CVE-2023-32229: Possible damage of secure element in Bosch IP cameras

Due to an error in the software interface to the secure element chip on Bosch IP cameras of family CPP13 and CPP14, the chip can be permanently damaged when enabling the Stream security option (signing of the video stream) with option MD5, SHA-1 or SHA-256.


Advisory Information

  • Advisory ID: BOSCH-SA-435698-BT
  • CVE Numbers and CVSS v3.1 Scores:
    • CVE-2023-32229
      • Base Score: 4.9 (Medium)
  • Published: 31 May 2023
  • Last Updated: 31 May 2023

Summary

Due to an error in the software interface to the secure element chip on the cameras, the chip can be permanently damaged, leading to an unusable camera, when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".

Affected Products

  • Bosch Camera Firmware on: CPP13
    • CVE-2023-32229
      • Version(s): < 8.48
  • Bosch Camera Firmware on: CPP14
    • CVE-2023-32229
      • Version(s): 8.50 - 8.72 (including)

Solution and Mitigations

Software Updates

The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in a timely manner, users are recommended to follow the mitigations and workarounds described in the following section. The versions to fix this issue are listed in the Advisory Appendix.

A reboot of the camera is required after uploading the update.

The version of the firmware should be checked after the update to confirm successful installation, e.g. in the web-based interface (Services - System Overview).

Increase Signature Interval

The default value for the signature interval is 1 second. Increasing the signature interval to 30 seconds will mitigate the problem without decreasing the security of the signing process. During verification of the video, it might take longer for the signature to be verified. After installing the fixed version, the interval can be set to 1 second again.

Disable Signature

Disabling this feature will, of course, mitigate this issue, but the video stream will no longer be signed and cannot be verified afterwards. After installing the update the feature can be enabled again.
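A fleet triage check built from the affected version ranges, fixed versions and workarounds in this advisory, as an added example that is not Bosch's code. The inventory record fields (`family`, `firmware`, `signing_enabled`, `signature_interval_s`), the host names and the sample firmware builds are assumptions; versions are compared on major.minor, which is how the advisory states its ranges.

```python
# Added example: triage a camera inventory against BOSCH-SA-435698-BT.
# Ranges and fixed versions are from the advisory; inventory fields are assumed.

AFFECTED = {
    "CPP13": lambda v: v < (8, 48),              # advisory: "< 8.48"
    "CPP14": lambda v: (8, 50) <= v <= (8, 72),  # advisory: "8.50 - 8.72 (including)"
}
FIXED = {"CPP13": "8.48.0017", "CPP14": "8.80.0090"}  # advisory appendix
MITIGATED_INTERVAL_S = 30  # workaround interval named in the advisory

def major_minor(version):
    """Parse '8.47.0026' -> (8, 47); the advisory ranges are given as major.minor."""
    parts = version.strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(parts[0]), int(parts[1])

def assess(cam):
    """Return (status, action) for one inventory record."""
    family = cam["family"]
    if family not in AFFECTED:
        return "out-of-scope", "none"
    if not AFFECTED[family](major_minor(cam["firmware"])):
        return "not-affected", "none"
    update = f"update to {FIXED[family]} and reboot"
    if not cam["signing_enabled"]:
        return "affected-signing-off", f"{update}; keep stream signing off until then"
    if cam["signature_interval_s"] >= MITIGATED_INTERVAL_S:
        return "affected-mitigated", update
    return "affected-exposed", (f"{update}; until then set signature interval "
                                f"to {MITIGATED_INTERVAL_S} s or disable signing")

# Constructed inventory (host names, firmware builds and settings are sample values).
INVENTORY = [
    {"host": "cam-dock-01", "family": "CPP13", "firmware": "8.47.0026",
     "signing_enabled": True, "signature_interval_s": 1},
    {"host": "cam-dock-02", "family": "CPP13", "firmware": "8.48.0017",
     "signing_enabled": True, "signature_interval_s": 1},
    {"host": "cam-lobby-01", "family": "CPP14", "firmware": "8.72.0005",
     "signing_enabled": True, "signature_interval_s": 30},
    {"host": "cam-lobby-02", "family": "CPP14", "firmware": "8.60.0011",
     "signing_enabled": False, "signature_interval_s": 1},
]

if __name__ == "__main__":
    for cam in INVENTORY:
        status, action = assess(cam)
        print(f"{cam['host']:<14}{cam['family']:<7}{cam['firmware']:<11}{status:<22}{action}")
```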

Vulnerability Details

CVE-2023-32229

CVE description: Due to an error in the software interface to the secure element chip on Bosch IP cameras of family CPP13 and CPP14, the chip can be permanently damaged when enabling the Stream security option (signing of the video stream) with option MD5, SHA-1 or SHA-256.

  • Problem Type:
    • CWE-1246 Improper Write Handling in Limited-write Non-Volatile Memories
  • CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
    • Base Score: 4.9 (Medium)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

  • [1] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: [email protected].

Revision History

  • 31 May 2023: Initial Publication

Appendix

Fixed Versions

| Camera Family | Version to fix this issue |
|---|---|
| CPP13 | 8.48.0017 |
| CPP14 | 8.80.0090 |

Firmware Download

Material Lists

Bosch IP camera CPP13

| Family Name | CTN | SAP# |
|---|---|---|
| AUTODOME inteox 7000i – 2 MP | NDP-7602-Z30, NDP-7602-Z30CT, NDP-7602-Z30K, NDP-7602-Z30-OC | F.01U.381.159, F.01U.381.160, F.01U.381.162, F.01U.382.880 |
| AUTODOME 7000i | NDP-7602-Z40 | F.01U.389.322, F.01U.394.938 |
| AUTODOME 7100i IR - 2MP | NDP-7602-Z40L | F.01U.389.324, F.01U.394.936 |
| AUTODOME 7100i IR - 8MP | NDP-7604-Z12L | F.01U.389.326, F.01U.394.918 |
| DINION inteox 7100i IR | NBE-7604-AL, NBE-7604-AL-OC | F.01U.394.676, F.01U.386.377 |
| FLEXIDOME inteox 7100i IR | NDE-7604-AL, NDE-7604-AL-OC | F.01U.394.577, F.01U.386.375 |
| MIC inteox 7100i - 2MP | MIC-7602-Z30B, MIC-7602-Z30BR, MIC-7602-Z30W, MIC-7602-Z30WR, MIC-7602-Z30G, MIC-7602-Z30GR | F.01U.382.403, F.01U.381.145, F.01U.382.404, F.01U.381.146, F.01U.382.405, F.01U.381.147 |
| MIC inteox 7100i - 2MP OC | MIC-7602-Z30BR-OC, MIC-7602-Z30WR-OC, MIC-7602-Z30GR-OC | F.01U.382.397, F.01U.382.398, F.01U.382.399 |
| MIC inteox 7100i – 8MP | MIC-7604-Z12BR, MIC-7604-Z12WR, MIC-7604-Z12GR | F.01U.381.148, F.01U.381.149, F.01U.381.150 |
| MIC inteox 7100i – 8MP OC | MIC-7604-Z12BR-OC, MIC-7604-Z12WR-OC, MIC-7604-Z12GR-OC | F.01U.382.400, F.01U.382.401, F.01U.382.402 |

Bosch IP camera CPP14

| Family Name | CTN | SAP# |
|---|---|---|
| FLEXIDOME indoor 5100i | NDV-5702-A, NDV-5703-A, NDV-5704-A | F.01U.394.427, F.01U.394.429, F.01U.394.454 |
| FLEXIDOME indoor 5100i IR | NDV-5702-AL, NDV-5703-AL, NDV-5704-AL | F.01U.394.428, F.01U.394.430, F.01U.394.455 |
| FLEXIDOME outdoor 5100i | NDE-5702-A, NDE-5703-A, NDE-5704-A | F.01U.394.558, F.01U.394.560, F.01U.394.562 |
| FLEXIDOME outdoor 5100i IR | NDE-5702-AL, NDE-5703-AL, NDE-5704-AL | F.01U.394.559, F.01U.394.561, F.01U.394.563 |
| FLEXIDOME panoramic 5100i | NDS-5703-F360, NDS-5704-F360 | F.01U.385.628, F.01U.385.629 |
| FLEXIDOME panoramic 5100i IR | NDS-5703-F360LE, NDS-5704-F360LE | F.01U.385.630, F.01U.385.631 |
| FLEXIDOME multi 7000i | NDM-7702-A, NDM-7703-A | F.01U.389.262, F.01U.389.263 |
| FLEXIDOME multi 7000i IR | NDM-7702-AL, NDM-7703-AL | F.01U.389.264, F.01U.389.265 |
| DINION 7100i IR | NBE-7702-ALX, NBE-7703-ALX | F.01U.390.686, F.01U.390.688 |
