab) to clear any session data.
Timeline
  • 2021-04-30 – Vulnerability reported
  • 2021-06-09 – Robert Bosch GmbH published the advisory
  • 2021-07-02 – Kaspersky ICS CERT advisory published