MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-175

DATE(S) ISSUED:
11/21/16

SUBJECT:
A Vulnerability in Vanderbilt Industries Siemens IP CCTV Cameras Could Allow for Administrative Credentials Disclosure

OVERVIEW:

A vulnerability has been discovered in Vanderbilt Industries Siemens IP CCTV cameras that could allow for administrative credentials disclosure. The SIEMENS-branded IP-based CCTV cameras portfolio includes a range of megapixel cameras in various configuration and mounting options. According to Vanderbilt, these products are deployed across several sectors including commercial facilities, healthcare and public health, and government facilities. Vanderbilt estimates that these products are used worldwide. Successful exploitation of this vulnerability could allow an attacker to retrieve the administrative credentials for the affected device. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • CCMW3025: All versions prior to 1.41_SP18_S1
  • CVMW3025-IR: All versions prior to 1.41_SP18_S1
  • CFMW3025: All versions prior to 1.41_SP18_S1
  • CCPW3025: All versions prior to 0.1.73_S1
  • CCPW5025: All versions prior to 0.1.73_S1
  • CCMD3025-DN18: All versions prior to v1.394_S1
  • CCID1445-DN18: All versions prior to v2635
  • CCID1445-DN28: All versions prior to v2635
  • CCID1445-DN36: All versions prior to v2635
  • CFIS1425: All versions prior to v2635
  • CCIS1425: All versions prior to v2635
  • CFMS2025: All versions prior to v2635
  • CCMS2025: All versions prior to v2635
  • CVMS2025-IR: All versions prior to v2635
  • CFMW1025: All versions prior to v2635
  • CCMW1025: All versions prior to v2635
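
An inventory triage against the affected-systems list above, as an added example that is not part of the original advisory or of any vendor tooling. The version ordering (comparing the integer runs in the firmware string left to right) is an assumption about the vendor's numbering, and the hostnames, sample firmware strings and the model "XYZ-1000" are constructed for illustration.

```python
import re

# First fixed firmware per model, copied from the affected-systems list above.
FIXED = {
    "CCMW3025": "1.41_SP18_S1", "CVMW3025-IR": "1.41_SP18_S1",
    "CFMW3025": "1.41_SP18_S1",
    "CCPW3025": "0.1.73_S1", "CCPW5025": "0.1.73_S1",
    "CCMD3025-DN18": "v1.394_S1",
    **{m: "v2635" for m in (
        "CCID1445-DN18", "CCID1445-DN28", "CCID1445-DN36", "CFIS1425",
        "CCIS1425", "CFMS2025", "CCMS2025", "CVMS2025-IR", "CFMW1025",
        "CCMW1025")},
}

def version_key(version):
    """Assumed ordering: the integer runs in the string, compared left to right."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def triage(model, firmware):
    """Return 'not-listed', 'review', 'vulnerable' or 'fixed' for one device."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"      # model does not appear in the advisory
    key = version_key(firmware or "")
    if not key:
        return "review"          # blank or unparseable version: check by hand
    return "vulnerable" if key < version_key(fixed) else "fixed"

# Constructed sample inventory (hostname, model, firmware); not real devices.
INVENTORY = [
    ("cam-lobby", "CCMW3025", "1.41_SP17"),
    ("cam-dock", "CCMW3025", "1.41_SP18_S1"),
    ("cam-gate", "CCID1445-DN28", "v2601"),
    ("cam-roof", "CFMS2025", ""),
    ("cam-lab", "XYZ-1000", "v1"),   # hypothetical model, not in the advisory
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as "review" have no usable firmware string in the inventory and should be checked on the device itself.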

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: N/A

TECHNICAL SUMMARY:

A vulnerability has been discovered in Vanderbilt Industries Siemens IP CCTV Cameras that could allow for administrative credentials disclosure. The vulnerability can be exploited when an attacker sends specially crafted requests to the camera’s web server.

Successful exploitation of this vulnerability could allow an attacker to retrieve the administrative credentials for the affected device. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the updates provided by Siemens immediately after appropriate testing.
  • Until patches can be applied, restricting access to the integrated web server with appropriate mechanisms is recommended.
  • Operate the devices within a trusted network.
  • Enable authentication on the web server.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Siemens Security Advisory by Siemens Product CERT:
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-284765.pdf

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9155

ICS-CERT:
https://ics-cert.us-cert.gov/advisories/ICSA-16-322-01
