Siemens and Milestone Siveillance Video Open Network Bridge

Act Now9.9ICS-CERT ICSA-21-103-15Apr 13, 2021

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Siveillance Video Open Network Bridge contains a vulnerability in how it stores ONVIF user credentials. The vulnerability allows an authenticated remote attacker to retrieve and decrypt all ONVIF user credentials stored on the server. This could lead to unauthorized access to surveillance cameras and connected ONVIF devices. Siemens recommends applying hotfixes immediately for all affected versions (2018 R2 through 2020 R3). As a workaround, users can disable the Open Network Bridge if ONVIF functionality is not required. Network access to ONVIF services should be restricted with firewalls.

What this means

What could happen

An authenticated attacker could retrieve and decrypt all stored ONVIF user credentials from the Siveillance Video Open Network Bridge server, potentially gaining access to camera systems and other connected surveillance infrastructure that rely on those credentials.

Who's at risk

Water utilities and electric utilities that use Siemens Siveillance Video Open Network Bridge for surveillance of substations, water treatment plants, or other critical infrastructure. This includes any deployment where the ONVIF bridge is enabled to integrate IP cameras or ONVIF-compliant devices into the surveillance system.

How it could be exploited

An attacker with valid credentials to the Siveillance Video Open Network Bridge (ONVIF) can connect remotely to port 8080 or the configured ONVIF service port, then exploit the insecure credential storage mechanism to read and decrypt all user credentials stored on the ONVIF server, including those for integrated cameras and devices.

Prerequisites

Valid credentials (username and password) for the Siveillance Video Open Network Bridge
Network access to the ONVIF service port (typically port 8080 or configured ONVIF port)
Open Network Bridge (ONVIF) must be enabled (disabled by default, but enabled in many deployments)

Remotely exploitableAffects authentication and credential managementDefault configuration has ONVIF disabled (reduces immediate risk if defaults not changed)Requires valid credentials (reduces attack surface compared to no-auth vulnerabilities)Insecure credential storage allows decryption of all stored credentials

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

Siveillance Video Open Network Bridge2020 R3; 2020 R2; 2020 R1 and 5 moreNo fix yet

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable Open Network Bridge (ONVIF) if it is not actively used in your surveillance deployment

HARDENINGRestrict network access to ONVIF service ports using firewall rules; only allow trusted engineering and monitoring systems to connect

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply Siemens hotfix for your version of Siveillance Video Open Network Bridge (2018 R2 through 2020 R3)

Long-term hardening

0/1

HARDENINGIsolate surveillance and video infrastructure on a separate network segment from business systems and the Internet

CVEs (1)

CVE-2021-27392

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/966be7c7-c300-476d-9b16-9add53c51489