0DAY.news (Copyright © 2023) — OTORIO, a cybersecurity research team based in Tel Aviv, recently uncovered and reported two zero-day vulnerabilities in Siemens Automation License Manager (ALM).

These vulnerabilities could allow an attacker to remotely execute code on targeted systems. Because ALM is bundled with Siemens engineering and control software, a successful exploit could compromise systems used in manufacturing and power generation. Siemens responded promptly by releasing security advisories for the vulnerabilities and is actively working on a fix. To mitigate the risk, users are strongly urged to upgrade to the latest version of ALM or to apply the workarounds provided in the advisories. The discovery is a reminder of how essential it is to keep such systems up to date and securely configured.

OTORIO's cybersecurity researchers recently published their findings on two zero-day vulnerabilities in Siemens ALM (Automation License Manager). ALM is a critical component that manages licenses for Siemens solutions including PCS 7, TIA Portal, STEP 7, SIMATIC HMI, SIMOTION, SIMATIC NET, SINAMICS, and SIMOCODE.

The Alarming Discovery
Last year, OTORIO Research first alerted Siemens to these vulnerabilities and emphasized their severity. Of particular concern was that ALM was found to be enabled by default on all tested PCS 7 servers.
This year, the researchers followed up with information about the ways in which the vulnerabilities could be exploited, stressing the urgency of fixing them given the harm they could cause.

In its disclosure, OTORIO shared technical insights into the vulnerabilities to help stakeholders understand them and improve the security of affected systems.

Understanding the Role of ALM
Siemens ALM deserves attention from users because it is typically installed alongside other Siemens products, often without the user noticing. It uses a client-server architecture and communicates over TCP port 4410. The service component runs with SYSTEM privileges and manages the licenses on the host, while users connect to it locally or remotely with the client application.

Authentication is not required. Certain operations are restricted to local connections, and the operations allowed remotely are by default considered safe; however, there are no security measures in place to protect the communication between the ALM client and server.

Revealing Vulnerabilities
The first vulnerability, CVE-2022-43513, permits an attacker to rename and move files on the targeted machine. On its own this mainly threatens license availability, because the paths supplied by the client are not verified properly. The more significant threat is the second vulnerability, CVE-2022-43514, which allows an attacker to bypass the path sanitization that is meant to confine file operations to the ALM directory.
Combined, the two flaws let an attacker move files between the target machine and a network share they control, which gives them high-level access to the target system.
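The root-path validation that CVE-2022-43514 bypasses is, in general terms, a check that a client-supplied path stays inside a permitted directory. The Python below is an added illustration and is neither OTORIO's nor Siemens' code, nor a reconstruction of the actual ALM bug: it contrasts a weak string-prefix check with a hardened one that canonicalises the path with Windows semantics (the standard library's ntpath, so it runs the same on any host), rejects UNC shares and checks drive and path components. The license root, the sample paths and the function names are hypothetical.

```python
import ntpath

# Hypothetical ALM license root used for illustration; the article does not
# state the real directory.
LICENSE_ROOT = r"C:\ProgramData\Siemens\Automation\ALM"


def naive_within_root(root: str, candidate: str) -> bool:
    """Weak check: raw string-prefix comparison on the client input.
    It does not normalise '..' segments or mixed separators, and it
    cannot tell 'ALMx' apart from 'ALM'."""
    return candidate.lower().startswith(root.lower())


def strict_within_root(root: str, candidate: str) -> bool:
    """Hardened check: normalise both paths with Windows rules, require an
    absolute path on the same local drive as the root (no UNC shares) and
    require the root to be a component-wise prefix of the candidate."""
    root_n = ntpath.normpath(root)
    cand_n = ntpath.normpath(candidate)
    if not ntpath.isabs(cand_n):
        return False
    root_drive, _ = ntpath.splitdrive(root_n)
    cand_drive, _ = ntpath.splitdrive(cand_n)
    # A UNC drive (\\host\share) would let the file operation reach a
    # remote share; a different drive letter is outside the root as well.
    if cand_drive.startswith("\\\\") or cand_drive.lower() != root_drive.lower():
        return False
    try:
        common = ntpath.commonpath([root_n, cand_n])
    except ValueError:  # mixed absolute/relative paths or different drives
        return False
    return common.lower() == root_n.lower()


def move_allowed(root: str, src: str, dst: str) -> bool:
    """A rename/move is only acceptable if both endpoints stay inside root."""
    return strict_within_root(root, src) and strict_within_root(root, dst)


# Constructed sample inputs, one per bypass class a practitioner should test.
SAMPLE_PATHS = {
    "legit": LICENSE_ROOT + r"\licenses\A9B1.lic",
    "traversal": LICENSE_ROOT + r"\..\..\..\..\Windows\System32\evil.dll",
    "mixed_sep": LICENSE_ROOT + "/../../../../Windows/System32/evil.dll",
    "sibling_dir": LICENSE_ROOT + r"x\evil.dll",
    "unc_share": r"\\attacker-share\drop\evil.dll",
    "other_drive": r"D:\licenses\A9B1.lic",
}


def compare_checks() -> dict:
    """Return {name: (naive_result, strict_result)} for every sample path."""
    return {
        name: (naive_within_root(LICENSE_ROOT, p), strict_within_root(LICENSE_ROOT, p))
        for name, p in SAMPLE_PATHS.items()
    }


if __name__ == "__main__":
    for name, (naive, strict) in compare_checks().items():
        print(f"{name:12s} naive={naive!s:5s} strict={strict}")
```

The prefix check accepts the traversal, the mixed-separator variant and the sibling directory, all of which the hardened check rejects. The UNC case is included because the disclosure describes files being moved to an attacker-controlled share: a validator that only looks at the relative part of a path, or that never considers UNC drives at all, would not stop it, so the hardened version rejects it explicitly rather than by accident.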

Executing Code Remotely
Chaining the two vulnerabilities leads to remote code execution (RCE) using nothing more than file rename and move operations: the attacker places a file of their choosing on the target and then restarts the ALM service, which runs as SYSTEM, to get it executed, effectively taking over the affected system.

Mitigation and Strengthening Security
Given the impact of these vulnerabilities, mitigation should not be delayed. Users are strongly advised to update Automation License Manager to the latest version. In addition, follow Siemens' hardening guidelines and the general security measures they recommend for industrial environments. Where remote license management is not needed, it is wise to disable ALM's remote connection option, even though it is enabled by default, as this removes the remote attack surface.

In summary, these vulnerabilities in Siemens ALM are a reminder of how important cybersecurity is in industrial systems. Preventing exploitation requires prompt action, so users are encouraged to adhere to best practices and follow the vendor's guidelines for securing their systems.