Full Report
Siemens Automation License Manager contains two vulnerabilities which, when combined, could allow an attacker to modify and rename license files, extract licenses and overwrite arbitrary files on the target system, potentially leading to privilege escalation and remote code execution. The affected functionality is not available to remote attackers in the default configuration since version V6.0 SP2 of Automation License Manager. Siemens has released an update for Automation License Manager V6 and recommends updating to the latest version. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: Combined Path Traversal and File Manipulation in Siemens Automation License Manager
## CVE Details
- **CVE ID:** CVE-2022-43513, CVE-2022-43514
- **CVSS Score:** 8.2 (High) - *Score reflects the chained impact of both flaws.*
- **CWE:**
  - CWE-73: External Control of File Name or Path
  - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
## Affected Systems
- **Products:** Siemens Automation License Manager (ALM)
- **Versions:**
  - ALM V5: All versions (No fix planned)
  - ALM V6: All versions prior to V6.0 SP9 Update 4
- **Configurations:** Systems where "Allow Remote Connections" is enabled (Note: This is disabled by default starting with V6.0 SP2).
## Vulnerability Description
The Automation License Manager contains two distinct flaws that can be chained together for high-impact exploitation:
1. **CVE-2022-43513:** Allows a remote, unauthenticated user to rename and move license files with SYSTEM privileges, because the component does not properly sanitize user-chosen input for file renaming operations.
2. **CVE-2022-43514:** A path traversal vulnerability in which the component fails to validate the root path during folder-related operations, allowing operations on files and folders located outside the intended directory.
When combined, an attacker can move/rename arbitrary files and perform directory operations outside the restricted license folder, potentially overwriting critical system files.
## Exploitation
- **Status:** PoC Available (Indicated by CVSS "E:P" / Proof-of-Concept)
- **Complexity:** Medium (High for CVE-2022-43514 independently; Low for CVE-2022-43513)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Ability to extract licenses and potentially access system files)
- **Integrity:** High (Ability to modify, rename, or overwrite arbitrary files as SYSTEM)
- **Availability:** Low (Potential for service disruption via file modification)
- **Overall:** Potential for Privilege Escalation and Remote Code Execution (RCE).
## Remediation
### Patches
- **Automation License Manager V6:** Update to **V6.0 SP9 Upd4** or later.
- **Automation License Manager V5:** No fix planned; users should migrate to a supported version or apply workarounds.
### Workarounds
- **Disable Remote Access:** Navigate to the ALM settings menu and disable "Allow Remote Connections."
- **Network Filtering:** If remote connections are required, restrict access to **TCP Port 4410** to only trusted/authorized source IP addresses.
- **General Hardening:** Follow Siemens’ operational guidelines for Industrial Security to protect network access.
## Detection
- **Indicators of Compromise:** Monitor for unusual file move or rename operations originating from the ALM process (running as SYSTEM), specifically targeting directories outside the standard license storage path.
- **Detection methods and tools:** Audit network logs for unsolicited traffic on port 4410/tcp from unauthorized hosts.
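As an added illustration (not from the advisory or from Siemens), the following Python checker applies the two detection ideas above to constructed event records: file renames by the ALM process whose source or destination resolves outside the license folder (including `..` traversal), and connections to 4410/tcp from hosts outside an allowlist. The ALM process name, the license folder path and the trusted network are assumptions to be replaced with your deployment's values.

```python
import ipaddress
import ntpath

# Assumed (not from the advisory): ALM process name and license folder; adjust to your site.
ALM_PROCESS = "almservice.exe"                 # placeholder process name
LICENSE_DIR = r"C:\ProgramData\ALM\Licenses"   # placeholder license store
ALM_PORT = 4410                                # port named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # constructed allowlist


def inside_dir(path, root):
    """True if the Windows path, after collapsing '..' segments, lies under root."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + ntpath.sep)


def check_file_event(ev):
    """Flag renames/moves by the ALM process whose source or destination leaves the license folder."""
    if ev["type"] != "file_rename" or ev.get("process", "").lower() != ALM_PROCESS:
        return None
    for key in ("src", "dst"):
        if not inside_dir(ev[key], LICENSE_DIR):
            return f"ALM rename ({key}) outside license dir: {ev[key]} user={ev['user']}"
    return None


def check_net_event(ev):
    """Flag inbound connections to the ALM port from hosts outside the allowlist."""
    if ev["type"] != "net_connect" or ev["dst_port"] != ALM_PORT:
        return None
    src = ipaddress.ip_address(ev["src_ip"])
    if any(src in net for net in TRUSTED_NETS):
        return None
    return f"unsolicited {ALM_PORT}/tcp connection from {ev['src_ip']}"


def scan(events):
    """Run both checks over every event and collect the alert messages."""
    return [m for ev in events for m in (check_file_event(ev), check_net_event(ev)) if m]


# Constructed sample events (not real telemetry): benign rename, traversal rename, trusted and untrusted connect.
SAMPLE_EVENTS = [
    {"type": "file_rename", "process": "almservice.exe", "user": "SYSTEM",
     "src": r"C:\ProgramData\ALM\Licenses\key1.lic",
     "dst": r"C:\ProgramData\ALM\Licenses\key1.bak"},
    {"type": "file_rename", "process": "almservice.exe", "user": "SYSTEM",
     "src": r"C:\ProgramData\ALM\Licenses\..\..\..\Windows\sysfile.dll",
     "dst": r"C:\ProgramData\ALM\Licenses\sysfile.dll"},
    {"type": "net_connect", "src_ip": "10.0.5.20", "dst_port": 4410},
    {"type": "net_connect", "src_ip": "203.0.113.7", "dst_port": 4410},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the traversal rename and the connection from the untrusted host.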
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-476715.pdf
- **Download Link:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/114358/
- **Siemens Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security