Full Report
The Video Server application in SiNVR/SiVMS solutions contains five vulnerabilities involving information disclosure (CVE-2019-19291, CVE-2019-19299), path traversal (CVE-2019-19296, CVE-2019-19297), and denial-of-service (CVE-2019-19298). PKE has released updates of the application that fix the reported vulnerabilities, except for CVE-2019-19299. This update is not available under the former Siemens OEM brand name SiNVR. For details contact PKE (https://pke.at/).
Analysis Summary
# Vulnerability: Multiple Flaws in SiNVR/SiVMS Video Server
## CVE Details
- **CVE ID:** CVE-2019-19291, CVE-2019-19296, CVE-2019-19297, CVE-2019-19298, CVE-2019-19299
- **CVSS Score:** Up to 7.5 (High)
- **CWE:**
  - CWE-313 (Cleartext Storage)
  - CWE-22 (Path Traversal)
  - CWE-20 (Improper Input Validation)
  - CWE-326 (Inadequate Encryption Strength)
## Affected Systems
- **Products:** SiNVR/SiVMS Video Server (formerly Siemens OEM, currently PKE Deutschland GmbH)
- **Versions:** All versions prior to v5.0.0; CVE-2019-19299 affects all versions up to and including v5.0.2.
- **Configurations:** Systems with FTP services (ports 21/tcp, 5411/tcp) or streaming services (port 5410/tcp) enabled.
## Vulnerability Description
The Video Server application contains five distinct security flaws:
1. **Information Disclosure (CVE-2019-19291):** FTP log files store login credentials in cleartext.
2. **Path Traversal (CVE-2019-19296):** Authenticated attackers can download arbitrary files via FTP services.
3. **Path Traversal (CVE-2019-19297):** Unauthenticated attackers can download arbitrary files via the streaming service.
4. **Denial of Service (CVE-2019-19298):** Malformed HTTP requests to the streaming service can cause a DoS condition.
5. **Weak Cryptography (CVE-2019-19299):** The streaming service uses inadequate encryption for camera passwords, allowing them to be decrypted by unauthenticated attackers.
## Exploitation
- **Status:** PoC Available (indicated by "E:P" in CVSS vectors).
- **Complexity:** Low to Medium (depending on the specific CVE).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Extraction of cleartext credentials, arbitrary file access, and decrypted camera passwords).
- **Integrity:** High (Authenticated file manipulation possible via CVE-2019-19296).
- **Availability:** High (Remote Denial of Service).
## Remediation
### Patches
- **PKE SiVMS Update:** Versions v5.0.0 and v5.0.2 address most vulnerabilities.
- **Note:** Updates are **not** available under the legacy Siemens SiNVR brand. Users must contact PKE for the updated SiVMS software.
- **Unpatched:** There is currently no planned fix for **CVE-2019-19299** (Weak Cryptography).
### Workarounds
- **Network Segmentation:** Apply ACLs/Firewalls to restrict access to Video Server ports (21, 5410, 5411) to authorized systems only.
- **Service Disabling:** Disable the two FTP services if not strictly required (Mitigates CVE-2019-19291 and CVE-2019-19296).
- **Security Hardening:** Use TLS or IPSec to encrypt and authenticate network traffic.
- **Credential Management:** For CVE-2019-19298, upgrade to v5.0.2 and enable the "additional authentication feature" for individual stream recorders.
## Detection
- **Indicators of Compromise:** Review FTP logs for unauthorized access or unusual path traversal patterns (e.g., `../`). Monitor for malformed HTTP requests causing service crashes on port 5410/tcp.
- **Detection Methods:** Vulnerability scanners targeting the specific ports; monitoring for cleartext credentials in local log file directories.
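
The log review described above, as an added example that is not part of the advisory or any vendor tooling: it flags FTP commands whose path argument contains a `..` component (including percent-encoded and backslash forms) and `PASS` entries written with a cleartext argument (CVE-2019-19291). The log line layout `<timestamp> <client> <COMMAND> <argument>` and the sample lines are constructed assumptions, because the page does not document the Video Server log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an ASSUMED layout (not the product's real format).
SAMPLE_LOG = """\
2020-03-10T08:15:02 192.0.2.10 USER operator
2020-03-10T08:15:02 192.0.2.10 PASS example-password
2020-03-10T08:15:04 192.0.2.10 RETR recordings/cam01/clip.avi
2020-03-10T08:16:40 198.51.100.7 RETR ../../config/example.ini
2020-03-10T08:16:41 198.51.100.7 RETR recordings/%2e%2e%5c%2e%2e%5cexample.ini
2020-03-10T08:17:00 192.0.2.10 RETR recordings/cam01/notes..txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]{3,4})(?:\s+(.*))?$")
# FTP commands that take a path argument.
PATH_COMMANDS = {"RETR", "STOR", "APPE", "CWD", "LIST", "NLST",
                 "DELE", "SIZE", "MDTM", "RNFR", "RNTO", "MKD", "RMD"}

def has_traversal(arg):
    """True if any path component is '..' after bounded percent-decoding."""
    decoded = arg
    for _ in range(3):  # bounded loop also catches double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Split on both separators so a backslash cannot hide a component.
    return ".." in re.split(r"[\\/]+", decoded)

def scan(log_text):
    """Return (line_number, client, finding) tuples; secrets are never echoed."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, cmd, arg = m.groups()
        cmd, arg = cmd.upper(), (arg or "")
        if cmd == "PASS" and arg and set(arg) != {"*"}:
            findings.append((lineno, client, "cleartext-credential"))
        elif cmd in PATH_COMMANDS and has_traversal(arg):
            findings.append((lineno, client, "path-traversal"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The component-wise check avoids flagging ordinary file names that merely contain two dots, such as `notes..txt` in the last sample line.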
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-844761[.]html
- **PKE Official Site:** hxxps[://]pke[.]at/
- **Related CCS Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-761844[.]html