Siemens Automation License Manager

Plan PatchCVSS 8.2ICS-CERT ICSA-23-012-10Jan 10, 2023

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens Automation License Manager V5 (all versions) and V6 (before SP9 Upd4) contain two combined vulnerabilities in file handling that allow an attacker to modify and rename license files, extract licenses, and overwrite arbitrary files on the host system. This could lead to privilege escalation and remote code execution. The vulnerability requires network access to port 4410/TCP but no authentication. The affected functionality is not remotely accessible by default in V6.0 SP2 and later, but remains exploitable if remote access is explicitly enabled.

What this means

What could happen

An attacker could modify license files and overwrite arbitrary system files on the Automation License Manager host, potentially leading to privilege escalation and remote code execution. This could disrupt engineering workstation capabilities and allow unauthorized control of automation systems.

Who's at risk

Engineering teams and automation engineers who use Siemens Automation License Manager for TIA Portal and other Siemens engineering workstations. This affects organizations managing Siemens automation system licenses, particularly those with V5 installations (no patch available) or V6 installations below SP9 Upd4.

How it could be exploited

An attacker with network access to port 4410/TCP on a system running Automation License Manager V6 below SP9 Upd4 (or any version of V5) could exploit the combined file manipulation vulnerabilities to modify or extract license files and write arbitrary files to the system. In configurations with remote access enabled, this could lead to code execution on the engineering workstation.

Prerequisites

Network access to port 4410/TCP (default License Manager port)
Automation License Manager V6 version below 6.0 SP9 Upd4, or any version of V5
Remote file access functionality must be enabled (disabled by default in V6.0 SP2 and later)

remotely exploitableno authentication requiredlow complexityaffects engineering systemsno patch available for V5

Exploitability

Some exploitation risk — EPSS score 1.4%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

Automation License Manager V5All versionsNo fix (EOL)

Automation License Manager V6<V6.0 SP9 Upd46.0 SP9 Upd4

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to port 4410/TCP to only trusted engineering workstations and systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Automation License Manager V6

HOTFIXUpdate Automation License Manager V6 to version 6.0 SP9 Upd4 or later

Mitigations - no patch available

0/1

Automation License Manager V5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGSegment the network so Automation License Manager systems are isolated from business networks and unreachable from the Internet

CVEs (2)

CVE-2022-43513 CVE-2022-43514

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4f62243a-b700-4094-bd91-966c997daba1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.