Siemens and PKE SiNVR, SiVMS Video Server (Update A)
Plan: Patch
CVSS: 9.8
ICS-CERT: ICSA-19-344-02
Date: Dec 10, 2019
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens SiNVR/SiVMS Video Server and SiNVR 3 Central Control Server contain improper authentication vulnerabilities (CWE-306, CWE-261) that allow unauthenticated remote attackers to read the user database and configuration files. The user database contains passwords in obfuscated cleartext. The vulnerability affects v5.0.0 and all versions of SiNVR 3 CCS. Siemens recommends updating to version 5.0.0 or later and applying network-level access controls to protect the server from unauthorized access.
What this means
What could happen
An attacker could read the complete SiNVR/SiVMS user database and extract all user passwords in a readable format, plus access configuration files that may contain additional sensitive information. This compromises authentication for all operators and engineers accessing the video surveillance and control system.
Who's at risk
Water authorities and electric utilities using Siemens SiNVR or PKE SiVMS video server systems for facility surveillance, access control, or security monitoring. Affects both Video Server installations and SiNVR 3 Central Control Server deployments used in security operations centers and control rooms.
How it could be exploited
An attacker with network access to the SiNVR/SiVMS server on port 80/443 (HTTP/HTTPS) can issue unauthenticated requests to download the user database and configuration files without logging in, extracting credentials and system settings.
Prerequisites
- Network access to SiNVR/SiVMS server HTTP/HTTPS ports (80, 443)
- No authentication required
- Vulnerability present in v5.0.0 and all versions before 5.0.0 (SiNVR 3 CCS)
Tags
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (9.8)
- affects security system access control
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (5)
4 with fix, 1 pending
Product | Affected Versions | Fix Status
SiNVR/SiVMS Video Server | < V5.0.0 | 5.0.0
SiNVR/SiVMS Video Server | ≥ V5.0.0 | No fix yet
SiNVR/SiVMS Video Server: v5.0.0 and later is affected by CVE-2019-18340 | ≥ 5.0.0 (CVE-2019-18340) | 5.0.0
SiNVR 3 Central Control Server (CCS): all | - (SSA-761844 and ICSA-21-103-10) | 5.0.0
SiNVR/SiVMS Video Server: All | < 5.0.0 | 5.0.0
Remediation & Mitigation
Do now
- HARDENING: Apply network segmentation and firewall rules to restrict HTTP/HTTPS access to the SiNVR/SiVMS server to authorized engineering and administration networks only
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
SiNVR/SiVMS Video Server
- HOTFIX: Update SiNVR/SiVMS Video Server to version 5.0.0 or later
Long-term hardening
- HARDENING: Follow Siemens operational guidelines for industrial security and implement environment protection mechanisms around the SiNVR/SiVMS deployment
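The "Do now" hardening step only works if the segmentation rule actually holds, and the "How it could be exploited" paragraph above says the exposure is plain HTTP/HTTPS access from outside the authorized networks. The script below is an added example (not part of this advisory and not Siemens or PKE code) that audits a web front end's access log for requests to the video server from sources outside the allowed engineering/administration subnet. Everything in it is assumed: the log lines are constructed in common log format, the 10.20.30.0/24 subnet stands in for the authorized network, and the request paths are placeholders, not real SiNVR/SiVMS endpoints.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log (common log format) from a reverse proxy or web
# server in front of a SiNVR/SiVMS host. Addresses and paths are invented for
# this example; none of them come from the advisory.
SAMPLE_LOG = """\
10.20.30.5 - - [10/Dec/2019:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.20.30.7 - - [10/Dec/2019:08:02:44 +0000] "GET /admin/settings HTTP/1.1" 200 2048
192.168.77.9 - - [10/Dec/2019:08:03:10 +0000] "GET /example/config-download HTTP/1.1" 200 8192
203.0.113.44 - - [10/Dec/2019:08:03:15 +0000] "GET /example/user-export HTTP/1.1" 200 16384
10.20.30.5 - - [10/Dec/2019:08:04:00 +0000] "POST /login HTTP/1.1" 302 0
"""

# Assumed authorized engineering/administration network (placeholder value).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def is_allowed_source(src, allowed=ALLOWED_NETWORKS):
    """True when the client address falls inside one of the authorized networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparseable source (hostname, garbage): treat as not allowed.
        return False
    return any(addr in net for net in allowed)


def audit_access(log_text, allowed=ALLOWED_NETWORKS):
    """Return every request that reached the server from outside the allowed networks.

    A response with status < 400 to such a source means the segmentation rule
    did not stop the request; 'served' records that so the finding can be triaged.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_allowed_source(rec["src"], allowed):
            continue
        findings.append({
            "src": rec["src"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "size": rec["size"],
            "served": rec["status"] < 400,
        })
    return findings


def summarize_by_source(findings):
    """Count out-of-segment requests per source address."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = audit_access(SAMPLE_LOG)
    for f in hits:
        print(f"{f['src']:<15} {f['method']} {f['path']} -> {f['status']} ({f['size']} bytes)")
    print("per-source:", summarize_by_source(hits))
```

Running it against the constructed log reports the two requests from 192.168.77.9 and 203.0.113.44, both served with 200, which is exactly the condition the firewall rule is meant to make impossible. In a real deployment the allowed-network list comes from the segmentation design, and any served finding is a signal that the rule is missing or bypassed rather than evidence of exploitation on its own.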
CVEs (2)