Use of Hard-coded Cryptographic Key in Siveillance Video Open Network Bridge - CVE-2021-27392
Published: April 14, 2021
Vulnerability identifier: #VU52218
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-27392
CWE-ID: CWE-321
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Siveillance Video Open Network Bridge
Siveillance Video Open Network Bridge
Software vendor:
Siemens
Siemens
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected Open Network Bridges store user credentials for the authentication between ONVIF clients and the ONVIF server using a hard-coded key. A remote authenticated attacker can retrieve and decrypt all credentials stored on the ONVIF server.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.