Full Report
Both the Event Server and the Management Server components of Siveillance Video deserialize data without sufficient validation. This could allow an authenticated remote attacker to execute code on the affected system. Siemens has released updates for the affected products and recommends updating to the latest versions. The provided cumulative hotfix releases include the fixes for both the Event Server (ES) and the Management Server (MS). Ensure the fixes are applied on all relevant servers in your deployment.
Analysis Summary
# Vulnerability: Insecure Deserialization in Siemens Siveillance Video
## CVE Details
- **CVE ID:** CVE-2023-30898 (Event Server), CVE-2023-30899 (Management Server)
- **CVSS Score:** 9.9 (Critical)
- **CWE:** CWE-502: Deserialization of Untrusted Data
## Affected Systems
- **Products:** Siveillance Video (Core, Core Plus, Advanced, and Pro)
- **Versions:**
  - 2020 R2: All versions < V20.2 HotfixRev14
  - 2020 R3: All versions < V20.3 HotfixRev12
  - 2021 R1: All versions < V21.1 HotfixRev12
  - 2021 R2: All versions < V21.2 HotfixRev8
  - 2022 R1: All versions < V22.1 HotfixRev7
  - 2022 R2: All versions < V22.2 HotfixRev5
  - 2022 R3: All versions < V22.3 HotfixRev2
  - 2023 R1: All versions < V23.1 HotfixRev1
- **Configurations:** Systems running the Event Server (ES) or Management Server (MS) components.
## Vulnerability Description
The Event Server (CVE-2023-30898) and Management Server (CVE-2023-30899) components fail to sufficiently validate data during deserialization. Deserialization of untrusted data occurs when an application takes data from an external source and converts it back into an object without verifying that the data has not been tampered with. This flaw allows an attacker to supply malicious serialized objects that, when processed by the server, execute arbitrary code.
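The missing validation is easiest to see in code. The following is an added illustration of CWE-502 written for this analysis; it is not Siveillance Video code (the product's implementation is not available here) and uses Python so that it runs anywhere. `unsafe_load` instantiates whatever type the incoming bytes name, so the sender, not the server, decides what object is built. `safe_load` first verifies an HMAC over the blob, so a tampered or unsigned payload is rejected before any object exists, and then deserializes through an allowlist of the one type the endpoint expects. The `CameraEvent` class, the signing key and the sample events are constructed for the example.

```python
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass


# Hypothetical shared secret; in a real deployment it comes from key management.
SIGNING_KEY = b"constructed-demo-key"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


@dataclass
class CameraEvent:
    """The only object type this hypothetical event endpoint should ever receive."""
    camera_id: str
    event_type: str
    timestamp: int


class DeserializationError(Exception):
    pass


def unsafe_load(blob: bytes):
    """The vulnerable pattern: build whatever object the blob describes.

    The receiver has no say in the resulting type; the sender chooses it.
    """
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only the (module, name) pairs the event format legitimately needs."""

    ALLOWED = {(CameraEvent.__module__, "CameraEvent"): CameraEvent}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise DeserializationError(f"forbidden type reference {module}.{name}") from None


def sign(payload: bytes) -> bytes:
    """Prepend an HMAC so the receiver can detect tampering before deserializing."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest() + payload


def safe_load(blob: bytes) -> CameraEvent:
    """Hardened pattern: verify integrity, then deserialize through a type allowlist."""
    if len(blob) < MAC_LEN:
        raise DeserializationError("blob too short to carry a MAC")
    mac, payload = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise DeserializationError("MAC mismatch: payload unsigned or tampered with")
    obj = RestrictedUnpickler(io.BytesIO(payload)).load()
    if not isinstance(obj, CameraEvent):
        raise DeserializationError(f"unexpected top-level type {type(obj).__name__}")
    return obj


def demo_legitimate() -> CameraEvent:
    """A signed blob of the expected type round-trips."""
    event = CameraEvent("cam-01", "motion", 1700000000)  # constructed sample
    return safe_load(sign(pickle.dumps(event)))


def demo_tampered() -> str:
    """One byte flipped after signing is caught by the MAC before any object is built."""
    blob = sign(pickle.dumps(CameraEvent("cam-01", "motion", 1700000000)))
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        safe_load(tampered)
    except DeserializationError as exc:
        return str(exc)
    return "accepted"


def demo_foreign_type() -> str:
    """A correctly signed blob is still rejected if it names a type outside the allowlist."""
    import datetime
    blob = sign(pickle.dumps(datetime.date(2023, 1, 1)))
    try:
        safe_load(blob)
    except DeserializationError as exc:
        return str(exc)
    return "accepted"


def demo_unsafe_accepts_any_type() -> str:
    """The vulnerable loader happily builds a type the endpoint never asked for."""
    import datetime
    return type(unsafe_load(pickle.dumps(datetime.date(2023, 1, 1)))).__name__


if __name__ == "__main__":
    print(demo_legitimate())
    print(demo_tampered())
    print(demo_foreign_type())
    print(demo_unsafe_accepts_any_type())
```

The order of the two checks matters: the MAC is verified before the unpickler touches the payload, so malformed or hostile bytes are never parsed unless they were produced by a holder of the key, and the allowlist then limits what even a key holder can make the server construct. The same two layers (integrity check first, strict type or schema validation second) apply to any native object-serialization format, which is why the fix for this class of bug sits in the server's deserialization path rather than in network filtering alone.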
## Exploitation
- **Status:** PoC available (indicated by CVSS "E:P" / Exploit Code Maturity: Proof-of-Concept).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Authentication:** Required (low-level privileges).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Scope:** Changed (The vulnerability can impact resources beyond the immediate security scope of the component).
## Remediation
### Patches
Siemens has released cumulative hotfixes for both ES and MS components. Users should update to the following versions or later:
- V20.2 HotfixRev14
- V20.3 HotfixRev12
- V21.1 HotfixRev12
- V21.2 HotfixRev8
- V22.1 HotfixRev7
- V22.2 HotfixRev5
- V22.3 HotfixRev2
- V23.1 HotfixRev1
### Workarounds
- No specific software workaround is provided.
- **General Mitigation:** Strictly limit and protect network access to the affected servers using firewalls and network segmentation to ensure the devices reside in a protected IT environment.
## Detection
- **Indicators of Compromise:** Monitor for unusual service account activity or unexpected outbound connections from the Management/Event Server processes.
- **Detection methods:** Inspect network traffic for unusual serialized objects directed toward ports utilized by the Event Server and Management Server. Audit system logs for unauthorized authenticated sessions.
## References
- Siemens Advisory SSA-789345: hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-789345[.]html
- Siemens ProductCERT: hxxps://www[.]siemens[.]com/cert/advisories
- Milestone ES Security Advisory: hxxps://supportcommunity[.]milestonesys[.]com/s/article/Milestone-ES-possible-Remote-Code-Execution-by-authenticated-user
- Milestone MS Security Advisory: hxxps://supportcommunity[.]milestonesys[.]com/s/article/Milestone-MS-possible-Remote-Code-Execution-by-authenticated-user