CVE-2019-18339
📋 TL;DR
This vulnerability allows remote attackers to bypass authentication on SiNVR/SiVMS Video Server and access the user database containing obfuscated passwords. All versions before V5.0.0 are affected when the HTTP service (port 5401/tcp) is accessible.
💻 Affected Systems
- SiNVR Video Server
- SiVMS Video Server
📦 What is this software?
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of video surveillance system, credential theft enabling lateral movement, and potential physical security breach.
Likely Case
Unauthorized access to video feeds, user credential theft, and potential system manipulation.
If Mitigated
Limited impact if system is isolated behind firewalls with strict network segmentation.
🎯 Exploit Status
Simple HTTP request to bypass authentication and access user database.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V5.0.0 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf
Restart Required: Yes
Instructions:
1. Download V5.0.0 or later from Siemens support portal. 2. Backup configuration and data. 3. Install update following vendor documentation. 4. Restart service/system.
🔧 Temporary Workarounds
Network Isolation
allBlock access to vulnerable HTTP service (port 5401/tcp) from untrusted networks.
netsh advfirewall firewall add rule name="Block SiVMS Port" dir=in action=block protocol=TCP localport=5401
iptables -A INPUT -p tcp --dport 5401 -j DROP
Access Control Lists
allRestrict access to port 5401 to only trusted management IP addresses.
netsh advfirewall firewall add rule name="Restrict SiVMS" dir=in action=allow protocol=TCP localport=5401 remoteip=192.168.1.0/24
iptables -A INPUT -p tcp --dport 5401 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5401 -j DROP
🧯 If You Can't Patch
- Isolate system on dedicated VLAN with no internet access
- Implement strict firewall rules allowing only necessary traffic from trusted sources
🔍 How to Verify
Check if Vulnerable:
Check version in SiVMS/SiNVR web interface or installation directory. If version < 5.0.0, system is vulnerable.Check Version:
Check web interface at http://[server]:5401 or examine installed program version in Windows Control Panel.Verify Fix Applied:
Confirm version is V5.0.0 or later in system settings and test authentication bypass attempts fail.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to user database endpoints
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- HTTP requests to port 5401 accessing /users or similar database endpoints without authentication headers
SIEM Query:
source_port=5401 AND (uri_path CONTAINS "users" OR uri_path CONTAINS "database") AND NOT (http_auth EXISTS)