Kaspersky ICS CERT discovered a reflected XSS in a page parameter. Scope: changed.
Analysis Summary
# Vulnerability: Reflected XSS in Robert Bosch GmbH CPP HD/MP Cameras
## CVE Details
- **CVE ID:** CVE-2021-23854
- **CVSS Score:** 6.1 (Medium). Note: the article text mentions 0.0, but the vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` suggests a high-impact score. The standard NVD calculation for this vector is **9.6 (Critical)** due to the Scope change and High impact across all metrics.
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Reflected Cross-site Scripting)
## Affected Systems
- **Products:** Bosch CPP HD/MP and AVIOTEC Cameras
- **Versions:**
  - **CPP4:** 7.10 (before 7.10.0095)
  - **CPP6:** 7.60, 7.61 (all); 7.62 (before 7.62.0005); 7.70 (all)
  - **AVIOTEC:** 7.61, 7.70 (all); 7.72 (before 7.72.0013)
  - **CPP7/CPP7.3:** 7.60, 7.61, 7.70, 7.72 (all); 7.62 (before 7.62.0005)
  - **CPP13:** 7.75 (before 7.75.0008)
- **Configurations:** Systems where human operators access the web-based management interface via ports 80/TCP or 443/TCP.
## Vulnerability Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in a specific page parameter of the camera's web interface. The application fails to properly neutralize user-supplied input before including it in the generated web page. This allows an attacker to inject and execute malicious scripts in the context of the user's browser session.
## Exploitation
- **Status:** PoC available (detailed in research)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Requirement:** User interaction is required. A victim must click a malicious link and successfully authenticate to the camera.
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Technical Consequence:** An attacker can execute any RCP+ command via "RCP+ over CGI." This allows for full control over camera functions and settings if an authenticated administrator is targeted.
## Remediation
### Patches
Update firmware to the following versions (or newer):
- **CPP4:** v7.10.0095
- **CPP6 / CPP7 / CPP7.3:** v7.62.0005
- **AVIOTEC:** v7.72.0013
- **CPP13:** v7.75.0008
### Workarounds
- Use the **Bosch Configuration Manager** tool instead of the web interface for device configuration.
- Avoid clicking links from untrusted sources or opening other websites/emails while a camera session is active.
- Use a dedicated browser for camera management that is separate from the system's default browser.
- Explicitly log out and close the entire browser (not just the tab) after finishing work.
## Detection
- **Indicators of Compromise:** Unusual configuration changes or RCP+ commands recorded in logs not initiated by authorized personnel.
- **Detection Methods:** Monitor network traffic for suspicious URL parameters containing script tags or encoded RCP+ commands directed at camera IP addresses.
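
The following sketch is an added example, not code from Bosch or Kaspersky. It applies the script-markup half of the detection method above to proxy log lines, decoding nested percent-encoding before matching. The log format, the camera address range, the path and the parameter name `param` are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Assumption: camera management addresses (documentation range, constructed).
CAMERA_NETS = [ipaddress.ip_network("192.0.2.0/28")]
# Markup that has no business inside a management-URL parameter.
MARKUP = re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_camera(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in CAMERA_NETS)
    except ValueError:  # a hostname rather than an IP literal
        return False

def suspicious_params(url):
    """Return [(name, decoded_value)] for markup-bearing parameters of camera URLs."""
    parts = urlsplit(url)
    if not parts.hostname or not is_camera(parts.hostname):
        return []
    decoded = [(n, fully_decode(v)) for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return [(n, v) for n, v in decoded if MARKUP.search(v)]

def scan(log_lines):
    """Assumed proxy log format: '<timestamp> <client_ip> <method> <url>'."""
    alerts = []
    for line in log_lines:
        fields = line.split(maxsplit=3)
        if len(fields) == 4:
            ts, client, _method, url = fields
            for name, value in suspicious_params(url):
                alerts.append({"time": ts, "client": client, "param": name, "value": value})
    return alerts

# Constructed sample lines; the path and the parameter name "param" are hypothetical.
SAMPLE_LOG = [
    "2021-07-02T10:00:01Z 10.0.0.5 GET http://192.0.2.10/example.htm?mode=live",
    "2021-07-02T10:00:07Z 10.0.0.5 GET http://192.0.2.10/example.htm?param=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "2021-07-02T10:00:09Z 10.0.0.6 GET http://192.0.2.11/example.htm?param=%253Csvg%2520onload%253D1%253E",
    "2021-07-02T10:00:12Z 10.0.0.6 GET http://198.51.100.7/search?q=%3Cscript%3E",
]
```

Calling `scan(SAMPLE_LOG)` returns two alerts, one per camera-bound request carrying markup; the double-encoded line is caught only because decoding is repeated until the value stops changing.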
## References
- **Vendor Advisory:** https://psirt.bosch.com/advisories/BOSCH-SA-051415.html
- **NVD:** hxxps://nvd.nist.gov/vuln/detail/CVE-2021-23854
- **Kaspersky ICS CERT:** hxxps://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-019-robert-bosch-gmbh-cpp-hd-mp-cameras-reflected-xss-in-a-page-parameter/