Siemens Siveillance OIS

Plan PatchCVSS 10ICS-CERT ICSA-21-257-18Sep 14, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Siveillance Open Interface Services (OIS) application, used to integrate building subsystems into Siemens management platforms, contains an OS command injection vulnerability (CWE-78) in how it processes integration requests. An unauthenticated attacker can send a crafted request to the OIS port (443/TCP) containing shell metacharacters that bypass input validation and execute arbitrary commands with root privileges on the host operating system. The vulnerability affects all versions of Desigo CC with OIS, GMA-Manager, Operation Scheduler, Siveillance Control, and Siveillance Control Pro running on Debian 9 or later.

What this means

What could happen

An attacker could execute arbitrary commands on the Siveillance OIS server with root privileges, potentially giving them complete control over building management system operations including access control, surveillance, HVAC, and lighting systems across multiple integrated facilities.

Who's at risk

Building automation operators and facility managers running Siemens Desigo CC, GMA-Manager, Operation Scheduler, Siveillance Control, or Siveillance Control Pro with the OIS extension module. This affects the central systems that integrate and control access control systems, HVAC, surveillance, and other building subsystems across one or more facilities.

How it could be exploited

An attacker sends a specially crafted network request to port 443/TCP on an exposed Siveillance OIS server. The request contains injected shell commands embedded in OIS integration parameters. The vulnerable OIS application passes these unsanitized inputs directly to the operating system command interpreter, executing the attacker's code with root privileges.

Prerequisites

Network access to port 443/TCP on the Siveillance OIS server
OIS application accessible from attacker's network location
No authentication required

Remotely exploitableNo authentication requiredLow complexity attackNetwork-accessibleCritical CVSS score (10.0)Root-level code executionNo patch available for most affected products

Exploitability

Some exploitation risk — EPSS score 4.6%

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

Desigo CCAll versions with OIS Extension ModuleNo fix (EOL)

GMA-Manager≤ with OIS running on Debian 9No fix (EOL)

Siveillance Control≤ with OIS running on Debian 9No fix (EOL)

Operation Scheduler≤ with OIS running on Debian 9No fix (EOL)

Siveillance Control ProAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to port 443/TCP to only trusted IP addresses and personnel via firewall rules

HARDENINGImplement network segmentation to isolate Siveillance OIS and dependent building management systems from direct internet and business network access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Siveillance OIS to version v2.5.3 or latest patch release

HARDENINGMonitor OIS server logs for suspicious command patterns or failed authentication attempts indicating exploitation attempts

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Desigo CC, GMA-Manager, Siveillance Control, Operation Scheduler, Siveillance Control Pro. Apply the following compensating controls:

HARDENINGDeploy VPN with multi-factor authentication for any required remote access to OIS systems

CVEs (1)

CVE-2021-31891

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d5d39947-15c2-4ab3-85da-9a85b37c7118

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.