Missing Authentication, XSS & DoS vulnerabilities in Robert Bosch CCTV cameras allow hackers to spy on you. Patch now

Cybersecurity specialists report the discovery of three vulnerabilities in high-definition cameras manufactured by the technology company Robert Bosch. According to the report, successful exploitation of these flaws would allow the deployment of denial of service (DoS) attacks, cross-site scripting (XSS) attacks, and evasion of authentication mechanisms.

Below are brief reports of the flaws detected, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-23852: The application does not adequately handle the consumption of internal system resources, so a remote administrator can send a specially crafted HTTP GET request, trigger resource exhaustion, and lead to a DoS attack.

This is a low-severity vulnerability and received a CVSS score of 5.9/10, cybersecurity experts say.

CVE-2021-23847: The absence of proper authentication for the execution of critical commands using HTTP requests allows remote threat actors to extract sensitive information or change the configuration of a target device by sending specially crafted requests. 

The flaw received a CVSS score of 8.5/10 and would allow remote hackers to evade authentication processes.

CVE-2021-23854: Improper disinfection of user input in the page parameter allows remote attackers to trick victims into following a specially crafted link and running arbitrary scripts using a vulnerable website.

The vulnerability received a CVSS score of 5.3/10 and its successful exploitation would allow the deployment of XSS attacks.

These three flaws reside in the following Rober Bosch products:

• CPP4 HD/MP cameras: 7,10
• CPP6 HD/MP cameras: 7.60, 7.61, 7.62, 7.70, 7.80
• AVIOTEC cameras: 7.61, 7.70, 7.72
• CPP7 HD/MP cameras: 7.60, 7.61, 7.62, 7.70, 7.72, 7.80
• CPP7.3 HD/MP cameras: 7.60, 7.61, 7.62, 7.70, 7.72, 7.80
• CPP13 HD/MP cameras: 7.75

While these flaws could be exploited by unauthenticated remote threat actors, cybersecurity experts mention that no exploit attempts have been detected in real-world scenarios. Security patches to address these flaws are now available, so users of affected devices are encouraged to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.