OTPulse

Two Vulnerabilities in Automation License Manager

Plan Patch · 8.2 · SSA-476715 · Jan 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Automation License Manager V5 and V6 (prior to 6.0 SP9 Upd4) contain two related vulnerabilities (path traversal and improper file validation) that can be combined to modify license files, extract license data, and overwrite arbitrary files on the system. An attacker with network access could potentially achieve privilege escalation or remote code execution. The affected functionality is disabled by default in V6.0 SP2 and later versions unless explicitly enabled. Siemens has released an update for V6 but states no fix is available for V5.

What this means
What could happen
An attacker who gains local network access to Automation License Manager could combine two vulnerabilities to modify license files, extract license data, and overwrite arbitrary files on the system, potentially leading to privilege escalation or code execution. The risk is primarily to systems running V5, which has no patch available.
Who's at risk
Automation License Manager is used by engineering and deployment staff at facilities running Siemens automation systems. Organizations deploying TIA Portal (Totally Integrated Automation) or other Siemens engineering environments for PLC/automation equipment should inventory their License Manager version. V5 deployments require immediate compensating controls since no patch will be released.
How it could be exploited
An attacker would need network access to the Automation License Manager service port and would exploit two weaknesses in combination: one that allows manipulation of license file paths (directory traversal) and another that permits file operations without proper validation. This could allow writing malicious files to sensitive system directories or extracting license keys for misuse. In V6.0 SP2 and later, this attack vector is blocked by default unless the service is specifically exposed or network restrictions are disabled.
Prerequisites
  • Network access to Automation License Manager service port
  • Affected version must be running (V5 all versions or V6 < 6.0 SP9 Upd4)
  • For V6, the affected functionality must be enabled (not available remotely by default in V6.0 SP2+)
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects license management (secondary impact on availability of engineering functions)
  • V5 has no patch available
Exploitability
Moderate exploit probability (EPSS 1.4%)
Affected products (2)
1 with fix · 1 EOL
Product | Affected Versions | Fix Status
Automation License Manager V6 | < V6.0 SP9 Upd4 | 6.0 SP9 Upd4
Automation License Manager V5 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
Automation License Manager V5
WORKAROUND: If running Automation License Manager V5, implement network firewall rules to restrict access to the License Manager service port to authorized engineering workstations only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Automation License Manager V6
HOTFIX: Update Automation License Manager V6 to version 6.0 SP9 Upd4 or later.
Mitigations - no patch available
Automation License Manager V5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate Automation License Manager systems to a separate OT network segment with restricted access from general IT networks.
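
Added example (not part of the advisory or any Siemens tooling): a triage helper that sorts inventoried Automation License Manager version strings into the remediation tiers above. The host names and inventory rows are constructed, and the accepted version-string shape (`V6.0 SP9 Upd4`) is an assumption based on how versions are written on this page.

```python
import re

# Thresholds taken from the advisory text above.
FIXED_V6 = (6, 0, 9, 4)          # 6.0 SP9 Upd4: first fixed V6 release
DEFAULT_OFF_FROM = (6, 0, 2, 0)  # V6.0 SP2: affected functionality off by default

# Assumed string shape: optional "V", major[.minor], optional "SPn", optional "Updn".
_VERSION_RE = re.compile(
    r"^\s*V?(\d+)(?:\.(\d+))?(?:\s*SP\s*(\d+))?(?:\s*Upd\s*(\d+))?\s*$",
    re.IGNORECASE,
)

def parse_version(text):
    """Return (major, minor, sp, upd) as ints so SP10 sorts after SP9."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ALM version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(version_text):
    """Map one version string to (tier, action) using the advisory's tiers."""
    v = parse_version(version_text)
    if v[0] == 5:
        return ("do-now", "no fix (EOL): firewall the service port, isolate the segment")
    if v[0] == 6 and v < FIXED_V6:
        action = "update to 6.0 SP9 Upd4 or later"
        if v >= DEFAULT_OFF_FROM:
            action += "; confirm the affected functionality was not enabled"
        return ("schedule", action)
    if v[0] == 6:
        return ("ok", "at or above fixed release")
    return ("unknown", "major version not listed in the advisory")

def triage_inventory(rows):
    """Sort (host, version) rows so the most urgent tier comes first."""
    order = {"do-now": 0, "schedule": 1, "unknown": 2, "ok": 3}
    results = [(host, ver, *triage(ver)) for host, ver in rows]
    return sorted(results, key=lambda r: order[r[2]])

# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    ("eng-ws-01", "V6.0 SP9 Upd4"),
    ("eng-ws-02", "6.0 SP9 Upd3"),
    ("eng-ws-03", "V5.3 SP3"),
    ("eng-ws-04", "V6.0 SP10"),
    ("eng-ws-05", "V6.0 SP1"),
]

if __name__ == "__main__":
    for host, ver, tier, action in triage_inventory(SAMPLE):
        print(f"{host:10} {ver:15} {tier:9} {action}")
```

Comparing the parsed integer tuples rather than the raw strings is what keeps a release such as SP10 from being sorted below SP9 and misreported as affected.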