OTPulse

Siemens Automation License Manager

Action: Plan patch · CVSS 7.3 · ICS-CERT ICSA-20-224-07 · Aug 11, 2020
Attack Vector: Local
Privileges Required: Low
Complexity: Low
User Interaction: None
Summary

Siemens Automation License Manager (ALM) contains an improper authorization vulnerability (CWE-285): the application does not correctly restrict file permissions on the drives where license keys are stored, so a local user without administrator privileges can read and modify license files. Affected versions are Automation License Manager 5 (all versions) and Automation License Manager 6 (versions before 6.0.8). Exploitation requires local access to the host; the vulnerability is not remotely exploitable. Reading the files exposes license keys to copying; modifying or deleting them can defeat or break licensing enforcement for the Siemens engineering and runtime software that depends on ALM, which in turn can disrupt the processes that software controls.

What this means
What could happen
A local attacker with a standard (non-administrator) user account can read license keys or corrupt, delete or replace them. The direct impact is on the Siemens software licensed through ALM on that host; the indirect impact is on the availability and integrity of the industrial process that software engineers or operates.
Who's at risk
Engineering and operations teams running Siemens Automation License Manager on engineering workstations and HMI/SCADA hosts in manufacturing, water treatment, power generation and other automated industrial systems. Any facility whose Siemens engineering or runtime software (for example TIA Portal, STEP 7 or WinCC) is licensed through ALM is in scope.
How it could be exploited
An attacker who can log on to the License Manager host with a non-administrator account can browse the drives where license keys are stored, because the permissions ALM sets on them do not exclude ordinary users. Reading the files lets the attacker copy keys; writing to them lets the attacker corrupt or remove keys so that licensed software refuses to run, or substitute keys to tamper with licensing enforcement. No privilege escalation or user interaction is required beyond the local logon.
Prerequisites
  • Local access to the License Manager system
  • Non-administrator user account on the device
  • Access to file system or network shares containing license data
Key points:
  • Local access required
  • Low-privilege user sufficient
  • License Manager 5 has no patch available
  • Could affect licenses for safety-critical systems
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2): 1 with fix, 1 EOL
Product                       | Affected Versions | Fix Status
Automation License Manager 6  | All < V6.0.8      | Fixed in 6.0.8
Automation License Manager 5  | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For License Manager 5 systems (no fix will be released), restrict file system access to the drives and directories holding license keys so that only SYSTEM and Administrators can read or modify them, using OS-level (NTFS) permissions.
Schedule — requires maintenance window
Updating may require a host reboot; plan for process interruption if the host also runs production engineering or runtime software.

HOTFIX: Update Automation License Manager to version 6.0.8 or later.
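The following PowerShell script is an added example, not code from Siemens or OTPulse. It ties the two actions above together: it reads the installed ALM version from the Windows Uninstall registry keys and flags anything below 6.0.8 (the fixed version stated in this advisory), then audits the ACL of the license-key directory for any Allow entry granted to a principal other than SYSTEM or Administrators, which is exactly the condition the vulnerability describes. With -Remediate it rebuilds the ACL so that only those two principals remain, implementing the OS-level workaround for ALM 5 hosts. The default value of $KeyRoot is a placeholder assumption; set it to the directory in which ALM keeps license keys on your host, and run the script from an elevated PowerShell.

```powershell
# Added example (not Siemens' or OTPulse's code): audit the installed Automation
# License Manager version and harden the ACL on the license-key directory so that
# only SYSTEM and Administrators can read or modify it. Run from an elevated shell.
#
# Assumptions:
#   - 6.0.8 is the fixed ALM 6 version (from the advisory); ALM 5 has no fix.
#   - $KeyRoot is the folder holding ALM license keys on this host. The default is
#     a placeholder; set it to the real key directory for your installation.
param(
    [string]$KeyRoot = 'C:\AX NF ZZ',          # placeholder, adjust to your install
    [version]$FixedVersion = [version]'6.0.8',
    [switch]$Remediate                          # audit only unless -Remediate is given
)

function Get-AlmVersion {
    # Look the product up in the standard Uninstall keys (64-bit and 32-bit views).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Automation License Manager*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# --- 1. Version check -------------------------------------------------------
$ver = Get-AlmVersion
if (-not $ver) {
    Write-Warning 'Automation License Manager not found in the Uninstall registry keys.'
} elseif ([version]$ver -lt $FixedVersion) {
    Write-Warning "ALM $ver installed: affected by ICSA-20-224-07 (fixed in $FixedVersion; ALM 5 has no fix)."
} else {
    Write-Output "ALM $ver installed: at or above $FixedVersion."
}

# --- 2. ACL audit -----------------------------------------------------------
if (-not (Test-Path -LiteralPath $KeyRoot)) {
    Write-Warning "License key directory '$KeyRoot' not found; pass -KeyRoot with the real location."
    return
}

# Only these principals should be able to touch license keys.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$acl = Get-Acl -LiteralPath $KeyRoot
$findings = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $trusted -notcontains $_.IdentityReference.Value
})

if ($findings.Count -eq 0) {
    Write-Output "ACL on '$KeyRoot' already limits access to: $($trusted -join ', ')"
    return
}
foreach ($ace in $findings) {
    $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Warning ("Non-admin ACE on '{0}': {1} has {2} ({3})" -f
        $KeyRoot, $ace.IdentityReference, $ace.FileSystemRights, $origin)
}
if (-not $Remediate) { return }

# --- 3. Remediation ---------------------------------------------------------
# Phase 1: cut inheritance without copying the inherited ACEs, and write that back,
# because inherited entries cannot be removed from the in-memory object directly.
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -LiteralPath $KeyRoot -AclObject $acl

# Phase 2: re-read, drop every remaining explicit ACE, then grant the trusted set
# full control that inherits to all files and subfolders under the key directory.
$acl = Get-Acl -LiteralPath $KeyRoot
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }
foreach ($id in $trusted) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $KeyRoot -AclObject $acl
Write-Output "ACL on '$KeyRoot' reset to: $($trusted -join ', ')"
```

Run it once without -Remediate to see what the audit reports before changing anything. After remediation, open the ALM console and confirm it still lists and can transfer keys; if an ALM component on your host runs under a dedicated service account rather than SYSTEM, grant that account Read (not Modify) on the key directory instead of reinstating BUILTIN\Users. On ALM 6 hosts this script is only an audit aid; the fix there is the update to 6.0.8 or later.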
Mitigations - no patch available
Automation License Manager 5 (all versions) has reached end of life and the vendor will not release a patch. Apply the following compensating controls in addition to the file-permission workaround:
HARDENING: Implement network access controls so that only authorized engineering and administrative personnel can reach License Manager hosts, which limits who can obtain the local logon the attack requires.
HARDENING: Apply the principle of least privilege: disable local accounts on License Manager hosts unless they are needed for maintenance, and remove unnecessary user permissions.