Full Report
The Video Server application in SiNVR/SiVMS solutions contains two vulnerabilities involving authentication bypass (CVE-2019-18339) and information disclosure (CVE-2019-18340). PKE has released an update of the application that fixes CVE-2019-18339. This update is not available under the former Siemens OEM brand name SiNVR. For details contact PKE (https://pke.at/). Siemens recommends specific countermeasures to mitigate the vulnerabilities.
Analysis Summary
# Vulnerability: Authentication Bypass and Information Disclosure in SiNVR/SiVMS Video Server
## CVE Details
- **CVE ID:** CVE-2019-18339, CVE-2019-18340
- **CVSS Score:**
  - CVE-2019-18339: 9.8 (Critical)
  - CVE-2019-18340: 5.5 (Medium)
- **CWE:**
  - CWE-306: Missing Authentication for Critical Function (CVE-2019-18339)
  - CWE-327: Use of a Broken or Risky Cryptographic Algorithm (CVE-2019-18340)
## Affected Systems
- **Products:** SiNVR/SiVMS Video Server (formerly Siemens OEM, currently PKE Deutschland GmbH). *Note: Not to be confused with Siveillance VMS.*
- **Versions:** All versions; specific mention of <= V5.0.0 for CVE-2019-18340.
- **Configurations:** Systems utilizing the HTTP service (default port 5401/tcp) and those using the optional Control Center Server (CCS).
## Vulnerability Description
- **CVE-2019-18339:** The Video Server's HTTP service fails to properly enforce authentication. A remote attacker can bypass security controls to read the user database. This database contains user passwords stored in obfuscated cleartext.
- **CVE-2019-18340:** The Video Server and CCS components utilize weak cryptography to store user and device passwords. This allows an attacker to extract credentials from database or configuration files.
## Exploitation
- **Status:** PoC available (functional exploit code is indicated by the CVSS Exploit Code Maturity value "E:F").
- **Complexity:** Low
- **Attack Vector:**
  - CVE-2019-18339: Network (Remote)
  - CVE-2019-18340: Local
## Impact
- **Confidentiality:** High (Exposure of user and device passwords in cleartext/weakly encrypted formats).
- **Integrity:** High (Potential for unauthorized system access via stolen credentials).
- **Availability:** High (Full system compromise possible via bypass).
## Remediation
### Patches
- **PKE SiVMS:** PKE has released an update fixing CVE-2019-18339. Users must contact PKE directly for the update (hxxps://pke[.]at/).
- **Siemens SiNVR:** No fix is planned for the Siemens-branded OEM version as it is no longer distributed or supported beyond version 3.
### Workarounds
- **Network Segmentation:** Apply ACLs or firewalls to restrict access to Video Server ports (specifically 5401/tcp) to authorized systems only.
- **Authentication Configuration:** For CVE-2019-18339, ensure the "Authorization Server" is explicitly set to "Control Center Server" in the application settings (Configuration -> Appearance -> Desktop).
- **Host Hardening:** For CVE-2019-18340, strictly limit local access to the Video Server host to prevent unauthorized users from accessing database files.
## Detection
- **Indicators of Compromise:** Unauthorized HTTP GET requests to port 5401/tcp targeting user database files.
- **Detection Methods:** Monitor network traffic for unusual access to the Video Server management ports from unrecognized IP addresses. Audit local file access logs for sensitive configuration and database files.
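
One way to implement the network monitoring described above, as an added example that is not part of the advisory or any vendor tooling. It assumes firewall logs in netfilter LOG key=value style; the authorized ranges and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

VIDEO_SERVER_PORT = 5401  # default HTTP service port named in the advisory

# Assumption: management stations and the CCS host live in these ranges.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/28", "10.20.5.7/32")]

# Constructed sample lines (abbreviated netfilter LOG fields), not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.0.4 DST=10.30.0.10 PROTO=TCP SPT=50112 DPT=5401 SYN
Mar  3 10:00:07 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.30.0.10 PROTO=TCP SPT=41822 DPT=5401 SYN
Mar  3 10:00:09 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.30.0.10 PROTO=TCP SPT=41830 DPT=5401 SYN
Mar  3 10:00:12 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.9.9 DST=10.30.0.10 PROTO=UDP SPT=5353 DPT=5401
Mar  3 10:00:15 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.30.0.10 PROTO=TCP SPT=40000 DPT=443 SYN
Mar  3 10:00:20 fw kernel: truncated line SRC=not-an-ip DPT=5401 PROTO=TCP
"""

KV = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=value tokens in a log line


def is_authorized(addr):
    """True if the source address falls inside an authorized range."""
    return any(addr in net for net in AUTHORIZED_NETS)


def unauthorized_sources(log_text, port=VIDEO_SERVER_PORT):
    """Count TCP connection attempts to `port` per source outside AUTHORIZED_NETS."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # malformed or truncated record: skip rather than crash
        if not is_authorized(src):
            hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for src, count in unauthorized_sources(SAMPLE_LOG).most_common():
        print(f"ALERT {src} -> {VIDEO_SERVER_PORT}/tcp attempts={count}")
```

The same allowlist should match the ACL applied under the Network Segmentation workaround, so that anything this check reports is also traffic the firewall is expected to block.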
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-761617.pdf
- **CCS Specific Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-761844.pdf
- **Vendor Contact:** hxxps://pke[.]at/