Full Report
Kaspersky ICS CERT has discovered a missing authentication vulnerability that allows critical commands to be executed via HTTP requests.
Analysis Summary
# Vulnerability: Missing Authentication for Critical Functions in Bosch CPP Cameras
## CVE Details
- **CVE ID:** CVE-2021-23847
- **CVSS Score:** 9.4 (Critical) [Note: Article text mentions 0.0, but the provided vector string and impact description confirm Critical severity.]
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- **CWE:** CWE-306: Missing Authentication for Critical Function
## Affected Systems
- **Products:** Robert Bosch GmbH CPP HD/MP IP Cameras
- **Versions:**
  - **CPP6 UHD/MP:** v7.70 (All); v7.80 (All versions before 7.80.0128)
  - **CPP7 UHD/MP:** v7.70 (All); v7.72 (All); v7.80 (All versions before 7.80.0128)
  - **CPP7.3 HD/MP:** v7.70 (All); v7.72 (All); v7.80 (All versions before 7.80.0128)
  - **AVIOTEC IP:** v7.61 (All); v7.70 (All); v7.72 (All versions before 7.72.0013)
- **Configurations:** Devices with ports 80/TCP (HTTP) or 443/TCP (HTTPS) accessible to the network.
## Vulnerability Description
A vulnerability exists in the web-based management interface where certain HTTP requests that trigger critical commands do not require authentication. This flaw allows an unauthenticated user to interact directly with the device’s internal functions that should be restricted to administrative accounts.
## Exploitation
- **Status:** Vulnerability discovered by Kaspersky ICS CERT; advisory published by vendor.
- **Complexity:** Low (Requires low skill level and no special conditions).
- **Attack Vector:** Network (Remote exploitation via HTTP/HTTPS).
## Impact
- **Confidentiality:** High (Extraction of sensitive device information).
- **Integrity:** High (Modification of device settings and configurations).
- **Availability:** High (Potential to disrupt camera operations through unauthorized commands).
## Remediation
### Patches
Update affected Bosch firmware to the following versions or newer:
- **CPP6 / CPP7 / CPP7.3:** FW version 7.80.0128
- **AVIOTEC IP:** FW version 7.72.0013
### Workarounds
- **Certificate-Based Authentication:** Implement SSL certificate-based user authentication. Because this authentication occurs at the handshake level, it blocks access to the vulnerable components before the HTTP request is processed.
- **IP Filtering:** Use the camera's built-in IP filtering/whitelisting features to restrict access only to trusted management workstations.
- **Firewalling:** Isolate cameras from insecure networks and restrict access to ports 80 and 443 via a network firewall.
## Detection
- **Indicators of Compromise:** Monitor web server logs for unusual HTTP/HTTPS requests to critical command paths originating from unauthorized or unknown IP addresses.
- **Detection Methods:** Vulnerability scanners can be used to check for outdated firmware versions on Bosch hardware. Network Intrusion Detection Systems (NIDS) should monitor for unauthenticated traffic directed at camera management endpoints.
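The firmware check mentioned above can be run against an asset inventory. The following is an added example, not code from Bosch or Kaspersky: it encodes the affected branches and fixed builds listed in this summary and sorts devices into affected, patched, or needing manual review. The inventory format, host names, function names and the three-part `major.minor.build` version format are assumptions.

```python
# Added example: tables transcribed from the Affected Systems and Patches lists above.
FIXED = {  # first fixed build per product family
    "CPP6": (7, 80, 128), "CPP7": (7, 80, 128),
    "CPP7.3": (7, 80, 128), "AVIOTEC IP": (7, 72, 13),
}
LISTED = {  # firmware branches this summary names as affected
    "CPP6": {(7, 70), (7, 80)},
    "CPP7": {(7, 70), (7, 72), (7, 80)},
    "CPP7.3": {(7, 70), (7, 72), (7, 80)},
    "AVIOTEC IP": {(7, 61), (7, 70), (7, 72)},
}

def parse_fw(version):
    """Turn '7.80.0128' (optionally 'v'-prefixed) into (7, 80, 128)."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in parts)

def status(family, version):
    """Return 'patched', 'affected', or 'review' for one device."""
    try:
        fw = parse_fw(version)
        fixed = FIXED[family]
    except (ValueError, KeyError):
        return "review"            # unknown family or unparsable version string
    if fw >= fixed:
        return "patched"           # at or beyond the fixed build
    if fw[:2] in LISTED[family]:
        return "affected"          # listed branch, below the fixed build
    return "review"                # branch this summary does not mention

def triage(inventory):
    """Map each (host, family, version) row to its status, affected first."""
    rows = [(host, family, version, status(family, version))
            for host, family, version in inventory]
    order = {"affected": 0, "review": 1, "patched": 2}
    return sorted(rows, key=lambda r: order[r[3]])

# Constructed inventory (hosts and builds are made up for illustration).
SAMPLE = [
    ("cam-lobby", "CPP7", "7.80.0128"),
    ("cam-dock", "CPP6", "v7.70.0126"),
    ("fire-01", "AVIOTEC IP", "7.72.0008"),
    ("cam-roof", "CPP7.3", "6.50.0133"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Devices reported as `review` run a branch that this summary does not list, so their exposure has to be confirmed against the vendor advisory rather than assumed.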
## References
- **Vendor Advisory:** hxxps://psirt[.]bosch[.]com/ (Search for CVE-2021-23847)
- **Kaspersky Advisory:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2021/07/02/klcert-21-014-robert-bosch-gmbh-cpp-hd-mp-cameras-missing-authentication-vulnerability-for-critical-functions/
- **NVD:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2021-23847