Denial-of-Service Vulnerability in Automation License Manager
Monitor5.9SSA-158827Aug 10, 2021
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
A denial-of-service vulnerability in Automation License Manager allows an attacker to crash the license service by sending specially crafted packets to port 4410/tcp. When the service fails, legitimate users and automation devices cannot obtain or renew software licenses, preventing normal operations. Automation License Manager 6 versions prior to 6.0 SP9 Update 2 are affected. Automation License Manager 5 (all versions) has no vendor fix available.
What this means
What could happen
An attacker could crash the Automation License Manager service by sending malformed network packets, preventing legitimate users and devices from obtaining or renewing software licenses needed to run engineering workstations and automation systems.
Who's at risk
Organizations running Siemens Automation License Manager for TIA Portal and other engineering environments should care about this. The license manager is critical infrastructure for any facility using Siemens automation controllers, PLCs, and engineering workstations. Water authorities and utilities using Siemens HMI, SCADA, or PLC systems depend on this service to keep systems operational.
How it could be exploited
An attacker with network access to port 4410/tcp on a system running the Automation License Manager could send specially crafted packets that trigger a denial-of-service condition, crashing the license service. This does not require authentication or user interaction.
Prerequisites
- Network access to port 4410/tcp on the Automation License Manager system
- No authentication required
- Affected software must be running on the target system
remotely exploitableno authentication requiredno patch available for version 5medium complexity attackaffects critical control system support infrastructure
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
1 with fix1 EOL
ProductAffected VersionsFix Status
Automation License Manager 6< V6.0 SP9 Update 26.0 SP9 Update 2
Automation License Manager 5All versionsNo fix (EOL)
Remediation & Mitigation
0/3
Do now
0/1Automation License Manager 5
WORKAROUNDFor Automation License Manager 5 systems, implement network-based access controls to restrict inbound connections to port 4410/tcp to only authorized engineering workstations and systems that require license management
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
Automation License Manager 6
HOTFIXUpdate Automation License Manager 6 to version 6.0 SP9 Update 2 or later
Mitigations - no patch available
0/1Automation License Manager 5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGSegment the network so that license manager systems are on a separate VLAN or zone accessible only to systems that require license services, restricting exposure from untrusted networks
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/72fe52ec-d0aa-41ee-af69-12db9337695b