CVE-2021-27392

2021-04-22 21:15:10
CWE-798
CWE-321
web.nvd.nist.gov

CVSS2: 4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.5 High
Confidence: High

EPSS: 0.004 Low
Percentile: 72.5%

A vulnerability has been identified in Siveillance Video Open Network Bridge (2020 R3), Siveillance Video Open Network Bridge (2020 R2), Siveillance Video Open Network Bridge (2020 R1), Siveillance Video Open Network Bridge (2019 R3), Siveillance Video Open Network Bridge (2019 R2), Siveillance Video Open Network Bridge (2019 R1), Siveillance Video Open Network Bridge (2018 R3), Siveillance Video Open Network Bridge (2018 R2). Affected Open Network Bridges store user credentials for the authentication between ONVIF clients and ONVIF server using a hard-coded key. The encrypted credentials can be retrieved via the MIP SDK. This could allow an authenticated remote attacker to retrieve and decrypt all credentials stored on the ONVIF server.

Affected configurations

NVD
Node
siemens siveillance_video_open_network_bridge Match 2018r2
OR
siemens siveillance_video_open_network_bridge Match 2018r3
OR
siemens siveillance_video_open_network_bridge Match 2019r1
OR
siemens siveillance_video_open_network_bridge Match 2019r2
OR
siemens siveillance_video_open_network_bridge Match 2019r3
OR
siemens siveillance_video_open_network_bridge Match 2020r1
OR
siemens siveillance_video_open_network_bridge Match 2020r2
OR
siemens siveillance_video_open_network_bridge Match 2020r3

CNA Affected

[
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2020 R3"
      }
    ]
  },
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2020 R2"
      }
    ]
  },
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2020 R1"
      }
    ]
  },
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2019 R3"
      }
    ]
  },
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2019 R2"
      }
    ]
  },
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2019 R1"
      }
    ]
  },
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2018 R3"
      }
    ]
  },
  {
    "product": "Siveillance Video Open Network Bridge",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "2018 R2"
      }
    ]
  }
]
