History: Dec 12, 2019 - 7:15 p.m.

CVE-2019-18340

2019-12-12 19:15:20
CWE-327
siemens
web.nvd.nist.gov
cve-2019-18340
vulnerability
control center server
ccs
sinvr
sivms
password extraction
weak cryptography

CVSS2

Score: 2.1
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

Score: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 5
Confidence: High

EPSS: 0
Percentile: 5.1%

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), Control Center Server (CCS) (All versions >= V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0), SiNVR/SiVMS Video Server (All versions >= V5.0.0). Both the SiVMS/SiNVR Video Server and the Control Center Server (CCS) store user and device passwords by applying weak cryptography.

A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks.

Affected configurations

Nvd

Node: siemens sinvr_3_central_control_server OR siemens sinvr_3_video_server

Vendor | Product | Version | CPE
siemens | sinvr_3_central_control_server | * | cpe:2.3:a:siemens:sinvr_3_central_control_server:*:*:*:*:*:*:*:*
siemens | sinvr_3_video_server | * | cpe:2.3:a:siemens:sinvr_3_video_server:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Siemens",
    "product": "Control Center Server (CCS)",
    "versions": [
      {
        "version": "All versions < V1.5.0",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "Control Center Server (CCS)",
    "versions": [
      {
        "version": "All versions >= V1.5.0",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SiNVR/SiVMS Video Server",
    "versions": [
      {
        "version": "All versions < V5.0.0",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "SiNVR/SiVMS Video Server",
    "versions": [
      {
        "version": "All versions >= V5.0.0",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]
