Command Injection Vulnerability in Siveillance OIS Affecting Several Building Management Systems
Act Now | 10 | SSA-535380 | Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Siveillance Open Interface Services (OIS) application, used for integration of subsystems in Siemens building management systems, contains a command injection vulnerability (CWE-78). An unauthenticated remote attacker can execute arbitrary code with root privileges by sending a specially crafted request to the OIS service. This affects Desigo CC, GMA-Manager, Operation Scheduler, Siveillance Control, and Siveillance Control Pro when running the OIS extension module.
What this means
What could happen
An unauthenticated attacker on the network could execute arbitrary commands with root privileges on building management systems, potentially disrupting HVAC, lighting, access control, and other facility operations.
Who's at risk
Building operations staff and facility managers at organizations running Siemens building management systems, particularly those using Desigo CC, GMA-Manager, Operation Scheduler, Siveillance Control, or Siveillance Control Pro. This affects HVAC, lighting, power distribution, access control, and other automated facility systems in office buildings, data centers, hospitals, and industrial facilities.
How it could be exploited
An attacker sends a specially crafted request to the Siveillance OIS service over the network, injecting shell commands into a parameter that the OIS processes without proper sanitization. The OIS runs these commands with root privileges, giving the attacker full control of the building management system.
Prerequisites
- Network access to the OIS service (typically HTTP/HTTPS on the BMS server)
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- Runs with root/administrator privileges
- High CVSS (10.0)
- Affects building safety and life safety systems
- Affects multiple product lines
Exploitability
Moderate exploit probability (EPSS 4.6%)
Affected products (5)
5 with fix
Product: Desigo CC
  Affected versions: All versions with OIS Extension Module
  Fix status: OIS v2.5.3 or later / OIS v2.6.1 or later with patch
Product: Operation Scheduler
  Affected versions: All versions with OIS running on Debian 9 or earlier
  Fix status: OIS v2.5.3 or later / OIS v2.6.0 or later with patch
Product: Siveillance Control
  Affected versions: All versions with OIS running on Debian 9 or earlier
  Fix status: OIS v2.5.3 or later / OIS v2.6.0 or later with patch
Product: GMA-Manager
  Affected versions: All versions with OIS running on Debian 9 or earlier
  Fix status: OIS v2.5.3 or later / OIS v2.6.1 or later with patch
Product: Siveillance Control Pro
  Affected versions: All versions
  Fix status: OIS v2.5.3 or later / OIS v2.6.0 or later with patch
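A fleet triage helper built from the fix thresholds in the table above, added here as an example; it is not part of the advisory or of any Siemens tooling. It assumes the reading that "v2.5.3 or later" covers the 2.5 line on its own while the 2.6 line needs the vendor patch on top of the listed minimum build, and the hosts in SAMPLE_INVENTORY are constructed.

```python
import re

# Fix thresholds from the advisory table (assumed reading): the 2.5 line is fixed from
# v2.5.3 on its own; the 2.6 line needs the vendor patch on top of the listed minimum
# build (2.6.1 for Desigo CC and GMA-Manager, 2.6.0 for the other three products).
FIXED_2_5 = (2, 5, 3)
MIN_2_6_WITH_PATCH = {
    "Desigo CC": (2, 6, 1),
    "GMA-Manager": (2, 6, 1),
    "Operation Scheduler": (2, 6, 0),
    "Siveillance Control": (2, 6, 0),
    "Siveillance Control Pro": (2, 6, 0),
}

def parse_version(text):
    """Turn 'v2.6.1' or '2.6.1' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OIS version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def ois_status(product, version, patch_applied=False):
    """Classify one OIS install as 'fixed', 'needs-patch', 'vulnerable' or 'unknown'."""
    if product not in MIN_2_6_WITH_PATCH:
        raise ValueError(f"product not covered by SSA-535380: {product!r}")
    v = parse_version(version)
    if v[:2] == (2, 5):
        return "fixed" if v >= FIXED_2_5 else "vulnerable"
    if v[:2] == (2, 6):
        if v < MIN_2_6_WITH_PATCH[product]:
            return "vulnerable"
        return "fixed" if patch_applied else "needs-patch"
    if v < FIXED_2_5:
        return "vulnerable"  # anything older than the 2.5 line is unfixed
    return "unknown"  # newer than 2.6: not in the advisory table, confirm with the vendor

def triage(inventory):
    """Return {host: status} for a list of {'host','product','version','patched'} records."""
    return {rec["host"]: ois_status(rec["product"], rec["version"], rec.get("patched", False))
            for rec in inventory}

# Constructed sample inventory (hostnames are made up), one record per outcome.
SAMPLE_INVENTORY = [
    {"host": "bms-01", "product": "Desigo CC", "version": "v2.5.3"},
    {"host": "bms-02", "product": "Desigo CC", "version": "v2.6.1"},
    {"host": "bms-03", "product": "Siveillance Control", "version": "2.6.0", "patched": True},
    {"host": "bms-04", "product": "GMA-Manager", "version": "2.6.0", "patched": True},
    {"host": "bms-05", "product": "Operation Scheduler", "version": "2.4.9"},
]
```

Calling triage(SAMPLE_INVENTORY) flags bms-04 as still vulnerable even though the patch is applied, because GMA-Manager needs the 2.6.1 build underneath it.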
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the OIS service to only authorized engineering and management workstations using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Siveillance OIS to version 2.5.3 or later, or apply the vendor patch if available
Long-term hardening
HARDENING: Place the OIS service on a dedicated VLAN separate from standard building networks and limit ingress to management consoles only
CVEs (1)