Siemens Automation License Manager

MonitorCVSS 5.9ICS-CERT ICSA-21-222-02Aug 10, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

A vulnerability in Siemens Automation License Manager can be triggered by sending specially crafted packets to port 4410/TCP, causing a denial-of-service that prevents legitimate users from accessing the license management system. Affected versions are all of version 5 and version 6 prior to SP9 Update 2. While attack complexity is high and no public exploits are known, the vulnerability is remotely exploitable without authentication. Siemens released a fix for version 6 but version 5 will not be patched.

What this means

What could happen

An attacker can send crafted packets to port 4410 on the Automation License Manager, causing it to become unavailable and preventing legitimate users from accessing engineering tools and license management functions.

Who's at risk

Siemens Automation License Manager users in manufacturing plants, utilities, and facilities management who rely on the license management service to enable engineering workstations and control system software. This affects organizations running either version 5 or version 6 of the product.

How it could be exploited

An attacker with network access to port 4410/TCP on the Automation License Manager can send specially crafted packets that cause the service to crash or stop responding. This is a denial-of-service attack that does not require authentication or user interaction.

Prerequisites

Network access to port 4410/TCP on the Automation License Manager
Remote connections must be enabled on the target system

remotely exploitableno authentication requiredhigh attack complexitydenial-of-service impactversion 5 has no fix available

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

Automation License Manager 6<V6.0 SP9 Update 26.0 SP9 Update 2

Automation License Manager 5All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDDisable 'Allow Remote Connections' on the Automation License Manager settings menu if remote access is not required

WORKAROUNDRestrict network access to port 4410/TCP to only trusted systems using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Automation License Manager 6

HOTFIXUpdate Automation License Manager 6 to version 6.0 SP9 Update 2 or later

Mitigations - no patch available

0/2

Automation License Manager 5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGPlace Automation License Manager behind a firewall and isolate from business networks

HARDENINGEnsure Automation License Manager is not directly accessible from the Internet

CVEs (1)

CVE-2021-25659

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/58be7aed-cb09-43f5-a7b9-7e4145cb96da

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.