
Siemens Automation Manager Multiple Vulnerabilities

November 28, 2011
(Updated December 27, 2011)
(Updated December 20, 2011)
(Updated December 2, 2011)

Security researcher Luigi Auriemma has discovered multiple vulnerabilities in Siemens Automation License Manager (ALM), which can be exploited by malicious people to cause a DoS (Denial of Service) and manipulate certain data.

1) ALM does not check the length of a field used in various commands sent to the almsrvx.exe server application via port 4410/tcp, causing a buffer overflow condition with the potential for remote code execution.

2) In multiple cases, almsrvx.exe does not check the length of fields when processing certain requests. These can be exploited to cause an unhandled exception that terminates the service, enabling a denial-of-service attack via a specially crafted packet sent to port 4410/tcp.

3) A NULL pointer dereference error in almsrvx.exe occurs due to the application not checking the content of a field used when processing certain requests sent to almsrvx.exe via port 4410/tcp. This vulnerability causes the application to quit and enables a denial-of-service attack.

4) ALM uses an ActiveX control in its graphical user interface. This control exports a method that allows saving a file to the local hard disk. The insecure "Save()" method in the ALMListView.ALMListCtrl ActiveX control (almaxcx.dll) can be exploited to create or overwrite arbitrary files with empty content in the context of the currently logged-on user. A malicious web site that the user accesses with Internet Explorer may delete the content of any file on the system that the user is allowed to write to, or create new files.

The ALM is a component of Siemens industrial software and is necessary for licensing Siemens supervisory control and data acquisition (SCADA), human-machine interface (HMI), and engineering software.

Siemens has confirmed these vulnerabilities and has released a patch to address the issue.

Siemens software products that include ALM Version 4.0 to 5.1+SP1+Upd1 are affected by the buffer overflow, exception, and null pointer vulnerabilities. Siemens software products that include ALM Version 2.0 to 5.1+SP1+Upd2 are affected by the improper input validation vulnerability.  

ICS-CERT Advisories / Alerts

ICSA-11-361-01
ICS-ALERT-11-332-01A
ICS-ALERT-11-332-01

Vendor Website (includes Patches / Hotfixes)

Siemens Automation License Manager Product Page
Siemens Security Update for Automation License Manager (includes Patch/Update link)

Exploit Proof-of-Concept

Exploit-DB ID 18165

Common Vulnerabilities and Exposures (CVE) References

CVE-2011-4529 (Buffer Overflow)
NVD CVE-2011-4529
CVE-2011-4530 (Exception)
NVD CVE-2011-4530
CVE-2011-4531 (Null Pointer)
NVD CVE-2011-4531
CVE-2011-4532 (Improper Input Validation)
NVD CVE-2011-4532

Additional Information

Disclosure (Luigi Auriemma)
Exploit-DB ID 18165
Secunia Advisory #46979
Secunia Vulnerability Report and Statistics on Siemens Automation License Manager 5.x
Secunia Vulnerability Report and Statistics on Siemens Automation License Manager ActiveX Control 5.x
Security Focus Vulnerability Info and Exploit Bugtraq ID 50830
Security Focus Vulnerability Info and Exploit Bugtraq ID 50831
Security Vulns ID #12072

Siemens Patches ALM Holes (ISSSource)
Siemens Investigating Vulnerabilities (ISSSource)