Full Report

Kaspersky ICS CERT has discovered that the web service of the Robert Bosch GmbH CPP HD/MP cameras does not correctly parse the HTTP protocol.

Analysis Summary
# Vulnerability: Improper HTTP Protocol Parsing in Bosch CPP HD/MP Camera Web Service
## CVE Details
- CVE ID: CVE-2021-23853
- CVSS Score: 6.1 (Medium). *Note: the text lists the CVSS score as 0.0, but the vector string provided maps to 6.1.*
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
- CWE: CWE-20: Improper Input Validation
## Affected Systems
- Products:
  - Robert Bosch GmbH CPP HD/MP IP cameras (CPP4, CPP6 UHD/MP, CPP7 UHD/MP, CPP7.3 HD/MP, AVIOTEC IP cameras, CPP13 INTEOX IP cameras)
- Versions:
  - CPP4 HD/MP: all firmware versions before 7.10.0095
  - CPP6 UHD/MP: 7.60 (all builds), 7.61 (all builds), 7.62 (before 7.62.0005), 7.70 (all builds), 7.80 (before 7.80.0129)
  - CPP7 UHD/MP / CPP7.3 HD/MP: 7.60 (all builds), 7.61 (all builds), 7.62 (before 7.62.0005), 7.70 (all builds), 7.72 (all builds), 7.80 (before 7.80.0129)
  - CPP13 INTEOX IP cameras: all firmware versions before 7.75.0008
  - AVIOTEC IP cameras: 7.61 (all builds), 7.70 (all builds), 7.72 (before 7.72.0013)
- Configurations: Web service accessible on ports 80/TCP or 443/TCP.
## Vulnerability Description
The web service of the affected cameras fails to correctly parse the HTTP protocol. This improper validation of user-supplied input allows an attacker to inject arbitrary HTTP headers by leveraging specially crafted URLs.
## Exploitation
- Status: PoC available (inferred from the detailed exploitability section; the advisory does not explicitly state that a public PoC exists)
- Complexity: Low
- Attack Vector: Network (Remotely exploitable via network access to HTTP/S ports)
- Required Interaction: User interaction required (user must click a malicious link).
## Impact
- Confidentiality: No Impact (C:N)
- Integrity: High Impact (I:H) - Due to arbitrary header injection capability.
- Availability: No Impact (A:N)
## Remediation
### Patches
- Update the firmware to the fixed version for each product line (7.10.0095 or later for CPP4; for the other lines, the first build not listed as affected under Affected Systems).
- The recommended primary action is a software update.
### Workarounds
If immediate updating is not possible:
1. Use the Bosch Configuration Manager tool for configuration instead of the web interface.
2. When using the web configuration interface while logged in as administrator:
   * Do not open other websites or email content during an active camera session.
   * Do not click links from untrusted external sources that point back to the camera.
   * Use a different browser for the camera session than the system default browser to mitigate potential XSS/CSRF chains.
   * Always log out and close the entire browser (not just the tab) to clear session data.
## Detection
- Indicators of Compromise: unexpected or unusually formatted HTTP requests to the camera's web service, in particular request URLs that could carry header-injection attempts.
- Detection methods and tools: standard packet inspection of traffic on ports 80/443 to identify malformed HTTP requests targeting the web service.
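The following is an added illustration for the two points above (the header-injection-via-URL weakness in the Vulnerability Description and the malformed-request indicators in this Detection section). It is not Bosch code and makes no claim about how the camera firmware parses HTTP: it shows the generic CWE-20 defence of refusing any URL-derived value that contains a raw or percent-encoded line break before copying it into a response header, and runs the same check over constructed access-log lines to surface requests worth investigating. The log lines, IP addresses (RFC 5737 test ranges), paths and the `X-Injected` header name are all constructed for the example.

```python
"""Detecting and blocking CRLF-style HTTP header injection in request URIs.

Added illustration; not the camera's code. Part 1 is a hardened check that a
URL-derived value is safe to place in an HTTP header. Part 2 runs that check
over constructed web-server access-log lines (ports 80/443 traffic) to flag
injection attempts.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Any ASCII control character (including CR 0x0d and LF 0x0a) has no place in
# a URI that will be copied into a response header line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Common Log Format: ip ident user [time] "METHOD URI PROTO" status bytes
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %250d%250a are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def header_injection_reason(raw_uri: str) -> Optional[str]:
    """Return a short reason if raw_uri could smuggle a line break into a
    response header, or None if it looks clean."""
    if _CONTROL_CHARS.search(raw_uri):
        return "raw control character in request URI"
    decoded = decode_fully(raw_uri)
    if "\r" in decoded or "\n" in decoded:
        return "encoded CR/LF in request URI"
    if _CONTROL_CHARS.search(decoded):
        return "encoded control character in request URI"
    return None


def build_location_header(target: str) -> str:
    """Hardened construction of a Location header from a URL-derived value:
    refuse anything that could terminate the header line early."""
    reason = header_injection_reason(target)
    if reason is not None:
        raise ValueError(f"refusing to emit header: {reason}")
    return f"Location: {target}"


def scan_access_log(text: str) -> list:
    """Run the check over CLF access-log lines; return the flagged requests."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _CLF.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reason = header_injection_reason(m["uri"])
        if reason:
            findings.append({"line": lineno, "ip": m["ip"],
                             "uri": m["uri"], "reason": reason})
    return findings


# Constructed sample log: generic paths, RFC 5737 test addresses. Lines 2 and 3
# carry a single- and a double-encoded CR/LF; line 4 is a benign encoded space.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jun/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
192.0.2.11 - - [09/Jun/2021:10:00:02 +0000] "GET /view?page=main%0d%0aX-Injected:%201 HTTP/1.1" 302 0
192.0.2.12 - - [09/Jun/2021:10:00:03 +0000] "GET /view?page=main%250d%250aX-Injected:%201 HTTP/1.1" 302 0
192.0.2.13 - - [09/Jun/2021:10:00:04 +0000] "GET /view?page=settings%20overview HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['reason']}: {f['uri']}")
    print(build_location_header("/view?page=main"))
```

The bounded repeated decoding is the part worth copying: a single `unquote` pass passes `%250d%250a` through untouched, and a downstream component that decodes again would see a real CR/LF. The same function serves both as the server-side guard and as the log-scanning rule, so what the detection flags is exactly what the hardened code would have refused.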
## References
- Vendor Advisory: Published June 09, 2021
- Kaspersky Advisory: KLCERT-21-030 (Published July 02, 2021)