Siemens Siveillance
Act Now9.9ICS-CERT ICSA-23-131-03May 9, 2023
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Siemens Siveillance Video Event Server and Management Server components deserialize untrusted data without sufficient validation. An authenticated remote attacker could exploit this to execute arbitrary code on the affected system. This affects multiple versions of Siveillance Video from 2020 R2 through 2023 R1. Siemens has released hotfix updates for all affected versions.
What this means
What could happen
An authenticated attacker with network access to the Event Server or Management Server could execute arbitrary code, allowing them to compromise the video surveillance system, manipulate recordings, alter system configuration, or pivot to other network assets.
Who's at risk
Organizations operating Siemens Siveillance Video surveillance systems should be concerned, particularly those in critical infrastructure, transportation, and facility security roles. This affects video surveillance server infrastructure used to manage and record security camera networks across multiple versions deployed from 2020 through 2023.
How it could be exploited
An attacker with valid credentials and network access to the Event Server or Management Server on port 502 (Modbus) or the management port sends a specially crafted serialized object in a request. The server deserializes the object without validating its contents, allowing the attacker to instantiate arbitrary classes and execute code on the server process.
Prerequisites
- Valid Event Server or Management Server credentials
- Network access to Event Server or Management Server
- Knowledge of the serialization format used by Siveillance Video
Remotely exploitableAuthentication requiredLow complexity attackCritical severity (CVSS 9.9)Affects multiple versions over 3+ yearsCode execution capability
Exploitability
Moderate exploit probability (EPSS 1.9%)
Affected products (8)
8 with fix
ProductAffected VersionsFix Status
Siveillance Video 2020 R2<vers:/ V20.2 HotfixRev1420.2 HotfixRev14
Siveillance Video 2020 R3<vers:/ V20.3 HotfixRev1220.3 HotfixRev12
Siveillance Video 2021 R1<vers:/ V21.1 HotfixRev1221.1 HotfixRev12
Siveillance Video 2021 R2<vers:/ V21.2 HotfixRev821.2 HotfixRev8
Siveillance Video 2022 R1<vers:/ V22.1 HotfixRev722.1 HotfixRev7
Siveillance Video 2022 R2<vers:/ V22.2 HotfixRev522.2 HotfixRev5
Siveillance Video 2022 R3<vers:/ V22.3 HotfixRev222.3 HotfixRev2
Siveillance Video 2023 R1<vers:/ V23.1 HotfixRev123.1 HotfixRev1
Remediation & Mitigation
0/10
Do now
0/1HARDENINGRestrict network access to Event Server and Management Server ports using firewalls; allow only authorized management workstations and systems
Schedule — requires maintenance window
0/8Patching may require device reboot — plan for process interruption
Siveillance Video 2020 R2
HOTFIXUpdate Siveillance Video 2020 R2 to V20.2 HotfixRev14 or later on all Event Server and Management Server instances
Siveillance Video 2020 R3
HOTFIXUpdate Siveillance Video 2020 R3 to V20.3 HotfixRev12 or later on all Event Server and Management Server instances
Siveillance Video 2021 R1
HOTFIXUpdate Siveillance Video 2021 R1 to V21.1 HotfixRev12 or later on all Event Server and Management Server instances
Siveillance Video 2021 R2
HOTFIXUpdate Siveillance Video 2021 R2 to V21.2 HotfixRev8 or later on all Event Server and Management Server instances
Siveillance Video 2022 R1
HOTFIXUpdate Siveillance Video 2022 R1 to V22.1 HotfixRev7 or later on all Event Server and Management Server instances
Siveillance Video 2022 R2
HOTFIXUpdate Siveillance Video 2022 R2 to V22.2 HotfixRev5 or later on all Event Server and Management Server instances
Siveillance Video 2022 R3
HOTFIXUpdate Siveillance Video 2022 R3 to V22.3 HotfixRev2 or later on all Event Server and Management Server instances
Siveillance Video 2023 R1
HOTFIXUpdate Siveillance Video 2023 R1 to V23.1 HotfixRev1 or later on all Event Server and Management Server instances
Long-term hardening
0/1HARDENINGIsolate Siveillance Video infrastructure from the business network and Internet-facing networks
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/2d244408-5cf5-4b69-be44-46b659e0e5a2