SB2019121312 - Multiple vulnerabilities in Siemens SiNVR 3




Published: December 13, 2019 Updated: December 13, 2019

Security Bulletin ID: SB2019121312
Severity: High
Patch available: NO
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 29%, Medium 57%, Low 14%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Cleartext transmission of sensitive information (CVE-ID: CVE-2019-13947)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the user configuration menu in the web interface transfers user passwords in cleartext to the client (browser). A remote authenticated administrator with the ability to intercept network traffic can gain access to sensitive data.


2) Improper Authentication (CVE-ID: CVE-2019-18337)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in the XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. A remote attacker can bypass the authentication process and read the CCS users database, including the passwords of all users in obfuscated cleartext.


3) Path traversal (CVE-ID: CVE-2019-18338)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. A remote authenticated attacker can send a specially crafted HTTP request and list arbitrary directories or read files outside of the CCS application context.


4) Missing Authentication for Critical Function (CVE-ID: CVE-2019-18339)

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists because the HTTP service (default port 5401/tcp) contains an authentication bypass vulnerability. A remote attacker can read the SiNVR users database, including the passwords of all users in obfuscated cleartext.


5) Cryptographic issues (CVE-ID: CVE-2019-18340)

The vulnerability allows a local user to gain access to sensitive information on the target system.

The vulnerability exists because the affected software stores user and device passwords using weak cryptography. A local user can extract the passwords from the user database and/or the device configuration files.


6) Improper Authentication (CVE-ID: CVE-2019-18341)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in the SFTP service (default port 22/tcp). A remote attacker can bypass the authentication process and read data from the EDIR directory, e.g. the list of all configured stations.


7) Path traversal (CVE-ID: CVE-2019-18342)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the SFTP service. A remote authenticated attacker can send a specially crafted SFTP request and read arbitrary files on the system.

Note: In conjunction with CVE-2019-18341, an unauthenticated remote attacker with network access to the CCS server can exploit this vulnerability to read or delete arbitrary files, or access other resources on the same server.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.
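
With no patch listed, a defender can review which sources reach the default service ports named above. The following is an added example, not part of this bulletin or any vendor guidance: it flags accepted TCP flows to those ports from outside a management subnet. The flow-record format, host address, management subnet and sample lines are constructed assumptions.

```python
import ipaddress

# Default service ports and the CVEs this bulletin ties to each of them.
SINVR_PORTS = {
    5444: ("XML protocol", ["CVE-2019-18337", "CVE-2019-18338"]),
    5440: ("XML protocol", ["CVE-2019-18337", "CVE-2019-18338"]),
    5401: ("HTTP service", ["CVE-2019-18339"]),
    22:   ("SFTP service", ["CVE-2019-18341", "CVE-2019-18342"]),
}

# Assumptions: the address of the SiNVR/CCS host and the subnet allowed to reach it.
SINVR_HOSTS = {ipaddress.ip_address("10.20.0.5")}
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed flow records: "timestamp src dst dport proto action"
SAMPLE_FLOWS = """\
2019-12-13T08:00:01Z 10.20.0.17 10.20.0.5 5444 tcp ACCEPT
2019-12-13T08:00:04Z 192.0.2.44 10.20.0.5 5401 tcp ACCEPT
2019-12-13T08:00:09Z 192.0.2.44 10.20.0.5 22 tcp ACCEPT
2019-12-13T08:00:12Z 198.51.100.7 10.20.0.5 5440 tcp DROP
2019-12-13T08:00:15Z 192.0.2.44 10.20.0.9 22 tcp ACCEPT
malformed line
2019-12-13T08:00:20Z 192.0.2.44 10.20.0.5 443 tcp ACCEPT
"""

def find_exposure(flow_text, hosts=SINVR_HOSTS, mgmt_net=MGMT_NET):
    """Return accepted TCP flows to SiNVR default ports from outside mgmt_net."""
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        ts, src, dst, dport, proto, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if proto != "tcp" or action != "ACCEPT" or dst_ip not in hosts:
            continue
        if port in SINVR_PORTS and src_ip not in mgmt_net:
            service, cves = SINVR_PORTS[port]
            findings.append({"time": ts, "src": src, "dst": dst, "port": port,
                             "service": service, "cves": cves})
    return findings

if __name__ == "__main__":
    for f in find_exposure(SAMPLE_FLOWS):
        print(f"{f['time']} {f['src']} -> {f['dst']}:{f['port']} "
              f"({f['service']}; {', '.join(f['cves'])})")
```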