CVE-2019-6580 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2019-6580?

CVE-2019-6580 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated attackers with network access to port 80/TCP to modify device properties in Siemens Siveillance VMS systems. Successful exploitation compromises confidentiality, integrity, and availability of the video management system. Affected systems include Siveillance VMS 2017 R2 through 2019 R1 versions below specified patches.

📋 TL;DR

This vulnerability allows unauthenticated attackers with network access to port 80/TCP to modify device properties in Siemens Siveillance VMS systems. Successful exploitation compromises confidentiality, integrity, and availability of the video management system. Affected systems include Siveillance VMS 2017 R2 through 2019 R1 versions below specified patches.

💻 Affected Systems

Products:

Siveillance VMS 2017 R2
Siveillance VMS 2018 R1
Siveillance VMS 2018 R2
Siveillance VMS 2018 R3
Siveillance VMS 2019 R1

Versions: All versions below V11.2a (2017 R2), V12.1a (2018 R1), V12.2a (2018 R2), V12.3a (2018 R3), V13.1a (2019 R1)

Operating Systems: Windows-based systems running Siveillance VMS

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default configurations where the web service is enabled on port 80.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to disable security cameras, manipulate video feeds, exfiltrate sensitive footage, and disrupt physical security operations.

🟠

Likely Case

Unauthorized modification of camera settings, disabling of surveillance feeds, or manipulation of recording parameters to hide malicious activities.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to the vulnerable service.

🌐 Internet-Facing: HIGH - CVSS 9.8 indicates critical severity with no authentication required for exploitation.

🏢 Internal Only: HIGH - Even internally, any network access to port 80 could lead to system compromise.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

No authentication required, network access to port 80 is sufficient. No public exploitation known at advisory publication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V11.2a (2017 R2), V12.1a (2018 R1), V12.2a (2018 R2), V12.3a (2018 R3), V13.1a (2019 R1)

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-212009.pdf

Restart Required: Yes

Instructions:

1. Download appropriate patch version from Siemens support portal. 2. Backup system configuration. 3. Apply patch following vendor instructions. 4. Restart affected services. 5. Verify patch installation.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to Siveillance VMS web interface (port 80/TCP) to authorized management networks only.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="80" accept'
netsh advfirewall firewall add rule name="Block Siveillance HTTP" dir=in action=block protocol=TCP localport=80 remoteip=any

Disable HTTP Service

windows

Disable the vulnerable HTTP service if not required for operations.

sc stop "Siveillance Web Service"
sc config "Siveillance Web Service" start= disabled

🧯 If You Can't Patch

Implement strict network access controls to limit access to port 80/TCP only from trusted management stations.
Deploy network monitoring and intrusion detection systems to alert on unauthorized access attempts to the VMS web interface.

🔍 How to Verify

Check if Vulnerable:

Check Siveillance VMS version in administration interface and compare against patched versions listed in advisory.

Check Version:

Check via Siveillance VMS administration console under Help > About or system information panel.

Verify Fix Applied:

Verify installed version matches or exceeds patched versions: V11.2a, V12.1a, V12.2a, V12.3a, or V13.1a depending on product year.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to port 80/TCP
Unexpected device property changes in VMS logs
Failed authentication attempts from unknown IPs

Network Indicators:

Unusual HTTP traffic to VMS web interface on port 80
POST/PUT requests to device configuration endpoints from unauthorized sources

SIEM Query:

source="vms_logs" AND (event_type="config_change" OR dest_port=80) AND src_ip NOT IN (trusted_management_ips)

📊 Metadata

CVE ID: CVE-2019-6580

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-862

Published: June 12, 2019

Last Updated: November 21, 2024

🔗 References

https://cert-portal.siemens.com/productcert/pdf/ssa-212009.pdf Patch,Vendor Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-19-162-01 Third Party Advisory,US Government Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-212009.pdf Patch,Vendor Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-19-162-01 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-6580, you might also want to check these: