Details of VAR-202003-0775

ID

VAR-202003-0775

CVE

CVE-2019-19291

TITLE

Siemens SiNVR 3 Plain text save file vulnerability

Trust: 0.8

sources: IVD: fa26a4b9-ad52-4e6d-94d3-990bf1f05d32 // CNVD: CNVD-2020-17014

DESCRIPTION

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0). The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain log files that store login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service. SiNVR 3 is a video management platform. SiNVR 3 saves the login credentials in plain text in the log file. There is an information disclosure vulnerability in the implementation. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.97

sources: NVD: CVE-2019-19291 // JVNDB: JVNDB-2019-014872 // CNVD: CNVD-2020-17014 // CNNVD: CNNVD-202104-975 // IVD: fa26a4b9-ad52-4e6d-94d3-990bf1f05d32 // VULMON: CVE-2019-19291

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: fa26a4b9-ad52-4e6d-94d3-990bf1f05d32 // CNVD: CNVD-2020-17014

AFFECTED PRODUCTS

vendor:	siemens	model:	sinvr 3 central control server	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	sinvr 3 video server	scope:	eq	version:	*	Trust: 1.0
vendor:	シーメンス	model:	sinvr 3 video server	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinvr 3 central control server	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	sinvr central control server	scope:	eq	version:	3	Trust: 0.6
vendor:	siemens	model:	sinvr video server	scope:	eq	version:	3	Trust: 0.6
vendor:	sinvr 3 central control server	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	sinvr 3 video server	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: fa26a4b9-ad52-4e6d-94d3-990bf1f05d32 // CNVD: CNVD-2020-17014 // JVNDB: JVNDB-2019-014872 // NVD: CVE-2019-19291

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-19291
value:	MEDIUM
Trust: 1.0
productcert@siemens.com:	CVE-2019-19291
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-19291
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-17014
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202003-475
value:	MEDIUM
Trust: 0.6
IVD:	fa26a4b9-ad52-4e6d-94d3-990bf1f05d32
value:	MEDIUM
Trust: 0.2
VULMON:	CVE-2019-19291
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-19291
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2020-17014
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	fa26a4b9-ad52-4e6d-94d3-990bf1f05d32
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-19291
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2019-19291
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.6
impactScore:	3.6
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2019-014872
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: fa26a4b9-ad52-4e6d-94d3-990bf1f05d32 // CNVD: CNVD-2020-17014 // VULMON: CVE-2019-19291 // JVNDB: JVNDB-2019-014872 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202003-475 // NVD: CVE-2019-19291 // NVD: CVE-2019-19291

PROBLEMTYPE DATA

problemtype:	CWE-312	Trust: 1.0
problemtype:	CWE-313	Trust: 1.0
problemtype:	Plaintext storage of important information (CWE-312) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-014872 // NVD: CVE-2019-19291

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-475

TYPE

other

Trust: 1.4

sources: IVD: fa26a4b9-ad52-4e6d-94d3-990bf1f05d32 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202003-475

PATCH

title:	SSA-844761	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf	Trust: 0.8
title:	Patch for Siemens SiNVR 3 Plain Text Save File Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/208749	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=03dd7efb196bdf8da925c4ca8f3d02f6	Trust: 0.1
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=941d6ca22d089421a99575c44abd4248	Trust: 0.1

sources: CNVD: CNVD-2020-17014 // VULMON: CVE-2019-19291 // JVNDB: JVNDB-2019-014872

EXTERNAL IDS

db:	NVD	id:	CVE-2019-19291	Trust: 4.1
db:	SIEMENS	id:	SSA-761844	Trust: 1.7
db:	SIEMENS	id:	SSA-844761	Trust: 1.7
db:	ICS CERT	id:	ICSA-20-070-01	Trust: 1.4
db:	CNVD	id:	CNVD-2020-17014	Trust: 0.8
db:	CNNVD	id:	CNNVD-202003-475	Trust: 0.8
db:	JVN	id:	JVNVU96269392	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-014872	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021041517	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-103-10	Trust: 0.6
db:	NSFOCUS	id:	46125	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1240	Trust: 0.6
db:	IVD	id:	FA26A4B9-AD52-4E6D-94D3-990BF1F05D32	Trust: 0.2
db:	VULMON	id:	CVE-2019-19291	Trust: 0.1

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-19291	Trust: 2.0
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf	Trust: 1.7
url:	https://www.us-cert.gov/ics/advisories/icsa-20-070-01	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu96269392/index.html	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/46125	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-070-01	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-103-10	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1240	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041517	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/313.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://cert-portal.siemens.com/productcert/txt/ssa-761844.txt	Trust: 0.1

sources: CNVD: CNVD-2020-17014 // VULMON: CVE-2019-19291 // JVNDB: JVNDB-2019-014872 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202003-475 // NVD: CVE-2019-19291

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202003-475

SOURCES

db:	IVD	id:	fa26a4b9-ad52-4e6d-94d3-990bf1f05d32
db:	CNVD	id:	CNVD-2020-17014
db:	VULMON	id:	CVE-2019-19291
db:	JVNDB	id:	JVNDB-2019-014872
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202003-475
db:	NVD	id:	CVE-2019-19291

LAST UPDATE DATE

2024-08-14T12:23:34.259000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-17014	date:	2020-03-13T00:00:00
db:	VULMON	id:	CVE-2019-19291	date:	2021-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2019-014872	date:	2024-02-20T07:05:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202003-475	date:	2021-08-11T00:00:00
db:	NVD	id:	CVE-2019-19291	date:	2024-01-09T10:15:11.373

SOURCES RELEASE DATE

db:	IVD	id:	fa26a4b9-ad52-4e6d-94d3-990bf1f05d32	date:	2020-03-10T00:00:00
db:	CNVD	id:	CNVD-2020-17014	date:	2020-03-13T00:00:00
db:	VULMON	id:	CVE-2019-19291	date:	2020-03-10T00:00:00
db:	JVNDB	id:	JVNDB-2019-014872	date:	2020-03-24T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202003-475	date:	2020-03-10T00:00:00
db:	NVD	id:	CVE-2019-19291	date:	2020-03-10T20:15:19.180