CVE-2021-23847
📋 TL;DR
This critical vulnerability in Bosch IP cameras allows unauthenticated remote attackers to extract sensitive information or modify camera settings by sending crafted requests. Only CPP6, CPP7, and CPP7.3 family devices with firmware versions 7.70, 7.72, and 7.80 prior to B128 are affected.
💻 Affected Systems
- Bosch CPP6 IP cameras
- Bosch CPP7 IP cameras
- Bosch CPP7.3 IP cameras
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of camera functionality, including disabling security features, extracting credentials, or using the camera as a pivot point into internal networks
Likely Case
Unauthorized access to camera feeds, configuration changes, or extraction of sensitive device information
If Mitigated
Limited impact if cameras are isolated in separate network segments with strict access controls
🎯 Exploit Status
Crafting the requests requires an understanding of the camera API, but no authentication is needed
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version B128 or later
Vendor Advisory: https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html
Restart Required: Yes
Instructions:
1. Download firmware B128 or later from the Bosch support portal.
2. Upload the firmware to the camera via the web interface.
3. Apply the update.
4. Reboot the camera.
🔧 Temporary Workarounds
Network segmentation
Isolate cameras in a separate VLAN with strict firewall rules
Access control lists
Implement IP-based restrictions to limit camera access
🧯 If You Can't Patch
- Remove cameras from internet-facing networks immediately
- Implement strict network segmentation and firewall rules to limit camera access
🔍 How to Verify
Check if Vulnerable:
Check the camera firmware version via the web interface or API. If the version is 7.70, 7.72, or 7.80 and the build number is lower than B128, the device is vulnerable.
Check Version:
Check via the camera web interface at /cgi-bin/version.cgi or a similar endpoint
Verify Fix Applied:
Confirm that the firmware version shows build B128 or later after the update
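An added helper for the version check above (example code written for this page, not Bosch's own tooling): it parses a firmware version string in the "major.minor.build" or "major.minor Bbuild" forms assumed here and applies the advisory's rule, so an inventory script can flag devices on branches 7.70, 7.72 or 7.80 with a build below 128.

```python
import re
from typing import Optional, Tuple

# Affected branches and the fixed build, as stated in the advisory.
AFFECTED_BRANCHES = {(7, 70), (7, 72), (7, 80)}
FIXED_BUILD = 128

# Assumed input formats: "7.80.0127" or "7.80 B127" (case-insensitive "B").
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:[bB](\d+))?\s*$")


def parse_firmware_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, build) or None if the string is not understood."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major = int(m.group(1))
    minor_str = m.group(2)
    # Bosch branches are written with two digits ("7.80"); treat a
    # single-digit minor such as "7.8" as the same branch.
    minor = int(minor_str) * 10 if len(minor_str) == 1 else int(minor_str)
    build_str = m.group(3) or m.group(4)
    if build_str is None:
        return None  # no build number, cannot decide
    return major, minor, int(build_str)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version falls under CVE-2021-23847 per the advisory rule,
    False if it is fixed or on a branch outside the affected list,
    None if the string could not be parsed."""
    parsed = parse_firmware_version(version_text)
    if parsed is None:
        return None
    major, minor, build = parsed
    if (major, minor) not in AFFECTED_BRANCHES:
        return False
    return build < FIXED_BUILD


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["7.80.0127", "7.80 B128", "7.72.0100", "7.60.0200", "unknown"]:
        print(f"{v!r:14} -> {is_vulnerable(v)}")
```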
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated API requests to configuration endpoints
- Multiple failed authentication attempts followed by successful configuration changes
Network Indicators:
- Unusual HTTP requests to camera configuration endpoints from unauthorized IPs
- Traffic patterns indicating configuration changes without authentication
SIEM Query:
source_ip NOT IN authorized_ips AND dest_port=80 AND (uri CONTAINS "/cgi-bin/" OR uri CONTAINS "/config")