Multiple Vulnerabilities in SiNVR/SiVMS Video Server

Plan Patch7.5SSA-844761Mar 10, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SiNVR/SiVMS Video Server versions before 5.0.2 contain five vulnerabilities: information disclosure (CVE-2019-19291, CVE-2019-19299), path traversal (CVE-2019-19296, CVE-2019-19297), and denial-of-service (CVE-2019-19298). These allow unauthenticated remote access to sensitive files and configuration data. CVE-2019-19299 has no permanent fix available. Siemens (via OEM partner PKE) has released patches for versions up to 5.0.2, but users on 5.0.2 or later with CVE-2019-19299 should contact PKE for interim mitigations.

What this means

What could happen

An attacker could read sensitive files (configuration, credentials, logs) from the video server or manipulate file paths to access restricted directories, potentially exposing surveillance system configuration and operator credentials. One information disclosure vulnerability has no permanent fix.

Who's at risk

Organizations operating Siemens SiNVR or SiVMS video surveillance systems should care about this—surveillance is often critical infrastructure for site security, emergency response, and evidence collection in water utilities and electric substations. The affected Video Server handles video recording, configuration, and operator credentials.

How it could be exploited

An attacker on the network sends a specially crafted HTTP request to the unauthenticated video server to read files outside the intended directory or to disclose configuration data. No credentials or user interaction are required. The attacker can identify and exploit the vulnerabilities remotely to extract sensitive information stored on the server.

Prerequisites

Network access to the SiNVR/SiVMS Video Server over HTTP/HTTPS
No authentication required
Video Server running a vulnerable version below 5.0.2

remotely exploitableno authentication requiredlow complexityinformation disclosure (credential exposure)one unpatched vulnerability (CVE-2019-19299)

Exploitability

Low exploit probability (EPSS 0.9%)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

SiNVR/SiVMS Video Server<V5.0.05.0.0

SiNVR/SiVMS Video Server≥ V5.0.0<V5.0.25.0.2

SiNVR/SiVMS Video Server≥ V5.0.25.0.0

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDFor users unable to upgrade to 5.0.2, contact PKE for information on CVE-2019-19299 (information disclosure with no permanent fix) and apply available interim controls

HARDENINGRestrict network access to the Video Server using a firewall—only authorized workstations and management interfaces should reach ports used by the Video Server

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

SiNVR/SiVMS Video Server

HOTFIXUpdate SiNVR/SiVMS Video Server to version 5.0.2 or later

All products

HARDENINGRotate all credentials (operator passwords, database credentials) stored on or managed by the Video Server after patching, as sensitive information may have been exposed

CVEs (5)

CVE-2019-19291 CVE-2019-19296 CVE-2019-19297 CVE-2019-19298 CVE-2019-19299

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/882a96ac-c4ad-4594-a654-34b2216946a6