#VU25998 Insufficient Logging in SiNVR 3 Central Control Server (CCS) and SiNVR 3 Video Server
Vulnerability identifier: #VU25998
Vulnerability risk: Medium
CVSSv3.1: 4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-778
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
SiNVR 3 Central Control Server (CCS)
Server applications /
SCADA systems
SiNVR 3 Video Server
Server applications /
SCADA systems
Vendor: Siemens
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected device does not enforce logging of security-relevant activities in the XML-based communication protocol. A remote authenticated attacker can perform covert actions not visible in the application log.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
SiNVR 3 Central Control Server (CCS): All versions
SiNVR 3 Video Server: All versions
External links
http://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
