Siemens ALM 0-Day Vulnerabilities Posed Full Remote Takeover Risk

By Waqas, HackRead

Tel Aviv-based firm OTORIO's cybersecurity research team identified and reported these vulnerabilities.

****KEY FINDINGS****

  • Two 0-day vulnerabilities in Siemens Automation License Manager (ALM) could allow attackers to execute code remotely on target systems.

  • The vulnerabilities could be exploited to take control of industrial systems, such as those used in manufacturing and power generation.

  • Siemens has released security advisories for the vulnerabilities and is working on a fix.

  • Users are advised to upgrade to the latest version of ALM or apply the workarounds provided in the advisories.

  • The vulnerabilities highlight the importance of keeping industrial systems up-to-date and secure.

The cybersecurity researchers at OTORIO discovered multiple 0-day vulnerabilities in Siemens ALM (Automation License Manager), a crucial component of Siemens software products used to manage licenses for various industrial solutions. The impact of these vulnerabilities is far-reaching, affecting systems such as PCS 7, TIA Portal, STEP 7, SIMATIC HMI, SIMOTION, SIMATIC NET, SINAMICS, and SIMOCODE.

****The Alarming Discovery****

OTORIO Research first alerted Siemens to these vulnerabilities last year, highlighting their severity, particularly because ALM is enabled by default on all PCS 7 servers they tested. Earlier this year, they detailed the potential attack vectors associated with these vulnerabilities, emphasizing the urgency of patching or mitigating them. This warning was essential because the successful exploitation of these vulnerabilities could result in significant damage.

In their latest disclosure, OTORIO provides additional technical details that shed light on these vulnerabilities, helping stakeholders better understand and enhance the security of affected systems.

****Understanding ALM’s Role****

Siemens ALM, while often bundled with other Siemens products during installation, is a separate entity that requires independent attention from users. It operates on a client-server architecture, communicating over TCP port 4410. The service component runs with SYSTEM privileges and manages licenses on the system, while users can connect to it locally or remotely through the client application.

Authentication is not required, although some operations are restricted on remote connections. The default operations are considered safe, which means there are no built-in security measures protecting the communication between the ALM client and server.

****Vulnerabilities Unveiled****

One of the critical vulnerabilities, identified as CVE-2022-43513, stems from inadequate path verification and allows malicious actors to move files within the target machine, which could potentially lead to license issues. However, the real danger comes from another vulnerability, CVE-2022-43514, which enables attackers to bypass path sanitization.

This vulnerability permits arbitrary file movement between the target machine and an arbitrary network share controlled by the attacker, ultimately granting them SYSTEM-level privileges on the target system.
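The two CVEs above both come down to a file operation that is supposed to stay inside a designated root folder but does not. The following is an added example, not OTORIO's research code or anything from Siemens ALM, showing a weak prefix-style root check next to a containment check that normalises the path first and refuses UNC (network share) and relative targets. The root folder name, the sample paths and the naive check are all constructed for illustration; the real ALM check is not published on this page.

```python
import ntpath

# Constructed root folder for the example; ALM's real license directory is not given on this page.
LICENSE_ROOT = r"C:\ProgramData\ALM"


def naive_is_within_root(root: str, candidate: str) -> bool:
    """Illustrative weak check: a plain string-prefix test.

    It accepts '..' traversal, sibling folders that share the prefix (ALM2),
    and does nothing about network-share targets. Shown only as a contrast.
    """
    return candidate.startswith(root)


def is_within_root(root: str, candidate: str) -> bool:
    """Hardened containment check using Windows path semantics (ntpath).

    Returns True only when `candidate` is an absolute, drive-qualified path
    that, after normalisation, lies at or below `root`.
    """
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(ntpath.normpath(candidate))  # collapses '..', '.', '/' -> '\\', lowercases

    # Refuse UNC paths (\\server\share\...): the dangerous case on this page is a
    # file operation that crosses to an attacker-controlled network share.
    if cand_n.startswith("\\\\"):
        return False

    # Refuse relative ("licenses\\a.lic") and drive-relative ("C:licenses") paths;
    # only a drive letter followed by a rooted path is allowed.
    drive, rest = ntpath.splitdrive(cand_n)
    if not drive or not rest.startswith("\\"):
        return False

    # commonpath works on path components, so "C:\ProgramData\ALM2" does not
    # match "C:\ProgramData\ALM"; it raises ValueError for different drives.
    try:
        common = ntpath.commonpath([root_n, cand_n])
    except ValueError:
        return False
    return common == root_n


def check_move(src: str, dst: str, root: str = LICENSE_ROOT) -> bool:
    """Policy for a move/rename request: both endpoints must be inside the root.

    Note: this operates on path strings only. A production check would also
    resolve junctions/symlinks on the live filesystem before comparing.
    """
    return is_within_root(root, src) and is_within_root(root, dst)


if __name__ == "__main__":
    cases = [
        r"C:\ProgramData\ALM\licenses\a.lic",            # inside root
        r"C:\ProgramData\ALM\..\..\Windows\System32\x",  # traversal out of root
        r"C:\ProgramData\ALM2\x",                        # sibling folder sharing the prefix
        r"\\attacker\share\x",                           # attacker-controlled network share
        r"licenses\a.lic",                               # relative path
    ]
    for c in cases:
        print(f"{c!r:55} naive={naive_is_within_root(LICENSE_ROOT, c)!s:5} hardened={is_within_root(LICENSE_ROOT, c)}")
```

The naive check is the kind of test that passes `..` sequences and prefix-sharing siblings, while the hardened version normalises first and then compares whole path components, so the decision no longer depends on how the caller spelled the path.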

****Executing Remote Code****

The exploitation of these vulnerabilities can lead to remote code execution (RCE), achieved through multiple file rename and move operations. Attackers can replace and restart the ALM service executable, effectively taking control of the affected system.

(The original post embeds a video in which OTORIO researchers demonstrate ALM remote code execution.)

****Mitigation and Hardening****

Given the widespread impact of these vulnerabilities, immediate mitigation is critical. Users are strongly advised to update to the latest version of the Automation License Manager. Implementing further security precautions and following Siemens' hardening guidelines is also recommended. Users should consider disabling the ALM remote connection option, even though it is enabled by default, to further reduce exposure.
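Because ALM listens on TCP port 4410 without authentication (see "Understanding ALM's Role" above) and the advice here is to disable remote connections, a useful follow-up is to verify from host firewall logs whether any remote client is still reaching that port. The script below is an added example, not part of the original post or any Siemens or OTORIO tooling. It parses constructed log lines in a simplified Windows Firewall text-log layout (the field order is assumed and spelled out in the `#Fields` header), treats loopback connections as expected, and reports every allowed remote connection to port 4410, with a higher severity when the source lies outside an allow-list of engineering subnets that you supply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

ALM_PORT = 4410  # TCP port used for ALM client/server communication, per the article

# Constructed sample log in a simplified Windows Firewall text-log layout.
# These entries are made up for the example; the addresses use documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port path
2023-09-01 08:00:01 ALLOW TCP 127.0.0.1 127.0.0.1 50101 4410 RECEIVE
2023-09-01 08:00:07 ALLOW TCP 10.10.20.15 10.10.20.7 50233 4410 RECEIVE
2023-09-01 08:00:09 ALLOW TCP 198.51.100.44 10.10.20.7 41002 4410 RECEIVE
2023-09-01 08:00:12 ALLOW TCP 10.10.20.7 10.10.20.9 50300 445 SEND
2023-09-01 08:00:15 DROP TCP 203.0.113.9 10.10.20.7 39871 4410 RECEIVE
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    severity: str  # "info" for allow-listed engineering hosts, "high" otherwise
    reason: str


def analyse_alm_exposure(log_text: str, engineering_nets: Iterable[str]) -> List[Finding]:
    """Report allowed inbound TCP connections to the ALM port from non-loopback sources."""
    nets = [ipaddress.ip_network(n, strict=False) for n in engineering_nets]
    findings: List[Finding] = []

    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and the header
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed line; skip rather than crash
        date, time, action, proto, src, dst, _sport, dport, path = fields[:9]

        # Only inbound TCP traffic to the ALM port is of interest here.
        if proto != "TCP" or path != "RECEIVE" or not dport.isdigit() or int(dport) != ALM_PORT:
            continue
        if action != "ALLOW":
            continue  # a DROP means the firewall control already did its job

        ip = ipaddress.ip_address(src)
        if ip.is_loopback:
            continue  # local client on the same host: the expected, safe case

        if any(ip in net for net in nets):
            severity, reason = "info", "remote ALM connection from an allow-listed engineering network"
        else:
            severity, reason = "high", "remote ALM connection from outside the allow-listed networks"
        findings.append(Finding(f"{date} {time}", src, dst, severity, reason))

    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    """Small summary helper so a run can be reduced to a single triage line."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    # The engineering subnet is an assumed value for this example.
    results = analyse_alm_exposure(SAMPLE_LOG, ["10.10.20.0/24"])
    for f in results:
        print(f"[{f.severity.upper():4}] {f.timestamp} {f.src} -> {f.dst}:{ALM_PORT}  {f.reason}")
    print("summary:", count_by_severity(results))
```

If the goal is the article's stronger recommendation (no remote ALM connections at all), run it with an empty allow-list so every non-loopback connection to 4410 is reported as high.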

In conclusion, the vulnerabilities in Siemens ALM serve as a reminder of the importance of cybersecurity in critical industrial systems. Prompt action is necessary to prevent potential exploitation, and users are encouraged to follow best practices and hardening guidelines to safeguard their systems.


Related news

Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices

A set of 38 security vulnerabilities has been uncovered in wireless industrial internet of things (IIoT) devices from four different vendors that could pose a significant attack surface for threat actors looking to exploit operational technology (OT) environments. "Threat actors can exploit vulnerabilities in Wireless IIoT devices to gain initial access to internal OT networks," Israeli

CVE-2022-43514

A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4). The affected component does not correctly validate the root path on folder related operations, allowing to modify files and folders outside the intended root directory. This could allow an unauthenticated remote attacker to execute file operations of files outside of the specified root folder. Chained with CVE-2022-43513 this could allow Remote Code Execution.