Multiple vulnerabilities in Siemens SiNVR 3
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2019-13947 CVE-2019-18337 CVE-2019-18338 CVE-2019-18339 CVE-2019-18340 CVE-2019-18341 CVE-2019-18342 |
| CWE-ID | CWE-319 CWE-287 CWE-22 CWE-306 CWE-310 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
SiNVR 3 Central Control Server (CCS) Server applications / SCADA systems SiNVR 3 Video Server Server applications / SCADA systems |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Cleartext transmission of sensitive information
EUVDB-ID: #VU23595
Risk: Medium
CVSSv3.1: 4.5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-13947
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the user configuration menu in the web interface transfers user passwords in cleartext to the client (browser). A remote authenticated administrator with ability to intercept network traffic can gain access to sensitive data.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSiNVR 3 Central Control Server (CCS): All versions
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Authentication
EUVDB-ID: #VU23596
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18337
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in the XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. A remote attacker can bypass authentication process and read the CCS users database, including the passwords of all users in obfuscated cleartext.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSiNVR 3 Central Control Server (CCS): All versions
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Path traversal
EUVDB-ID: #VU23597
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18338
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. A remote authenticated attacker can send a specially crafted HTTP request and list arbitrary directories or read files outside of the CCS application context.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSiNVR 3 Central Control Server (CCS): All versions
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Missing Authentication for Critical Function
EUVDB-ID: #VU23599
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18339
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information on the target system.
The vulnerability exists due to the HTTP service (default port 5401/tcp) contains an authentication bypass vulnerability. A remote attacker can read the SiNVR users database, including the passwords of all users in obfuscated cleartext.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSiNVR 3 Video Server: All versions
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cryptographic issues
EUVDB-ID: #VU23602
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18340
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information on the target system.
The vulnerability exists due to the affected software stores user and device passwords by applying weak cryptography. A local user can extract the passwords from the user database and/or the device configuration files.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSiNVR 3 Central Control Server (CCS): All versions
SiNVR 3 Video Server: All versions
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Authentication
EUVDB-ID: #VU23603
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18341
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in the SFTP service (default port 22/tcp). A remote attacker can bypass authentication process and read data from the EDIR directory, e.g. the list of all configured stations.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSiNVR 3 Central Control Server (CCS): All versions
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Path traversal
EUVDB-ID: #VU23604
Risk: High
CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18342
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the SFTP service. A remote authenticated attacker can send a specially crafted SFTP request and read arbitrary files on the system.
Note: In conjunction with CVE-2019-18341, an unauthenticated remote attacker with network access to the CCS server can exploit this vulnerability to read or delete arbitrary files, or access other resources on the same server.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsSiNVR 3 Central Control Server (CCS): All versions
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
