NEW YORK STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES CYBER SECURITY ADVISORY

ITS Advisory Number: 
2016-200
Date(s) Issued: 
Tuesday, November 22, 2016
Subject: 
NEW YORK STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES CYBER SECURITY ADVISORY
Overview: 

A vulnerability has been discovered in Vanderbilt Industries Siemens IP CCTV cameras that could allow for administrative credentials disclosure. The SIEMENS-branded IP-based CCTV cameras portfolio includes a range of megapixel cameras in various configuration and mounting options. According to Vanderbilt, these products are deployed across several sectors including commercial facilities, healthcare and public health, and government facilities. Vanderbilt estimates that these products are used worldwide. Successful exploitation of this vulnerability could allow an attacker to retrieve the administrative credentials for the affected device. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • CCMW3025: All versions prior to 1.41_SP18_S1
  • CVMW3025-IR: All versions prior to 1.41_SP18_S1
  • CFMW3025: All versions prior to 1.41_SP18_S1
  • CCPW3025: All versions prior to 0.1.73_S1
  • CCPW5025: All versions prior to 0.1.73_S1
  • CCMD3025-DN18: All versions prior to v1.394_S1
  • CCID1445-DN18: All versions prior to v2635
  • CCID1445-DN28: All versions prior to v2635
  • CCID1445-DN36: All versions prior to v2635
  • CFIS1425: All versions prior to v2635
  • CCIS1425: All versions prior to v2635
  • CFMS2025: All versions prior to v2635
  • CCMS2025: All versions prior to v2635
  • CVMS2025-IR: All versions prior to v2635
  • CFMW1025: All versions prior to v2635
  • CCMW1025: All versions prior to v2635
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
N/A
Description: 

A vulnerability has been discovered in Vanderbilt Industries Siemens IP CCTV Cameras that could allow for administrative credentials disclosure. The vulnerability can be exploited when an attacker sends specially crafted requests to the camera's web server.

Successful exploitation of this vulnerability could allow an attacker to retrieve the administrative credentials for the affected device. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 

  • After appropriate testing, Install the updates provided by Siemens to vulnerable systems.

  • Until patches can be applied, restricting access to the integrated web server with appropriate mechanisms is recommended.

  • Operate the devices within trusted network

  • Protect network access to the devices with appropriate mechanisms

  • Enable authentication on the web server

  • Apply the Principle of Least Privilege to all systems and services.

References: 

Siemens Security Advisory by Siemens Product CERT:

http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-284765.pdf

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9155

ICS-CERT:

https://ics-cert.us-cert.gov/advisories/ICSA-16-322-01

Office of Information Technology Services

Other Information

Language Access

Register to Vote

Sign up online or download and mail your application. Register Now