Show vulnerabilities with patch / with exploit

Multiple vulnerabilities in Siemens SiNVR 3



Published: 2019-12-13
Severity High
Patch available NO
Number of vulnerabilities 7
CVE ID CVE-2019-13947
CVE-2019-18337
CVE-2019-18338
CVE-2019-18339
CVE-2019-18340
CVE-2019-18341
CVE-2019-18342
CWE ID CWE-319
CWE-287
CWE-22
CWE-306
CWE-310
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
SiNVR 3 Central Control Server (CCS)
Server applications / SCADA systems

SiNVR 3 Video Server
Server applications / SCADA systems

Vendor Siemens

Security Advisory

1) Cleartext transmission of sensitive information

Severity: Medium

CVSSv3: 4.5 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-13947

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the user configuration menu in the web interface transfers user passwords in cleartext to the client (browser). A remote authenticated administrator with ability to intercept network traffic can gain access to sensitive data.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SiNVR 3 Central Control Server (CCS): -

CPE External links

https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authentication

Severity: Medium

CVSSv3: 6.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-18337

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in the XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. A remote attacker can bypass authentication process and read the CCS users database, including the passwords of all users in obfuscated cleartext.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SiNVR 3 Central Control Server (CCS): -

CPE External links

https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Path traversal

Severity: High

CVSSv3: 7.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-18338

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. A remote authenticated attacker can send a specially crafted HTTP request and list arbitrary directories or read files outside of the CCS application context.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SiNVR 3 Central Control Server (CCS): -

CPE External links

https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Missing Authentication for Critical Function

Severity: Medium

CVSSv3: 6.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-18339

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to the HTTP service (default port 5401/tcp) contains an authentication bypass vulnerability. A remote attacker can read the SiNVR users database, including the passwords of all users in obfuscated cleartext.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SiNVR 3 Video Server: -

CPE External links

https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cryptographic issues

Severity: Low

CVSSv3: 5.1 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-18340

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information on the target system.

The vulnerability exists due to the affected software stores user and device passwords by applying weak cryptography. A local user can extract the passwords from the user database and/or the device configuration files.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SiNVR 3 Central Control Server (CCS): -

SiNVR 3 Video Server: -

CPE External links

https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Authentication

Severity: Medium

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-18341

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in the SFTP service (default port 22/tcp). A remote attacker can bypass authentication process and read data from the EDIR directory, e.g. the list of all configured stations.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SiNVR 3 Central Control Server (CCS): -

CPE External links

https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Path traversal

Severity: High

CVSSv3: 9.1 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2019-18342

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the SFTP service. A remote authenticated attacker can send a specially crafted SFTP request and read arbitrary files on the system.

Note: In conjunction with CVE-2019-18341, an unauthenticated remote attacker with network access to the CCS server can exploit this vulnerability to read or delete arbitrary files, or access other resources on the same server.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SiNVR 3 Central Control Server (CCS): -

CPE External links

https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.