OTPulse

Siemens Automation License Manager

Plan PatchCVSS 7.3ICS-CERT ICSA-20-224-07Aug 11, 2020
Siemens
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Siemens Automation License Manager contains an access control vulnerability (CWE-285) that allows local users with non-administrator privileges to access and modify license files stored on the system. Affected versions are Automation License Manager 5 (all versions) and Automation License Manager 6 (versions before 6.0.8). The vulnerability requires local access and cannot be exploited remotely. Unauthorized license file modification could disable licensing enforcement on connected industrial devices or alter their operational behavior.

What this means
What could happen
A local attacker with low-level user credentials can read license files or modify device behavior through unauthorized license manipulation, potentially affecting industrial process availability or integrity.
Who's at risk
Engineering and operations teams using Siemens Automation License Manager on manufacturing, water treatment, power generation, and other automated industrial systems. This affects any facility relying on Siemens-licensed PLCs, drives, or controllers for process control.
How it could be exploited
An attacker with local access to the License Manager system and non-administrator user credentials can access the drives where license files are stored. By reading or modifying these files, the attacker can manipulate licensing enforcement, potentially disabling safety-critical functions or altering process parameters on connected devices.
Prerequisites
  • Local access to the License Manager system
  • Non-administrator user account on the device
  • Access to file system or network shares containing license data
Local access requiredLow privilege user sufficientLicense Manager 5 has no patch availableCould affect safety-critical system licenses
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
1 with fix1 EOL
ProductAffected VersionsFix Status
Automation License Manager 6: All<V6.0.86.0.8
Automation License Manager 5: All versionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDFor License Manager 5 systems: restrict file system access to license drives for non-administrator users using OS-level permissions
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Automation License Manager to version 6.0.8 or later
Mitigations - no patch available
0/2
Automation License Manager 5: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement network access controls to limit connections to License Manager systems to authorized engineering and administrative personnel only
HARDENINGApply principle of least privilege: disable local accounts on License Manager systems unless required for maintenance, and remove unnecessary user permissions
View full CISA ICS-CERT advisory
API: /api/v1/advisories/9b4098c5-9b25-4d4c-a5a5-24274fbf406c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.