Summary: Kaspersky ICS CERT discovered multiple reflected XSS vulnerabilities in URI handlers (CVSS scope: changed).
# Vulnerability: Reflected Cross-Site Scripting in Bosch CPP HD/MP Camera URI Handlers
## CVE Details
- CVE ID: CVE-2021-23848
- CVSS Score: 8.8 (High) (Calculated using CVSS v3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
- CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
## Affected Systems
- Products: Robert Bosch GmbH CPP HD/MP cameras (including AVIOTEC models):
  - CPP4 HD/MP
  - CPP6 HD/MP
  - AVIOTEC cameras
  - CPP7 HD/MP
  - CPP7.3 HD/MP
  - CPP13 HD/MP
- Versions: specific firmware versions of each product line are affected:
  - CPP4: firmware versions before 7.10.0095
  - CPP6: all firmware versions
  - CPP7, CPP7.3: firmware versions before 7.80.0129 (or specific versions for earlier branches)
  - CPP13: firmware versions before 7.75.0008
  - AVIOTEC: firmware versions before 7.72.0013 (for the 7.72 branch)
## Vulnerability Description
Kaspersky ICS CERT discovered multiple reflected Cross-Site Scripting (XSS) vulnerabilities in the URI handlers of the affected Bosch camera systems. An attacker can inject script code via a specially crafted URI link. When a target user (e.g., an authenticated administrator) opens this link, the embedded script executes in the user's browser context, with the user's camera session. Because of this, the flaw allows execution of any RCP+ command via RCP+ over CGI.
## Exploitation
- Status: Not explicitly stated as exploited in the wild; the vulnerability class (reflected XSS) is well understood, so no further proof-of-concept details are given.
- Attack Complexity: Low
- Attack Vector: Network (Remotely exploitable if the victim has network access to ports 80/TCP or 443/TCP)
- User Interaction: Required (A user must follow the attacker's malicious link)
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
*(Note: Exploitation allows execution of RCP+ commands, suggesting control over configurations and operations, leading to high impact across all three categories.)*
## Remediation
### Patches
The recommended approach is to update the affected Bosch firmware to a fixed version. The fixed versions are detailed in the vendor advisory but are not listed in the summary text provided; users must consult the Bosch advisory for the exact fixed firmware build numbers corresponding to their product line.
### Workarounds
If immediate software updates are not possible, users are advised to implement the following security precautions when using the web-based configuration interface, especially while logged in as an administrator:
1. Do not open other websites or email content while the camera session is active.
2. Do not click on links from untrusted external sources that point back to the camera.
3. Use a different browser for accessing the camera configuration than the one used for general web browsing; separate browsers do not share sessions, which limits the reach of XSS/CSRF.
4. Always log out and close the browser entirely (not just the tab) to clear session data.
5. Use the Bosch Configuration Manager tool for configuration, which reportedly mitigates issues like CSRF and XSS.
## Detection
- Indicators of Compromise: Unrecognized scripts executing in the browser during camera management sessions, or unexpected configuration or operational changes resulting from successful RCP+ command execution.
- Detection Methods and Tools: Standard network and endpoint security monitoring tools capable of detecting injection attempts or suspicious traffic patterns targeting the camera's web interface, for example requests to the camera whose URIs carry script-like content.
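The detection methods above can be applied to the camera's own HTTP access logs (or to proxy/IDS logs of traffic to ports 80/TCP and 443/TCP). The following script is an added example, not code from the Kaspersky or Bosch advisories: it parses combined-format access log lines, percent-decodes the request target repeatedly (reflected payloads are often double-encoded), flags script-like content, and separately flags requests that arrive with a Referer from a host other than the camera, since this advisory's attack path is a victim following an external link back to the camera. The log lines, the camera hostname `cam.example.internal` and the paths are all constructed for illustration; the advisories do not name the vulnerable URI handlers.

```python
"""
Added example (not from the Kaspersky or Bosch advisories): triage of camera
web-interface access logs for reflected-XSS attempts. All log lines, hosts and
paths below are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" format:
# client ident user [timestamp] "METHOD target PROTOCOL" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Generic reflected-XSS indicators, evaluated on the fully decoded request target.
# The event-handler pattern requires a preceding space, quote or slash so that
# ordinary parameter names such as "?onvif=" are not flagged.
XSS_PATTERNS = [
    ("script tag", re.compile(r'<\s*script', re.I)),
    ("javascript: URI", re.compile(r'javascript\s*:', re.I)),
    ("inline event handler", re.compile(r'''(?:^|[\s"'/])on[a-z]+\s*=''', re.I)),
    ("injected markup", re.compile(r'<\s*(svg|img|iframe|body)\b', re.I)),
]


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), to see through
    double-encoded payloads."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(line, camera_host):
    """Annotate one log record with XSS and external-Referer findings."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = fully_decode(rec["target"])
    findings = [f"{name} in request target" for name, pat in XSS_PATTERNS
                if pat.search(decoded)]
    rec["xss"] = bool(findings)
    # A request to the camera referred from another site matches the advisory's
    # attack path (victim follows an external link pointing back to the camera).
    ref_host = urlsplit(rec["referer"]).hostname
    rec["external_referer"] = bool(ref_host) and ref_host != camera_host
    if rec["external_referer"]:
        findings.append(f"request referred from external host {ref_host}")
    rec["decoded_target"] = decoded
    rec["findings"] = findings
    return rec


def triage(lines, camera_host):
    """Return only the records that carry at least one finding."""
    out = []
    for line in lines:
        rec = analyse(line, camera_host)
        if rec and rec["findings"]:
            out.append(rec)
    return out


# Constructed sample log: one benign request, one double-encoded script tag,
# one event-handler payload arriving from an external site, one benign request
# from an external site, and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2021:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"http://cam.example.internal/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2021:08:03:40 +0000] "GET /page.htm?msg=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 331 '
    '"-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jun/2021:08:05:02 +0000] "GET /page.htm?name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 '
    '"http://intranet-wiki.example/links" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jun/2021:08:06:30 +0000] "GET /page.htm?name=lobby HTTP/1.1" 200 512 '
    '"http://intranet-wiki.example/links" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, "cam.example.internal"):
        print(rec["ts"], rec["client"], rec["decoded_target"])
        for f in rec["findings"]:
            print("   -", f)
```

Run the script as-is to see the three flagged records. Only GET-style payloads in the request line are visible in access logs; a proxy or IDS that records full requests is needed to apply the same patterns to POST bodies, and a TLS-terminating proxy is needed for port 443 traffic. The external-Referer heuristic is noisy on its own (any bookmark page or wiki link to the camera triggers it), so treat it as a prioritisation signal to be combined with the payload check rather than an alert by itself.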
## References
- Vendor Advisory: Robert Bosch GmbH advisory published 09 June 2021
- Kaspersky ICS CERT Advisory: KLCERT-21-016 (Published 02 July 2021)