Full Report
Several camera device drivers in the Siveillance Video Device Pack contain a buffer overflow vulnerability that could be exploited under strict conditions. This could allow an attacker to execute code with the permissions of the Recording Server user. Siemens has released an update of the Device Pack and recommends applying this update to all deployments of Siveillance Video. In general, Siemens recommends installing the latest Device Pack, which contains the most up-to-date device drivers.
Analysis Summary
# Vulnerability: Buffer Overflow in Siveillance Video Device Pack Camera Drivers
## CVE Details
- **CVE ID:** CVE-2024-3506
- **CVSS Score:**
  - **v4.0:** 7.3 (High)
  - **v3.1:** 6.7 (Medium)
- **CWE:** CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
## Affected Systems
- **Products:** Siveillance Video Device Pack (used with Siveillance Video/VMS Core, Core Plus, Advanced, and Pro)
- **Versions:** All versions prior to V13.2
- **Configurations:** Systems where the Recording Server is configured to scan for or add new camera devices from the internal network.
## Vulnerability Description
Selected camera drivers within the Siveillance Video Device Pack (derived from the XProtect Device Pack) fail to properly validate input sizes during data copying operations. This leads to a classic buffer overflow. If a malicious or compromised device on the network provides crafted responses during discovery or interaction, it can trigger the overflow within the driver process.
## Exploitation
- **Status:** Not reported as exploited in the wild; no public PoC currently identified.
- **Complexity:** High (Exploitation occurs only under "strict conditions" and requires specific user interaction/timing).
- **Attack Vector:** Adjacent (Attacker must have access to the internal network where cameras/recording servers reside).
## Impact
- **Confidentiality:** High (Potential to execute code with the permissions of the Recording Server user).
- **Integrity:** High (Unauthorized command execution on the Recording Server).
- **Availability:** Low (Possible service disruption or crash of the Recording Server).
## Remediation
### Patches
- **Siveillance Video Device Pack:** Update to **V13.2** or later.
- Download via Siemens Support: hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/109761843/
### Workarounds
- **Strict IP Scanning:** When adding new cameras to the system, only scan IP addresses that are confirmed to be valid and belong to trusted hardware.
- **Network Segmentation:** Ensure the camera network is isolated from the general corporate network to prevent unauthorized adjacent access.
## Detection
- **Indicators of Compromise:** Unexpected crashes of the Recording Server service (RecordingServer.exe) or unusual outbound network traffic from the Recording Server.
- **Detection Methods:** Monitor for unauthorized devices attempting to spoof camera discovery protocols on the VMS network segment. Use vulnerability scanners to identify outdated Device Pack versions.
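
An added example (not from the Siemens or Milestone advisories) of triaging the crash indicator above: it filters Windows Application Error (Event ID 1000) message text for RecordingServer.exe faults whose exception code indicates memory corruption and counts them per faulting module. The sample messages and the module name `ExampleCameraDriver.dll` are constructed placeholders.

```python
import re
from collections import Counter

# NTSTATUS exception codes that indicate memory corruption.
MEMORY_CORRUPTION_CODES = {
    0xC0000005: "access violation",
    0xC0000409: "stack buffer overrun / fail-fast",
    0xC0000374: "heap corruption",
}

# Fields of the "Application Error" (Event ID 1000) message text.
FIELD_RE = re.compile(
    r"Faulting application name: (?P<app>[^,]+),.*?"
    r"Faulting module name: (?P<module>[^,]+),.*?"
    r"Exception code: (?P<code>0x[0-9a-fA-F]+)",
    re.DOTALL,
)

def triage(messages, process="RecordingServer.exe"):
    """Return (findings, per-module counts) for memory-corruption crashes."""
    findings, modules = [], Counter()
    for msg in messages:
        m = FIELD_RE.search(msg)
        if not m or m["app"].strip().lower() != process.lower():
            continue  # unparsable, or a different process
        code = int(m["code"], 16)
        if code in MEMORY_CORRUPTION_CODES:
            module = m["module"].strip()
            findings.append((module, MEMORY_CORRUPTION_CODES[code]))
            modules[module] += 1
    return findings, modules

def _event(app, module, code):
    """Build a constructed Event ID 1000 message (versions/offsets are dummies)."""
    return (f"Faulting application name: {app}, version: 0.0.0.0, time stamp: 0x00000000\n"
            f"Faulting module name: {module}, version: 0.0.0.0, time stamp: 0x00000000\n"
            f"Exception code: {code}\nFault offset: 0x0000000000000000")

# Constructed sample; ExampleCameraDriver.dll is a hypothetical module name.
SAMPLE_EVENTS = [
    _event("RecordingServer.exe", "ExampleCameraDriver.dll", "0xc0000409"),
    _event("RecordingServer.exe", "ExampleCameraDriver.dll", "0xc0000005"),
    _event("RecordingServer.exe", "KERNELBASE.dll", "0xe0434352"),  # managed exception
    _event("notepad.exe", "ntdll.dll", "0xc0000005"),               # other process
]

if __name__ == "__main__":
    findings, modules = triage(SAMPLE_EVENTS)
    for module, count in modules.most_common():
        print(f"{count} memory-corruption crash(es) in {module}")
```

Feed `triage` the message text of Event ID 1000 entries exported from the Application log of the Recording Server host. Repeated memory-corruption faults in the same driver module on a host running a Device Pack earlier than V13.2 warrant a closer look at which devices were being scanned or added at the time.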
## References
- **Siemens Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-438590[.]pdf
- **Milestone Security Advisory:** hxxps[://]supportcommunity[.]milestonesys[.]com/s/article/CVE-2024-3506-Camera-Driver-possible-Buffer-Overflow
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/cert/advisories