CVE-2022-43400: Siemens Siveillance Video Authentication Bypass Vulnerability

CVE-2022-43400 & CVE-2024-41798

Siemens last week announced the availability of patches and mitigations for a vulnerability that can be remotely exploited to bypass security restrictions on some of the company’s Siveillance Video Mobile Server products.

Siveillance Video (formerly called Siveillance VMS) is a powerful IP video management software designed for deployments ranging from small and simple to large-scale and high-security. The Siveillance Video portfolio consists of four versions, Siveillance Video Core, Core Plus, Advanced, and Pro, addressing the specific needs of small and medium size solutions up to large complex deployments.

CVE-2022-43400

The security flaw is tracked as CVE-2022-43400, and it can be exploited by sending a specially crafted request to the targeted device. Successful exploitation could allow an attacker to gain access to the application without a valid account.

The critical vulnerability, CVE-2022-43400, is rated 9.4 on the CVSS scoring scale and has been addressed by Siemens as part of security updates issued on October 21, 2022. The bug is caused by improper handling of logins in the mobile server component for Active Directory accounts that are part of the Administrators group.

Siemens says the flaw impacts Siemens Siveillance Video Mobile Server 2022 R2 prior to v22.2a (80). Siemens strongly recommends that users update to the latest version to reduce the risk. The company also issued a mitigation that customers can apply to reduce the risk:

  • Enable the feature “Servers > Mobile Servers > Deny the built-in Administrators role access to the mobile servers” for all configured mobile servers