Full Report
A vulnerability was identified in the Automation License Manager software that could be triggered by sending specially crafted packets to port 4410/tcp of an affected system. This could cause a denial-of-service preventing legitimate users from using the system. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Denial-of-Service in Siemens Automation License Manager
## CVE Details
- **CVE ID:** CVE-2024-44087
- **CVSS Score:** 8.6 (High) [v3.1] / 9.2 (Critical) [v4.0]
- **CWE:** CWE-190 (Integer Overflow or Wraparound)
## Affected Systems
- **Products:** Siemens Automation License Manager (ALM)
- **Versions:**
- Automation License Manager V5: All versions
- Automation License Manager V6.0: All versions prior to V6.0 SP12 Upd3
- Automation License Manager V6.2: All versions prior to V6.2 Upd3
- **Configurations:** Systems where the ALM service is listening on port 4410/tcp (especially if "Allow Remote Connections" is enabled).
## Vulnerability Description
Affected versions of the Automation License Manager do not properly validate specific fields in incoming network packets received on port 4410/tcp. An unauthenticated remote attacker can send specially crafted packets to trigger an integer overflow. This leads to an application crash, resulting in a Denial-of-Service (DoS) state. Because many Siemens software products rely on ALM for license verification, this crash can prevent those dependent products from functioning correctly.
## Exploitation
- **Status:** Not exploited (No reports of exploitation in the wild at this time; reported via coordinated disclosure).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The application crashes, rendering the licensing service unavailable).
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **Automation License Manager V6.0:** Update to V6.0 SP12 Upd3 or later.
- **Automation License Manager V6.2:** Update to V6.2 Upd3 or later.
- **Note:** No fix is currently planned for Automation License Manager V5; users should migrate to a supported version or apply workarounds.
### Workarounds
In cases where patches cannot be applied immediately:
- **Disable Remote Access:** Uncheck "Allow Remote Connections" in the Automation License Manager settings menu.
- **Network Filtering:** If remote connections are required, use firewalls to restrict access to port 4410/tcp only to known, trusted systems.
## Detection
- **Indicators of Compromise:** Unexpected crashing of the `ALM` service; service logs indicating malformed packets or unexpected restarts.
- **Detection methods and tools:** Monitor network traffic for unusual or malformed traffic directed at port 4410/tcp. Use endpoint monitoring to alert on the termination of the Automation License Manager process.
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-103653[.]html
- **Download Link:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/114358/
- **Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security