ICSA-18-226-03 Siemens Automation License Manager

Plan PatchCVSS 8.8ICS-CERT ICSA-18-226-03Aug 7, 2018

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Siemens Automation License Manager 5 (versions before 5.3.4.4) and version 6 (before 6.0.1) contain path traversal and improper access control vulnerabilities (CWE-22, CWE-284). An unauthenticated attacker on the network can upload or overwrite arbitrary files on the License Manager system via specially crafted requests to the web interface. This could allow unauthorized file write operations that compromise the integrity and availability of the license management service. No known public exploits are currently active for these vulnerabilities.

What this means

What could happen

An attacker could upload or overwrite arbitrary files on the Automation License Manager system, potentially allowing them to execute commands or modify license and configuration data that controls access to Siemens engineering tools across your automation environment.

Who's at risk

Organizations running Siemens Automation License Manager 5 or 6 should care about this vulnerability. The License Manager handles authentication and licensing for Siemens engineering tools (TIA Portal, STEP 7, etc.) used to program and configure PLCs, controllers, and HMIs. A compromised License Manager could allow attackers to disrupt engineering work, inject backdoors into engineering tools, or tamper with licenses across your entire automation environment.

How it could be exploited

An attacker on the network sends a specially crafted request to the Automation License Manager web interface (port 8080 or 443) that bypasses path validation checks. This allows uploading or writing files to arbitrary locations on the server, potentially including executable files or license files that could disrupt engineering access or enable further system compromise.

Prerequisites

Network access to the Automation License Manager web interface (default ports 8080 or 443)
User interaction required (user must click a link or open a crafted file in the browser)
The License Manager must be installed and running on an accessible network segment

remotely exploitableno authentication requiredlow complexitypath traversal/file uploadaffects engineering access and licensingaffects availability and integrity of engineering tools

Exploitability

Some exploitation risk — EPSS score 2.5%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Automation License Manager 6<6.0.16.0.1

Automation License Manager 5<5.3.4.45.3.4.4

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the Automation License Manager web interface using a firewall; allow only engineering workstations that require license management

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Automation License Manager 5

HOTFIXUpdate Automation License Manager 5 to version 5.3.4.4 or later

Automation License Manager 6

HOTFIXUpdate Automation License Manager 6 to version 6.0.1 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate License Manager systems from the corporate network and restrict routing between administrative and control system networks

CVEs (2)

CVE-2018-11455 CVE-2018-11456

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e069642f-6876-4f38-b89a-f5b1a877c780

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.