Vanderbilt Fixes Siemens IP Camera Hole

Thursday, November 17, 2016 @ 03:11 PM gHale


Vanderbilt Industries fixed a vulnerability in Siemens-branded IP cameras, according to a report with ICS-CERT.

This vulnerability is remotely exploitable.

Siemens reports the vulnerability affects the following versions of Siemens-branded IP cameras built by Vanderbilt Industries:
• CCMW3025: All versions prior to 1.41_SP18_S1
• CVMW3025-IR: All versions prior to 1.41_SP18_S1
• CFMW3025: All versions prior to 1.41_SP18_S1
• CCPW3025: All versions prior to 0.1.73_S1
• CCPW5025: All versions prior to 0.1.73_S1
• CCMD3025-DN18: All versions prior to v1.394_S1
• CCID1445-DN18: All versions prior to v2635
• CCID1445-DN28: All versions prior to v2635
• CCID1445-DN36: All versions prior to v2635
• CFIS1425: All versions prior to v2635
• CCIS1425: All versions prior to v2635
• CFMS2025: All versions prior to v2635
• CCMS2025: All versions prior to v2635
• CVMS2025-IR: All versions prior to v2635
• CFMW1025: All versions prior to v2635
• CCMW1025: All versions prior to v2635

A successful exploit of this vulnerability may allow the attacker to obtain administrative credentials.

Vanderbilt Industries acquired the Siemens IP Cameras business in June 2015 and released updates for the affected camera models under the Siemens brand.

The Siemens-branded IP-based CCTV cameras portfolio includes a range of megapixel cameras in various configuration and mounting options. These products see action across several sectors including commercial facilities, healthcare and public health, and government facilities. Vanderbilt estimates these products see use on a global basis.

An attacker with network access to the web server could obtain administrative credentials by sending certain requests.

CVE-2016-9155 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit it.

Vanderbilt released updates to mitigate this vulnerability. For links to the new versions for each of the affected models, please see Siemens Security Advisory SSA-284765.


