Multiple Access Control Vulnerabilities in Siveillance Identity before V1.6.284.0
Plan: Patch · CVSS 7.5 · SSA-463116 · Dec 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siveillance Identity contains multiple access control vulnerabilities (CWE-668, Exposure of Resource to Wrong Sphere) that allow an unauthenticated remote attacker to access or modify internal application resources. Affected versions: V1.5 (all versions) and V1.6 before V1.6.284.0. Siemens has released V1.6.284.0 as the fixed version.
What this means
What could happen
An attacker with network access and no credentials could read or modify internal application resources of your Siveillance Identity installation, potentially compromising the identity and access control data used to manage facility security systems.
Who's at risk
Facilities operators and security teams running Siemens Siveillance Identity V1.5 (any version) or V1.6 before V1.6.284.0 should prioritize this. Siveillance Identity is commonly deployed for physical access control, security system integration, and identity management in water utilities, power plants, and other critical infrastructure facilities.
How it could be exploited
An unauthenticated attacker who can reach the Siveillance Identity application interface sends requests that address internal application resources directly, bypassing the access controls that should protect them. Because the application does not properly enforce authentication or authorization on those resources, the attacker can read sensitive data or alter access control configuration.
Prerequisites
- Network reachability to Siveillance Identity application interface
- No credentials required
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (7.5)
Exploitability
Low exploit probability (EPSS 0.6%). EPSS estimates the likelihood of exploitation in the wild, not impact; the CVSS base score of 7.5 still reflects an unauthenticated, network-reachable weakness.
Affected products (2, both with a fix available)
Product                      Affected versions    Fix status
Siveillance Identity V1.5    All versions         Update to V1.6.284.0
Siveillance Identity V1.6    < V1.6.284.0         Update to V1.6.284.0
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Siveillance Identity to trusted engineering workstations and control network segments only; implement firewall rules to block connections from any other network.
Schedule (requires a maintenance window; patching may require a server restart, so plan for the process interruption)
HOTFIX: Update Siveillance Identity to V1.6.284.0 or later.
HOTFIX: If upgrading to V1.6.284.0 is not immediately possible, update to V1.5 SP4 and apply the Credential Patch Tool (https://support.industry.siemens.com/cs/ww/en/view/109801824/).
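To turn the affected-versions table and the remediation steps above into something you can run over an asset inventory, here is an added example (not Siemens tooling and not part of the original advisory) that parses Siveillance Identity version strings, classifies each installation as affected, fixed, or outside the advisory's scope, and names the remediation step the advisory gives for that case. The host names and version strings in SAMPLE_INVENTORY are constructed sample data; the ranges (V1.5 all versions, V1.6 below V1.6.284.0, fixed at V1.6.284.0) are taken from the advisory.

```python
"""Triage Siveillance Identity installations against SSA-463116.

Added example, not Siemens code. Inventory entries below are constructed.
Affected ranges come from the advisory: V1.5 (all), V1.6 < V1.6.284.0.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# First version that carries the fix, per the advisory.
FIXED_VERSION = (1, 6, 284, 0)

# Constructed sample inventory (hostname, version string as reported by the
# installation); these are not real hosts.
SAMPLE_INVENTORY = [
    ("pacs-srv01", "V1.5 SP3"),
    ("pacs-srv02", "V1.5 SP4"),
    ("pacs-srv03", "V1.6.283.0"),
    ("pacs-srv04", "V1.6.284.0"),
    ("pacs-srv05", "1.6.290"),
    ("pacs-lab01", "V1.7.0.0"),
]


@dataclass(frozen=True)
class Verdict:
    host: str
    version: tuple[int, int, int, int]
    service_pack: int | None
    status: str  # "affected", "fixed" or "unknown"
    action: str


def parse_version(text: str) -> tuple[tuple[int, int, int, int], int | None]:
    """Parse strings such as 'V1.6.283.0', '1.6.284' or 'V1.5 SP4'.

    Missing trailing components are treated as 0 so tuples compare cleanly.
    A service pack suffix is captured separately because it decides which
    V1.5 interim step applies.
    """
    m = re.match(r"^\s*V?(\d+(?:\.\d+){0,3})(?:\s*SP\s*(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    service_pack = int(m.group(2)) if m.group(2) else None
    return (parts[0], parts[1], parts[2], parts[3]), service_pack


def triage(host: str, version_text: str) -> Verdict:
    """Classify one installation and name the remediation from the advisory."""
    version, sp = parse_version(version_text)
    line = version[:2]
    if line == (1, 5):
        # Every V1.5 build is affected; the target is V1.6.284.0. The advisory's
        # interim path is V1.5 SP4 plus the Credential Patch Tool.
        if sp == 4:
            interim = "already on V1.5 SP4: apply the Credential Patch Tool as interim"
        else:
            interim = "interim: update to V1.5 SP4 and apply the Credential Patch Tool"
        return Verdict(host, version, sp, "affected",
                       f"update to V1.6.284.0 or later ({interim})")
    if line == (1, 6):
        if version >= FIXED_VERSION:
            return Verdict(host, version, sp, "fixed", "none; at or above V1.6.284.0")
        return Verdict(host, version, sp, "affected", "update to V1.6.284.0 or later")
    # Anything outside V1.5/V1.6 is not described by SSA-463116; do not guess.
    return Verdict(host, version, sp, "unknown",
                   "version line not covered by SSA-463116; check the current advisory")


def triage_inventory(inventory: list[tuple[str, str]]) -> list[Verdict]:
    return [triage(host, ver) for host, ver in inventory]


if __name__ == "__main__":
    for v in triage_inventory(SAMPLE_INVENTORY):
        ver = ".".join(str(n) for n in v.version)
        print(f"{v.host:12} {ver:12} {v.status:9} {v.action}")
```

Versions outside the V1.5 and V1.6 lines are deliberately reported as "unknown" rather than "fixed": the advisory says nothing about them, and treating silence as safety is how inventories end up with unpatched hosts marked green.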