ICSA-21-103-10 · Published 2021-04-13 · View on CISA ICS-CERT
Siemens and PKE Control Center Server
CVSS 9.9 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities may allow an attacker to read and write arbitrary files and sensitive data and execute commands and arbitrary code.
CVEs (12)
Remediations
- Update to V1.5.0 or later version
- General (applies to all vulnerabilities listed in this advisory) - Apply ACL/firewall configuration on the CCS server to ensure that only legitimate systems are able to access the configured CCS server ports. Harden the CCS server accordingly to prevent unauthorized access. Consider applying encryption and authentication on the network (e.g., via TLS at the application level or via IPsec at the host level).
- CVE-2019-18340 - Harden the CCS server to prevent local access by unauthorized users
- CVE-2019-19290, CVE-2019-19293, CVE-2019-19294 - Disable the web interface of CCS if not used. Alternatively, restrict access from localhost only, or only to trusted hosts of CCS administrators. Enable TLS for the web interface of CCS.
- CVE-2019-19291 - Disable the FTP service of the CCS
- As a general security measure, Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.
- Currently no remediation is available
Affected Vendors
Siemens
Affected Products (2)
- Siemens · Control Center Server (CCS) · < V1.5.0
- Siemens · Control Center Server (CCS) · >= V1.5.0
Affected Sectors
Commercial Facilities