OTPulse

ICSA-18-128-02 Siemens Siveillance VMS (Update A)

Plan Patch
CVSS: 8.1
Source: ICS-CERT ICSA-18-128-02
Published: May 3, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Siemens Siveillance VMS contains a deserialization vulnerability (CWE-502) in versions 2016 R1 through 2018 R1 that allows unauthenticated remote code execution on the VMS server. An attacker can send malicious serialized objects to the server, which are deserialized without proper validation, leading to arbitrary code execution. This affects all six product versions listed. Siemens has released patched versions (V10.0a, V10.1a, V10.2b, V11.1a, V11.2a, V12.1a) and recommends immediate updates. The vulnerability requires network access to the VMS interface and moderate attacker skill to exploit due to the need to craft appropriate serialized payloads, but no public exploits are currently known.

What this means
What could happen
An attacker could deserialize untrusted data on the Siveillance VMS server and execute arbitrary code, potentially compromising video surveillance footage, system operations, or using the system as a foothold into the facility network.
Who's at risk
Water utilities and municipal electric facilities operating Siemens Siveillance VMS video surveillance systems (versions 2016 R1 through 2018 R1) should assess their exposure. This affects the centralized video management server, which may be critical for facility security monitoring and incident response.
How it could be exploited
An attacker with network access to the Siveillance VMS server (typically port 8200 or similar web interface ports) can send a crafted request containing malicious serialized objects (CWE-502 deserialization vulnerability). The server deserializes this data without proper validation, allowing code execution on the VMS host machine.
Prerequisites
  • Network access to the Siveillance VMS web interface or API ports
  • No authentication required to trigger the vulnerability
  • Knowledge of the serialization format and gadget chains used by the Java application
  • remotely exploitable
  • no authentication required
  • unsafe deserialization (CWE-502)
  • affects security-critical surveillance system
  • requires high skill level to exploit but likely proofs-of-concept exist
Exploitability
Moderate exploit probability (EPSS 2.7%)
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
Siveillance VMS 2016 R1 and prior | <V10.0a | V10.0a
Siveillance VMS 2016 R2 | <V10.1a | V10.1a
Siveillance VMS 2016 R3 | <V10.2b | V10.2b
Siveillance VMS 2017 R1 | <V11.1a | V11.1a
Siveillance VMS 2017 R2 | <V11.2a | V11.2a
Siveillance VMS 2018 R1 | <V12.1a | V12.1a
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to VMS server to authorized management networks only using firewall rules; do not expose to the internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Siveillance VMS 2016 R2
HOTFIX: Update Siveillance VMS 2016 R2 to V10.1a or later
Siveillance VMS 2016 R3
HOTFIX: Update Siveillance VMS 2016 R3 to V10.2b or later
Siveillance VMS 2017 R1
HOTFIX: Update Siveillance VMS 2017 R1 to V11.1a or later
Siveillance VMS 2017 R2
HOTFIX: Update Siveillance VMS 2017 R2 to V11.2a or later
Siveillance VMS 2018 R1
HOTFIX: Update Siveillance VMS 2018 R1 to V12.1a or later
All products
HOTFIX: Update Siveillance VMS 2016 R1 to V10.0a or later
Long-term hardening
HARDENING: Place the VMS server behind a firewall and on a segmented network separate from business IT networks
HARDENING: Use a VPN with encryption for any remote access to the VMS server