Publication Date: | 2021-04-13 |
Last Update: | 2024-01-09 |
Current Version: | V1.1 |
CVSS v3.1 Base Score: | 9.9 |
Affected Product and Versions | Remediation
---|---
Control Center Server (CCS): All versions < V1.5.0 | Update to V1.5.0 or later version
Control Center Server (CCS): All versions >= V1.5.0 affected by CVE-2019-18340 | Currently no fix is planned
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.
As a general security measure, Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to arrive at the final score.
An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.
The user configuration menu in the web interface of the Control Center Server (CCS) transfers user passwords in cleartext to the client (browser).
An attacker with administrative privileges for the web interface could read (and not only reset) the passwords of other CCS users.
CVSS v3.1 Base Score | 4.9 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:F/RL:U/RC:C |
CWE | CWE-317: Cleartext Storage of Sensitive Information in GUI |
The Control Center Server (CCS) contains an authentication bypass vulnerability in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp.
A remote attacker with network access to the CCS server could exploit this vulnerability to read the CCS user database, including the passwords of all users, which are stored in an obfuscated but recoverable form rather than hashed.
CVSS v3.1 Base Score | 9.8 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C |
CWE | CWE-287: Improper Authentication |
The Control Center Server (CCS) contains a directory traversal vulnerability in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp.
An authenticated remote attacker with network access to the CCS server could exploit this vulnerability to list arbitrary directories or read files outside of the CCS application context.
CVSS v3.1 Base Score | 7.7 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:F/RL:U/RC:C |
CWE | CWE-23: Relative Path Traversal |
Both the SiVMS/SiNVR Video Server and the Control Center Server (CCS) store user and device passwords by applying weak cryptography.
A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks.
CVSS v3.1 Base Score | 5.5 |
CVSS v3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:U/RC:C |
CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
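The two findings above (passwords sent to the browser by the user configuration menu, and user/device passwords stored with weak cryptography) share one root cause: the server keeps credentials in a form it can turn back into the password. The following is an added illustration, not code from CCS, Siemens or PKE; the XOR-and-base64 "obfuscation" is a constructed stand-in for the weak scheme class and is not the scheme CCS uses (the advisory does not disclose it). It shows why a reversible scheme is equivalent to cleartext for anyone holding the database, what salted, iterated PBKDF2 storage looks like instead, and a serialisation for the user page that never includes the credential in any form.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- The class of scheme the advisory warns about: reversible obfuscation ---
# Constructed illustration (fixed-key XOR + base64). Anyone who reads the
# database and extracts the key from the software recovers every password.
_OBFUSCATION_KEY = b"fixed-key-shipped-with-the-binary"


def obfuscate_password(password: str) -> str:
    raw = password.encode("utf-8")
    xored = bytes(b ^ _OBFUSCATION_KEY[i % len(_OBFUSCATION_KEY)]
                  for i, b in enumerate(raw))
    return base64.b64encode(xored).decode("ascii")


def deobfuscate_password(stored: str) -> str:
    # The existence of this function is the finding: the stored value is the
    # password, merely encoded.
    xored = base64.b64decode(stored)
    raw = bytes(b ^ _OBFUSCATION_KEY[i % len(_OBFUSCATION_KEY)]
                for i, b in enumerate(xored))
    return raw.decode("utf-8")


# --- Proper storage: salted, iterated, one-way -------------------------------
PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns a self-describing string: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    # Constant-time comparison; there is no function that returns the password.
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def user_record_for_client(record: dict) -> dict:
    """Serialisation for a user-configuration page: the credential never
    leaves the server in any form. Administrators reset passwords; they do
    not read them."""
    return {k: v for k, v in record.items()
            if k not in ("password", "password_hash")}
```

The device passwords mentioned in the finding are a different case: the server must present them to the cameras, so they cannot be hashed. They need real encryption under a key that is not stored next to the ciphertext (an OS key store or HSM), plus file permissions that keep the configuration away from the local attacker the finding describes.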
The SFTP service (default port 22/tcp) of the Control Center Server (CCS) contains an authentication bypass vulnerability.
A remote attacker with network access to the CCS server could exploit this vulnerability to read data from the EDIR directory (for example, the list of all configured stations).
CVSS v3.1 Base Score | 5.3 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C |
CWE | CWE-287: Improper Authentication |
The SFTP service (default port 22/tcp) of the Control Center Server (CCS) does not properly limit its capabilities to the specified purpose.
In conjunction with CVE-2019-18341, an unauthenticated remote attacker with network access to the CCS server could exploit this vulnerability to read or delete arbitrary files, or access other resources on the same server.
CVSS v3.1 Base Score | 9.9 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C |
CWE | CWE-749: Exposed Dangerous Method or Function |
The DOWNLOADS section in the web interface of the Control Center Server (CCS) contains a path traversal vulnerability that could allow an authenticated remote attacker to access and download arbitrary files from the server where CCS is installed.
CVSS v3.1 Base Score | 6.5 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C |
CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
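The XML-protocol directory traversal and the DOWNLOADS path traversal above are the same defect: a client-supplied name is joined to a base directory and opened without checking where the result lands. The following is an added example, not code from CCS or its vendor; the directory names and file contents are constructed for the demonstration. It places the vulnerable join beside a containment check that resolves the real path first (so `..` segments and symlinks are judged by where they actually point) and refuses absolute paths outright.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideRoot(ValueError):
    """Raised when a client-supplied name would leave the permitted directory."""


def vulnerable_resolve(root: str, requested: str) -> str:
    # The flaw class described above: the client-supplied name is joined to
    # the download root and opened, so "../" segments (or a symlink placed in
    # the root) walk out of it.
    return os.path.join(root, requested)


def safe_resolve(root: str, requested: str) -> Path:
    root_real = Path(root).resolve()
    # Refuse absolute paths and drive letters up front: os.path.join and
    # Path's "/" operator would otherwise discard `root` entirely.
    if os.path.isabs(requested) or os.path.splitdrive(requested)[0]:
        raise PathOutsideRoot(requested)
    # resolve() collapses "." and ".." and follows symlinks, so the
    # containment check sees the real target, not the spelling of the request.
    candidate = (root_real / requested).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathOutsideRoot(requested) from None
    return candidate


def demo() -> dict:
    """Builds a throwaway tree (constructed sample data) and exercises both resolvers."""
    base = Path(tempfile.mkdtemp())
    root = base / "downloads"
    root.mkdir()
    (root / "report.csv").write_text("station;status\n")
    (base / "config.ini").write_text("dbpassword=example\n")  # outside the root

    results = {}
    traversal = "../config.ini"
    results["vulnerable_reads_outside"] = Path(
        vulnerable_resolve(str(root), traversal)).read_text().startswith("dbpassword")
    results["safe_allows_normal"] = safe_resolve(str(root), "report.csv").name == "report.csv"
    # ".." that stays inside the root is legitimate and must keep working.
    results["safe_allows_dotdot_inside"] = (
        safe_resolve(str(root), "sub/../report.csv").name == "report.csv")
    for label, req in (("safe_blocks_traversal", traversal),
                       ("safe_blocks_absolute", str(base / "config.ini"))):
        try:
            safe_resolve(str(root), req)
            results[label] = False
        except PathOutsideRoot:
            results[label] = True
    # A symlink inside the root that points outside it must be caught too.
    try:
        (root / "escape").symlink_to(base / "config.ini")
    except OSError:
        results["safe_blocks_symlink"] = None  # platform refused to create the link
    else:
        try:
            safe_resolve(str(root), "escape")
            results["safe_blocks_symlink"] = False
        except PathOutsideRoot:
            results["safe_blocks_symlink"] = True
    return results
```

Listing a directory goes through the same `safe_resolve` before `os.listdir`; the check is about the target, not about whether the operation is read, list or delete.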
The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain log files that store login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service.
CVSS v3.1 Base Score | 5.3 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C |
CWE | CWE-313: Cleartext Storage in a File or on Disk |
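FTP carries the password as the argument of the `PASS` command, so a server that logs commands verbatim writes every password to disk. The following is an added example, not code from the SiVMS/SiNVR Video Server or CCS; the session transcript and the logger name are constructed. It shows a redaction filter attached at the logger level (so every handler, including a file handler added later, receives the sanitised record) and the lines that result.

```python
import logging
import re

# Credential-bearing patterns that must never reach disk. The first covers
# the FTP PASS verb; the second covers "password=" style parameters.
_REDACTIONS = (
    (re.compile(r"(\bPASS\s+)\S+", re.IGNORECASE), r"\1********"),
    (re.compile(r"(\b(?:password|passwd|pwd)=)[^&\s]+", re.IGNORECASE), r"\1********"),
)


def redact(line: str) -> str:
    for pattern, replacement in _REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


class CredentialRedactingFilter(logging.Filter):
    """Rewrites the rendered message before it is dispatched to any handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory (stand-in for the log file)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_ftp_logger(name: str = "ftp-demo"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    # On the logger, not the handler: covers every output the logger feeds.
    logger.addFilter(CredentialRedactingFilter())
    return logger, handler


# Constructed FTP session transcript; not taken from any real log.
SAMPLE_SESSION = [
    "USER operator",
    "PASS Sup3rSecret!",
    "CWD /EDIR",
    "RETR stations.xml",
    "QUIT",
]


def log_session(commands, client="10.0.0.5"):
    """Logs each command the way a naive server would and returns what was written."""
    logger, handler = build_ftp_logger()
    for cmd in commands:
        logger.info("%s > %s", client, cmd)
    return handler.lines
```

The username is kept because it is what an audit needs; only the secret is masked. Redaction does not replace file permissions: the finding is exploitable by other authenticated users of the service, so the log must also not be readable from within the FTP root.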
The Control Center Server (CCS) contains an SQL injection vulnerability in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker could exploit this vulnerability to read or modify the CCS database and potentially execute administrative database operations or operating system commands.
CVSS v3.1 Base Score | 8.8 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C |
CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
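The SQL injection above lets a value taken from an XML request change the structure of a statement. The following is an added example, not code from CCS; the table layout, sample rows and the XML request format are constructed for the demonstration and are not the CCS schema or wire protocol. It shows the vulnerable string-formatted query beside the parameterised one, with two payloads: one that returns every user row and one that reads a second table (device credentials) through `UNION`.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample data; invented for the demo, not the CCS schema.
SAMPLE_USERS = [
    ("admin", "hash-a1", "admin"),
    ("operator", "hash-b2", "user"),
    ("viewer", "hash-c3", "user"),
]
SAMPLE_DEVICES = [
    ("cam-01", "device-pw-1"),
    ("cam-02", "device-pw-2"),
]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, secret TEXT, role TEXT)")
    conn.execute("CREATE TABLE devices (host TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_user_vulnerable(conn, name):
    # The defect class: the caller-controlled value becomes part of the
    # statement text, so a quote in it ends the literal and the rest is SQL.
    sql = "SELECT name, secret, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    # Parameter binding: the value travels separately from the statement and
    # is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, secret, role FROM users WHERE name = ?", (name,)).fetchall()


def handle_get_user(conn, xml_text, safe=True):
    """Toy request handler for an XML message such as
    <request><cmd>get_user</cmd><name>admin</name></request> (assumed format)."""
    req = ET.fromstring(xml_text)
    name = req.findtext("name", default="")
    lookup = lookup_user_safe if safe else lookup_user_vulnerable
    return lookup(conn, name)


# Two classic payloads: the first makes the WHERE clause always true, the
# second appends a query against another table (the trailing "--" comments
# out the closing quote the template adds).
ALL_ROWS_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT host, secret, 'device' FROM devices --"
```

The parameterised version is not a filter: the payload strings are stored and compared as ordinary text, which is why they simply match no row. The advisory's mention of administrative database operations and operating system commands depends on the database engine's privileges, which is the second control to apply: the account the application connects with should not be able to do either.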
The web interface of the Control Center Server (CCS) contains a reflected Cross-site Scripting (XSS) vulnerability that could allow an unauthenticated remote attacker to steal sensitive data or execute administrative actions on behalf of a legitimate administrator of the CCS web interface.
CVSS v3.1 Base Score | 6.1 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P/RL:U/RC:C |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
The web interface of the Control Center Server (CCS) contains multiple stored Cross-site Scripting (XSS) vulnerabilities in several input fields. This could allow an authenticated remote attacker to inject malicious JavaScript code into the CCS web application that is later executed in the browser context of any other user who views the relevant CCS web content.
CVSS v3.1 Base Score | 6.3 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N/E:P/RL:U/RC:C |
CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
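Both XSS findings above (reflected and stored) come down to untrusted text being pasted into a page without output encoding. The following is an added example, not code from the CCS web interface; the template, field names and payloads are constructed. It contrasts a blacklist that strips `<script>` tags with contextual escaping, and uses Python's HTML parser as a stand-in for the browser to show which elements and `on*` handlers each rendering would actually create. The blacklist passes the obvious test and fails the next two payloads, one of which contains no `<` at all.

```python
import html
import re
from html.parser import HTMLParser

# A user-supplied value rendered in two contexts: as text in a table cell
# and inside a quoted attribute of an input field.
TEMPLATE = '<tr><td>%s</td><td><input name="station" value="%s"></td></tr>'


def render_blacklist(value: str) -> str:
    # The kind of filtering that does not work: remove "<script>" tags and
    # paste the rest into the page unchanged.
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", value)
    return TEMPLATE % (cleaned, cleaned)


def render_escaped(value: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser can
    # only ever show the value as text or as the attribute's value.
    safe = html.escape(value, quote=True)
    return TEMPLATE % (safe, safe)


class TagCollector(HTMLParser):
    """Records every element the browser would create and every on* handler."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))

    handle_startendtag = handle_starttag


def audit(fragment: str):
    """Returns (tags, handlers). Anything beyond tr/td/td/input is injected markup."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.handlers


EXPECTED_TAGS = ["tr", "td", "td", "input"]

# Constructed payloads: a script tag, a tag with an event handler, and an
# attribute breakout that needs no "<" at all.
PAYLOADS = {
    "script": "<script>alert(1)</script>",
    "img": '<img src=x onerror="alert(1)">',
    "attr": '" autofocus onfocus="alert(1)" x="',
}
```

`html.escape` is the right primitive for text and quoted-attribute contexts only; a value placed into a URL, a `<script>` block or an unquoted attribute needs the encoder for that context, and a template engine with auto-escaping removes the chance of forgetting the call.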
The Control Center Server (CCS) does not enforce logging of security-relevant activities in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker could exploit this vulnerability to perform covert actions that are not visible in the application log.
CVSS v3.1 Base Score | 4.3 |
CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C |
CWE | CWE-778: Insufficient Logging |
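Two of the findings in the XML-based protocol, the authentication bypass that exposes the user database and the missing enforcement of logging, are both addressed by the same design: a single dispatch point that authenticates, authorises and audits every command before and after the handler runs, so no individual handler can skip either step. The following is an added example, not code from CCS; the `<request>`/`<cmd>` message format, command names, roles and sample accounts are constructed and are not the CCS wire protocol. The audit entry is written in a `finally` clause so that denied, failed and malformed requests are recorded as well as successful ones.

```python
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Role ordering used for the authorization check.
_ROLE_RANK = {"user": 1, "admin": 2}


@dataclass
class AuditEvent:
    user: str      # "-" when the caller had no valid session
    command: str   # "?" when the request could not be parsed
    outcome: str   # "ok", "denied" or "error"


def _response(status: str, payload: str) -> str:
    root = ET.Element("response", status=status)
    root.text = payload
    return ET.tostring(root, encoding="unicode")


class ProtocolServer:
    """Request format (assumed, not the CCS wire format):
    <request session="TOKEN"><cmd name="get_users"/></request>"""

    def __init__(self, users: dict):
        # users: name -> (password, role). Plaintext comparison is kept only to
        # keep the example short; a real store holds salted hashes.
        self._users = users
        self._sessions = {}
        self.audit_log = []
        # Every command the protocol accepts, with the role it requires.
        # A name missing from this table is rejected: default deny.
        self._commands = {
            "login": (None, self._cmd_login),
            "get_status": ("user", self._cmd_get_status),
            "get_users": ("admin", self._cmd_get_users),
        }

    def handle(self, xml_text: str) -> str:
        user, name, outcome = "-", "?", "error"
        try:
            req = ET.fromstring(xml_text)
            cmd = req.find("cmd")
            name = cmd.get("name", "?") if cmd is not None else "?"
            entry = self._commands.get(name)
            if entry is None:
                outcome = "denied"
                return _response("error", "unknown command")
            required_role, handler = entry
            session = self._sessions.get(req.get("session", ""))
            if session is not None:
                user = session["user"]
            # Authentication and authorization happen here, before any handler
            # runs, so no handler can forget to check.
            if required_role is not None and (
                    session is None
                    or _ROLE_RANK[session["role"]] < _ROLE_RANK[required_role]):
                outcome = "denied"
                return _response("error", "not authorized")
            result = handler(cmd, session)
            outcome = "ok"
            return _response("ok", result)
        except ET.ParseError:
            return _response("error", "malformed request")
        except PermissionError as exc:
            outcome = "denied"
            return _response("error", str(exc))
        finally:
            # Runs on every path: normal return, early deny, parse failure.
            # The caller cannot make an action disappear from the audit trail.
            self.audit_log.append(AuditEvent(user, name, outcome))

    def _cmd_login(self, cmd, session):
        name, password = cmd.get("user", ""), cmd.get("password", "")
        record = self._users.get(name)
        if record is None or not secrets.compare_digest(
                record[0].encode(), password.encode()):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": name, "role": record[1]}
        return token

    def _cmd_get_status(self, cmd, session):
        return "online"

    def _cmd_get_users(self, cmd, session):
        return ",".join(sorted(self._users))


def login(server: ProtocolServer, user: str, password: str) -> str:
    """Convenience wrapper; returns the session token or '' on failure."""
    req = ET.Element("request")
    ET.SubElement(req, "cmd", name="login", user=user, password=password)
    resp = ET.fromstring(server.handle(ET.tostring(req, encoding="unicode")))
    return resp.text if resp.get("status") == "ok" else ""


def request(server: ProtocolServer, token: str, command: str) -> str:
    req = ET.Element("request", session=token)
    ET.SubElement(req, "cmd", name=command)
    return server.handle(ET.tostring(req, encoding="unicode"))
```

In a deployment the `audit_log` list would be an append-only sink outside the application's own database, so that the SQL injection finding above cannot also be used to edit the trail.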
The links to the vendor advisory and software downloads no longer exist. For support, contact PKE (https://pke.at/).
The vulnerabilities were initially reported in SSA-761617 (https://cert-portal.siemens.com/productcert/html/ssa-761617.html) on 2019-12-10 and SSA-844761 (https://cert-portal.siemens.com/productcert/html/ssa-844761.html) on 2020-03-10, along with other vulnerabilities that affect the SiNVR/SiVMS Video Server. To provide more clarity, the vulnerabilities that apply to CCS have been moved to this new advisory. The former advisories address the SiNVR/SiVMS Video Server only.
V1.0 (2021-04-13): | Publication Date |
V1.1 (2024-01-09): | Cleanup: removed orphaned links to vendor advisories and software downloads |