Siemens Automation License Manager vulnerable to remote takeover

published: Sept. 21, 2023

Take action: Lock down your SIEMENS ALM to internal network, and go through the mitigation measures of disabling remote connection. Then plan for a patch of the product, since even in lock down someone will eventually hack it.

Learn More

Cybersecurity researchers have identified multiple vulnerabilities in Siemens Automation License Manager (ALM), a component used to manage licenses for various industrial solutions within Siemens software products. These vulnerabilities have significant implications, affecting vital systems like

  • PCS 7,
  • TIA Portal,
  • STEP 7,

Siemens ALM, though often bundled with other Siemens products during installation, is a standalone entity requiring individual management from users. It operates on a client-server architecture, communicating over TCP port 4410. The service component operates with SYSTEM privileges and manages licenses on the system, allowing users to connect locally or remotely through the client application.

Authentication is not mandatory, but certain operations are restricted to remote connections. Default operations are considered safe, implying there are no built-in security measures for communication between the ALM client and server.

One critical vulnerability, tracked as CVE-2022-43513 permits malicious actors to move files within the target machine, potentially causing license issues due to inadequate path verification. The more severe vulnerability, tracked as CVE-2022-43514 enables attackers to bypass path sanitization, allowing arbitrary file movement between the target machine and a network share controlled by the attacker. This grants them SYSTEM-level privileges on the target system.

Exploiting these vulnerabilities can lead to remote code execution (RCE) through multiple file rename and move operations. Attackers can replace and restart the ALM service executable, effectively taking control of the affected system.

Given the widespread impact of these vulnerabilities, immediate mitigation is crucial. Users are strongly advised to update to the latest version of Automation License Manager promptly. Additionally, implementing extra security measures and adhering to Siemens' hardening guidelines is recommended. Users should also consider disabling the ALM remote connection option, even if enabled by default, to further improve security.

Siemens Automation License Manager vulnerable to remote takeover