OTPulse

ICSA-20-070-01_Siemens and PKE SiNVR/SiVMS Video Server (Update B)

Act Now | 9.9 | ICS-CERT ICSA-20-070-01 | Apr 13, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens and PKE Control Center Server (CCS) video server software contains multiple vulnerabilities reported in SSA-761617 and SSA-844761:
  • Authentication bypass (CVE-2019-18337, CVE-2019-18341) allows attackers with low-level access to gain elevated privileges.
  • Path traversal (CVE-2019-18338, CVE-2019-19290) enables access to arbitrary files on the server.
  • Information disclosure (CVE-2019-13947, CVE-2019-18340, CVE-2019-19291) exposes sensitive data.
  • Privilege escalation (CVE-2019-18342) allows users to execute operations beyond their assigned permissions.
  • SQL injection (CVE-2019-19292) enables database manipulation.
  • Cross-site scripting (CVE-2019-19293, CVE-2019-19294) allows injection of malicious scripts.
  • Insufficient logging (CVE-2019-19295) prevents audit trails of administrative actions.
The affected products are the Control Center Server (CCS) versions below 1.5.0 and versions 1.5.0 and later. PKE has released updates fixing most vulnerabilities except CVE-2019-18340.

What this means
What could happen
An attacker with user-level access to the video server could escalate privileges, modify configuration, access sensitive data, or inject malicious code into the web interface. This could compromise video surveillance integrity and enable unauthorized system access or control.
Who's at risk
Water utilities, municipalities, and industrial facilities using Siemens and PKE Control Center Server for video surveillance and monitoring. The product is commonly deployed in critical infrastructure control rooms to monitor physical security and process areas. Any organization relying on CCS for video surveillance and system monitoring should apply fixes.
How it could be exploited
An attacker with user credentials or network access to the CCS server (typically port 80/443 for web interface or port 21 for FTP) could authenticate with valid credentials, exploit authentication bypass to escalate privileges, or use path traversal to access sensitive files. The attacker could then modify recorder settings, disable logging, inject scripts into the web interface, or extract configuration data containing credentials.
Prerequisites
  • User credentials to the CCS web interface or direct network access to the server port
  • Network reachability to the CCS server (HTTP/HTTPS port or FTP port 21)
  • For privilege escalation: initial low-level user account or ability to authenticate
Risk factors
  • Remotely exploitable via network ports
  • Authentication bypass vulnerability allows privilege escalation without complex attack
  • Low complexity exploitation of multiple vulnerabilities
  • No patch available for versions 1.5.0 and later (except CVE-2019-18340 remains unfixed in updated versions)
  • Multiple vulnerability types reduce defense-in-depth effectiveness
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
1 with fix, 1 pending

Product                      Affected Versions   Fix Status
Control Center Server (CCS)  < V1.5.0            1.5.0
Control Center Server (CCS)  ≥ V1.5.0            No fix yet
Remediation & Mitigation
Do now
Control Center Server (CCS)
WORKAROUND: Apply firewall rules or ACLs to restrict access to CCS server ports to authorized systems only
All products
WORKAROUND: Disable FTP services on the video server if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Control Center Server to version 5.0.2 or later
HARDENING: Enable the per-stream authentication feature in v5.0.2 with individual account credentials for each stream recorder
Long-term hardening
Control Center Server (CCS)
HARDENING: Implement TLS encryption on the application level or IPSec on the network level for CCS communications
HARDENING: Isolate the CCS server from the business network and Internet; place behind a firewall
HARDENING: Apply principle of least privilege to user accounts accessing the CCS server