Siemens Automation License Manager Multiple Vulnerabilities
November 28, 2011
(Updated December 27, 2011)
(Updated December 20, 2011)
(Updated December 2, 2011)
Security researcher Luigi Auriemma has discovered multiple
vulnerabilities in Siemens Automation License Manager (ALM), which
can be exploited by malicious people to cause a DoS (Denial
of Service), manipulate certain data, and potentially execute
arbitrary code.
1) ALM does not check the length of a field used in various
commands sent to the almsrvx.exe server application via port
4410/tcp. A specially crafted packet causes a buffer overflow,
with the potential for remote code execution.
2) In multiple cases, almsrvx.exe does not check the length of
fields when processing certain requests. A specially crafted
packet sent to port 4410/tcp can trigger an unhandled exception
that terminates the service, enabling a denial-of-service attack.
3) A NULL pointer dereference occurs in almsrvx.exe because the
application does not check the content of a field used when
processing certain requests received via port 4410/tcp. A
specially crafted request causes the application to exit,
enabling a denial-of-service attack.
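Items 1 through 3 are all instances of the same defect: a server trusts a length or content field taken from the network before using it. The following C program is an added illustration of that bug class and its fix; it is not ALM code, and the request layout (a 1-byte command, a 2-byte big-endian length, then a name field), the 64-byte buffer, the command id and the license table are all constructed for the example. seats_vulnerable() shows the unchecked shape (stack overflow from an oversized declared length, over-read from a declared length longer than the packet, NULL dereference from an unknown name); seats_hardened() validates every assumption before use.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified request layout for this illustration only;
 * it is NOT the real ALM protocol spoken on 4410/tcp:
 *   byte 0     : command id
 *   bytes 1-2  : declared length of the name field, big-endian
 *   bytes 3..  : name field (declared-length bytes, no terminator)
 */
#define HDR_LEN   3
#define FIELD_MAX 64      /* hypothetical fixed server-side buffer */
#define CMD_SEATS 0x01    /* hypothetical "seats for license" command */

struct license { const char *name; int seats; };

/* Hypothetical in-memory license table. */
static const struct license licenses[] = {
    { "STEP7", 5 },
    { "WINCC", 2 },
};

/* Returns NULL when the name is unknown; callers must check for that. */
const struct license *find_license(const char *name)
{
    for (size_t i = 0; i < sizeof licenses / sizeof licenses[0]; i++)
        if (strcmp(licenses[i].name, name) == 0)
            return &licenses[i];
    return NULL;
}

/* VULNERABLE pattern (items 1-3): trusts the declared length and the field
 * content. Never run this on untrusted input; it exists only to show the
 * shape of the defect. */
int seats_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char field[FIELD_MAX];
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    (void)pkt_len;                           /* bytes actually received are ignored */
    memcpy(field, pkt + HDR_LEN, declared);  /* declared > FIELD_MAX: stack overflow;
                                                declared > received: over-read */
    field[declared] = '\0';                  /* out-of-bounds write when declared >= FIELD_MAX */
    return find_license(field)->seats;       /* unknown name: NULL pointer dereference */
}

/* Result codes of the hardened handler; negative values are rejections. */
enum { ERR_TRUNCATED = -1, ERR_TOO_LONG = -2, ERR_BAD_CMD = -3,
       ERR_BAD_CONTENT = -4, ERR_UNKNOWN = -5 };

/* HARDENED handler: every length and content assumption is checked first. */
int seats_hardened(const uint8_t *pkt, size_t pkt_len)
{
    char field[FIELD_MAX];
    if (pkt_len < HDR_LEN) return ERR_TRUNCATED;
    if (pkt[0] != CMD_SEATS) return ERR_BAD_CMD;
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (declared > pkt_len - HDR_LEN) return ERR_TRUNCATED;     /* would read past the packet */
    if (declared >= FIELD_MAX) return ERR_TOO_LONG;             /* would not fit with the NUL */
    for (size_t i = 0; i < declared; i++)
        if (!isprint(pkt[HDR_LEN + i])) return ERR_BAD_CONTENT; /* reject control/binary bytes */
    memcpy(field, pkt + HDR_LEN, declared);
    field[declared] = '\0';
    const struct license *l = find_license(field);
    if (l == NULL) return ERR_UNKNOWN;                          /* explicit NULL check */
    return l->seats;
}

/* Builds a request whose declared length may disagree with the real one,
 * so the mismatch cases can be exercised. Returns bytes written, 0 on error. */
size_t build_request(uint8_t *buf, size_t buf_len, uint16_t declared, const char *name)
{
    size_t n = strlen(name);
    if (buf_len < HDR_LEN + n) return 0;
    buf[0] = CMD_SEATS;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + HDR_LEN, name, n);
    return HDR_LEN + n;
}

/* Convenience: build one request and run it through the hardened handler. */
int scenario(uint16_t declared, const char *name)
{
    uint8_t pkt[512];
    size_t len = build_request(pkt, sizeof pkt, declared, name);
    return len ? seats_hardened(pkt, len) : ERR_TRUNCATED;
}

int main(void)
{
    char long_name[101];
    memset(long_name, 'A', 100); long_name[100] = '\0';
    printf("valid request          -> %d\n", scenario(5, "STEP7"));        /* 5 */
    printf("declared > received    -> %d\n", scenario(0xFFFF, "STEP7"));   /* -1 */
    printf("declared >= buffer     -> %d\n", scenario(100, long_name));    /* -2 */
    printf("binary bytes in field  -> %d\n", scenario(2, "\x01\x02"));     /* -4 */
    printf("unknown license name   -> %d\n", scenario(5, "NOPE!"));        /* -5 */
    /* seats_vulnerable() on the same inputs would overflow or crash. */
    return 0;
}
```

The order of the checks matters: the received length is compared before the buffer size so an attacker cannot make the server read beyond the packet, and the content check runs before the copy so a non-printable field never reaches the lookup. The same three checks (received length, buffer capacity, field content) are what a protocol-level fuzzer for almsrvx.exe would be probing for.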
4) ALM uses an ActiveX control in its graphical user
interface. This control exports a method that allows saving
a file to the local hard disk. The insecure "Save()" method in the
ALMListView.ALMListCtrl ActiveX control (almaxcx.dll) can be
exploited to create or overwrite arbitrary files with empty
content in the context of the currently logged-on user. A
malicious web site that the user accesses with Internet
Explorer may delete the content of any file on the system
that the user is allowed to write to, or create new files.
The ALM is a component of Siemens industrial software and is
necessary for licensing Siemens supervisory control and data
acquisition (SCADA), human-machine interface (HMI), and
engineering software.
Siemens has confirmed these vulnerabilities and has released
updates that address them.
Siemens software products that include ALM Version 4.0 through
5.1+SP1+Upd1 are affected by the buffer overflow, unhandled
exception, and NULL pointer dereference vulnerabilities (items 1
through 3). Siemens software products that include ALM Version 2.0
through 5.1+SP1+Upd2 are affected by the ActiveX improper input
validation vulnerability (item 4). Because ALM ships as a component
of other Siemens packages, check the installed ALM version itself
rather than the version of the product that bundles it.