After confirming the vulnerabilities, Siemens released a patch to fix four holes in its Automation License Manager (ALM) application.
The patch is for four vulnerabilities which include a buffer overflow, an exception, null pointer and improper input validation, according to a report from ICS-CERT. ICS-CERT has not validated the patch.
Independent researcher Luigi Auriemma publicly disclosed the four vulnerabilities along with proof-of-concept (PoC) exploit code.
Siemens software products that include ALM Version 4.0 to 5.1+SP1+Upd1 suffer from the buffer overflow, exception, and null pointer vulnerabilities. Siemens software products that include ALM Version 2.0 to 5.1+SP1+Upd2 suffer from the improper input validation vulnerability.
Successful exploitation of these vulnerabilities could result in denial of service, write to memory, file corruption, or remote code execution.
Siemens ALM is an application that centrally manages licenses for various Siemens products. The products contact ALM either locally or remotely to verify their license. This software sees use in industries including: food and beverage, water and wastewater, oil and gas, and chemical.
For the buffer overflow, ALM does not check the length of a field used in various commands sent to the server via TCP port 4410. This vulnerability may lead to remote code execution.
CVE-2011-4529 is the number assigned to this vulnerability. Siemens calculated a CVSS V2 base score of 8.3.
For the exception, ALM does not check the length of fields used in various commands sent to the server via TCP Port 4410. These vulnerabilities can cause exceptions within the application, which cause the application to quit and enable denial-of-service attacks.
CVE-2011-4530 is the number assigned to this vulnerability. Siemens calculated a CVSS V2 base score of 6.1.
For the null pointer, ALM does not check the content of a field used for command sent to the server via TCP port 4410. This vulnerability causes a null pointer dereference, which can cause the application to quit and enable a Denial-of-Service attack.
CVE-2011-4531 is the number assigned to this vulnerability. Siemens calculated a CVSS v2 base score of 6.1.
For the improper input validation, ALM uses an ActiveX control in its graphical user interface. This control exports a method that allows saving a file to the local hard disk. A malicious web site the user accesses with Internet Explorer may delete the content of any file on the system the user can write to, and create new files.
CVE-2011-4532 is the number assigned to this vulnerability. Siemens calculated a CVSS v2 base score of 8.8.
These vulnerabilities are all remotely exploitable. Crafting a working exploit for these vulnerabilities would require a moderate skill level. Social engineering is one area that will help exploit the improper input validation vulnerability.
Siemens released a patch to address these vulnerabilities. Customers of vulnerable versions of Siemens ALM should deploy the patch.
For more information, please click on the Siemens’ Security Advisory announcement.