Security
Headlines
HeadlinesLatestCVEs

Headline

Siemens ALM 0-Day Vulnerabilities Posed Full Remote Takeover Risk

By Waqas Tel Aviv-based firm OTORIO’s cybersecurity research team identified and reported these vulnerabilities. This is a post from HackRead.com Read the original post: Siemens ALM 0-Day Vulnerabilities Posed Full Remote Takeover Risk

HackRead
#vulnerability#mac#rce#auth#zero_day

****KEY FINDINGS****

  • Two 0-day vulnerabilities in Siemens Automation License Manager (ALM) could allow attackers to execute code remotely on target systems.

  • The vulnerabilities could be exploited to take control of industrial systems, such as those used in manufacturing and power generation.

  • Siemens has released security advisories for the vulnerabilities and is working on a fix.

  • Users are advised to upgrade to the latest version of ALM or apply the workarounds provided in the advisories.

  • The vulnerabilities highlight the importance of keeping industrial systems up-to-date and secure.

The cybersecurity researchers at OTORIO discovered multiple 0-day vulnerabilities in Siemens ALM (Automation License Manager), a crucial component of Siemens software products used to manage licenses for various industrial solutions. The impact of these vulnerabilities is far-reaching, affecting systems such as PCS 7, TIA Portal, STEP 7, SIMATIC HMI, SIMOTION, SIMATIC NET, SINAMICS, and SIMOCODE.

****The Alarming Discovery****

OTORIO Research first alerted Siemens to these vulnerabilities last year, highlighting their severity, particularly because ALM is enabled by default on all PCS 7 servers they tested. Earlier this year, they detailed the potential attack vectors associated with these vulnerabilities, emphasizing the urgency of patching or mitigating them. This warning was essential because the successful exploitation of these vulnerabilities could result in significant damage.

In their latest disclosure, OTORIO provides additional technical details that shed light on these vulnerabilities, helping stakeholders better understand and enhance the security of affected systems.

****Understanding ALM’s Role****

Siemens ALM, while often bundled with other Siemens products during installation, is a separate entity that requires independent attention from users. It operates on a client-server architecture, communicating over TCP port 4410. The service component runs with SYSTEM privileges and manages licenses on the system, while users can connect to it locally or remotely through the client application.

Authentication is not mandatory, but some operations are restricted to remote connections. Default operations are considered safe, which means there are no built-in security measures for communication between the ALM client and server.

****Vulnerabilities Unveiled****

One of the critical vulnerabilities, identified as CVE-2022-43513, allows malicious actors to move files within the target machine. This could potentially lead to license issues due to inadequate path verification. However, the real danger comes from another vulnerability, CVE-2022-43514, which enables attackers to bypass path sanitization.

This vulnerability permits arbitrary file movement between the target machine and an arbitrary network share controlled by the attacker, ultimately granting them SYSTEM-level privileges on the target system.

****Executing Remote Code****

The exploitation of these vulnerabilities can lead to remote code execution (RCE), achieved through multiple file rename and move operations. Attackers can replace and restart the ALM service executable, effectively taking control of the affected system.

Watch as OTORIO researchers demonstrate ALM remote code execution

****Mitigation and Hardening****

Given the widespread impact of these vulnerabilities, immediate mitigation is critical. Users are strongly advised to update to the latest version of the Automation License Manager. Additionally, implementing additional security precautions and following Siemens’ hardening guidelines is recommended. Users should consider disabling the ALM remote connection option, even if it’s enabled by default, to further enhance security.

In conclusion, the vulnerabilities in Siemens ALM serve as a reminder of the importance of cybersecurity in critical industrial systems. Prompt action is necessary to prevent potential exploitation, and users are encouraged to follow best practices and hardening guidelines to safeguard their systems.

  1. Crit.IX: Flaws in Honeywell Experion DCS Risk Critical Industries
  2. WinRAR users update your software as 0-day vulnerability is found
  3. Controller-level flaws let hackers physically damage moving bridges

Related news

Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices

A set of 38 security vulnerabilities has been uncovered in wireless industrial internet of things (IIoT) devices from four different vendors that could pose a significant attack surface for threat actors looking to exploit operational technology (OT) environments. "Threat actors can exploit vulnerabilities in Wireless IIoT devices to gain initial access to internal OT networks," Israeli

Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices

A set of 38 security vulnerabilities has been uncovered in wireless industrial internet of things (IIoT) devices from four different vendors that could pose a significant attack surface for threat actors looking to exploit operational technology (OT) environments. "Threat actors can exploit vulnerabilities in Wireless IIoT devices to gain initial access to internal OT networks," Israeli

CVE-2022-43514

A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4). The affected component does not correctly validate the root path on folder related operations, allowing to modify files and folders outside the intended root directory. This could allow an unauthenticated remote attacker to execute file operations of files outside of the specified root folder. Chained with CVE-2022-43513 this could allow Remote Code Execution.

HackRead: Latest News

Hackers Leak 300,000 MIT Technology Review Magazine User Records