Full Report
The advisory describes multiple vulnerabilities in the Central Control Server (CCS) application, as initially reported in SSA-761617 (https://cert-portal.siemens.com/productcert/html/ssa-761617.html) on 2019-12-10 and SSA-844761 (https://cert-portal.siemens.com/productcert/html/ssa-844761.html) on 2020-03-10. The vulnerabilities comprise authentication bypass (CVE-2019-18337, CVE-2019-18341), path traversal (CVE-2019-18338, CVE-2019-19290), information disclosure (CVE-2019-13947, CVE-2019-18340, CVE-2019-19291), privilege escalation (CVE-2019-18342), SQL injection (CVE-2019-19292), cross-site scripting (CVE-2019-19293, CVE-2019-19294), and insufficient logging (CVE-2019-19295). PKE has released an update for CCS that fixes the reported vulnerabilities, except for CVE-2019-18340. For details, contact PKE (https://pke.at/). Siemens recommends updating to the latest version and recommends specific countermeasures to mitigate the vulnerabilities.
Analysis Summary
# Vulnerability: Multiple Flaws in PKE Control Center Server (CCS)
## CVE Details
- **CVE ID:** CVE-2019-18337 (Primary Critical), CVE-2019-13947, CVE-2019-18338, CVE-2019-18340, CVE-2019-18341, CVE-2019-18342, CVE-2019-19290, CVE-2019-19291, CVE-2019-19292, CVE-2019-19293, CVE-2019-19294, CVE-2019-19295.
- **CVSS Score:** 9.9 (Critical) - Maximum aggregate score
- **CWE:** CWE-317, CWE-287 (Auth Bypass), CWE-22 (Path Traversal), CWE-89 (SQLi), CWE-79 (XSS), CWE-778 (Insufficient Logging).
## Affected Systems
- **Products:** Control Center Server (CCS) - An optional central server component for PKE management solutions (SiNVR/SiVMS).
- **Versions:**
  - All versions prior to V1.5.0.
  - CVE-2019-18340 affects all versions including V1.5.0 (no fix planned).
- **Configurations:** Systems with ports 5444/tcp, 5440/tcp, or the web interface exposed to untrusted networks.
## Vulnerability Description
The Central Control Server (CCS) suffers from a suite of vulnerabilities primarily residing in its XML-based communication protocol and web management interface.
- **Authentication Bypass (CVE-2019-18337):** The most severe flaw allows remote attackers to bypass authentication on the XML protocol (ports 5444/5440) to extract the entire user database, including obfuscated cleartext passwords.
- **Path Traversal:** Allows unauthorized file access via manipulated I/O requests.
- **Information Disclosure:** Sensitive data, including passwords, is transmitted in cleartext to the browser or stored insecurely.
- **Injection Flaws:** Includes SQL Injection (SQLi) and Cross-Site Scripting (XSS) in the web interface.
## Exploitation
- **Status:** PoC available / functional exploit exists (CVSS Exploit Code Maturity: Functional (F) or Proof-of-Concept (P)).
- **Complexity:** Low
- **Attack Vector:** Network (Most CVEs) / Local (CVE-2019-18340)
## Impact
- **Confidentiality:** High (Full database access, cleartext passwords)
- **Integrity:** High (Ability to modify configurations and database entries)
- **Availability:** High (Potential for service disruption via administrative commands)
## Remediation
### Patches
- **CCS V1.5.0:** Fixes all listed vulnerabilities except CVE-2019-18340. Users must contact PKE directly for update files as Siemens no longer distributes this software.
### Workarounds
- **Network Segmentation:** Apply ACLs/Firewalls to restrict access to ports 5444/tcp and 5440/tcp to legitimate systems only.
- **Service Disabling:** Disable the CCS Web Interface and FTP service if they are not strictly required for operations.
- **Internal Hardening:** For CVE-2019-18340, restrict physical and local OS access to the server to prevent unauthorized local users from exploiting information disclosure flaws.
- **Encryption:** Implement TLS for the web interface and consider IPsec for host-to-host communication.
## Detection
- **Indicators of Compromise:** Large outbound data transfers on ports 5444/5440; unexpected administrative logins; presence of directory traversal strings (`../`) in web server logs.
- **Detection methods:** Monitor for unauthorized XML-based requests to the CCS ports from unrecognized IP addresses.
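The two detection ideas above (traversal strings in web server logs, and unrecognized or unusually large client sessions on the CCS XML ports) can be turned into a small log-triage script. The following is an added example written for this page, not code from Siemens, PKE or the original researcher. It assumes a combined-format web server log, a simple CSV flow export of the form `timestamp,client_ip,server_ip,server_port,bytes_from_server`, a hypothetical management-LAN allowlist of `10.10.0.0/24`, and a hypothetical 50 MiB threshold for a "large" transfer; the log lines are constructed for the example. It generalizes the page's `../` indicator to also catch URL-encoded and backslash variants.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# CCS XML protocol ports named in the advisory.
CCS_PORTS = {5444, 5440}

# Hypothetical allowlist: networks whose hosts legitimately talk to CCS.
ALLOWED_CLIENTS = [ip_network("10.10.0.0/24")]

# Hypothetical threshold: more than this many bytes sent by CCS to one client
# on a CCS port within the log window is reported as a "large transfer".
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024

# "../" plus its URL-encoded and backslash variants.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)

# Combined-format web log line: client, ident, user, [timestamp], "request", status, size.
WEB_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample web server log (the second and third lines carry traversal attempts).
WEB_LOG = """\
10.10.0.5 - - [10/Mar/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2020:10:00:05 +0000] "GET /download?file=../../windows/win.ini HTTP/1.1" 200 94
203.0.113.7 - - [10/Mar/2020:10:00:06 +0000] "GET /download?file=..%2F..%2Fconfig.xml HTTP/1.1" 200 2048
"""

# Constructed sample flow export: timestamp,client_ip,server_ip,server_port,bytes_from_server
FLOW_LOG = """\
2020-03-10T10:00:00Z,10.10.0.5,10.10.1.2,5444,1200
2020-03-10T10:01:00Z,203.0.113.7,10.10.1.2,5444,41943040
2020-03-10T10:02:00Z,203.0.113.7,10.10.1.2,5444,20971520
2020-03-10T10:03:00Z,10.10.0.9,10.10.1.2,5440,800
2020-03-10T10:04:00Z,10.10.0.9,10.10.1.2,80,300
"""


def find_traversal(web_log: str) -> list:
    """Return web log entries whose request line contains a traversal sequence."""
    hits = []
    for line_no, line in enumerate(web_log.splitlines(), start=1):
        m = WEB_LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, _ts, request, status, _size = m.groups()
        if TRAVERSAL_RE.search(request):
            hits.append({"line": line_no, "client": client,
                         "request": request, "status": int(status)})
    return hits


def analyze_flows(flow_log: str) -> dict:
    """Flag CCS-port sessions from non-allowlisted clients and large server-to-client transfers."""
    bytes_per_client = defaultdict(int)   # (client, port) -> bytes sent by CCS
    unrecognized = []                      # (client, port) pairs outside the allowlist
    seen = set()
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, client, _server, port, nbytes = line.split(",")
        port = int(port)
        if port not in CCS_PORTS:
            continue  # only the XML protocol ports are of interest here
        key = (client, port)
        bytes_per_client[key] += int(nbytes)
        allowed = any(ip_address(client) in net for net in ALLOWED_CLIENTS)
        if not allowed and key not in seen:
            seen.add(key)
            unrecognized.append(key)
    large = [(c, p, n) for (c, p), n in bytes_per_client.items()
             if n > LARGE_TRANSFER_BYTES]
    return {"unrecognized_clients": unrecognized, "large_transfers": large}


if __name__ == "__main__":
    for hit in find_traversal(WEB_LOG):
        print(f"traversal: line {hit['line']} client {hit['client']}: {hit['request']}")
    report = analyze_flows(FLOW_LOG)
    for client, port in report["unrecognized_clients"]:
        print(f"unrecognized client {client} on CCS port {port}")
    for client, port, total in report["large_transfers"]:
        print(f"large transfer: {total} bytes from CCS to {client} on port {port}")
```

Both checks are deliberately simple so they can be dropped into an existing log pipeline: the traversal check reports every matching request rather than deduplicating, so the analyst can see the exact paths requested, and the flow check aggregates bytes per client and port over the whole window because a user-database extraction over the XML protocol may be split across several sessions.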
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/html/ssa-761844.html](https://cert-portal.siemens.com/productcert/html/ssa-761844.html)
- **PKE Contact:** [https://pke.at/](https://pke.at/)
- **Original Research:** Raphaël Rigo (Airbus Security Lab)