Full Report
A vulnerability was identified in the Automation License Manager software before V5.2 that could be triggered by sending specially crafted packets to port 4410/tcp of an affected system. This could cause a denial of service, preventing legitimate users from using the system. Siemens has released a new version of Automation License Manager and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Denial of Service in Siemens Automation License Manager (ALM)
## CVE Details
- **CVE ID:** CVE-2012-4691
- **CVSS Score:** 8.6 (High) [v3.1] / 9.2 (Critical) [v4.0]
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** Siemens Automation License Manager (ALM)
- **Versions:** All versions from V4.0 up to (but not including) V5.2.
- **Configurations:** Systems where port 4410/tcp is accessible and "Allow Remote Connections" is enabled.
## Vulnerability Description
The vulnerability is a memory leak flaw triggered by processing specially crafted packets sent to port 4410/tcp. Because the application fails to properly manage memory resources when handling these requests, a remote unauthenticated attacker can exhaust system resources, leading to an application crash. This results in a Denial of Service (DoS) that prevents legitimate users from utilizing software products that depend on ALM for license verification.
## Exploitation
- **Status:** The advisory does not explicitly confirm PoC availability or exploitation in the wild; the issue has been documented since 2012.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Prevents use of the license manager and dependent industrial software).
## Remediation
### Patches
- **Update to ALM V5.2 or later:** Siemens recommends upgrading to the latest version to resolve the flaw.
- **Download Link:** hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/114358/
### Workarounds
- **Disable Remote Connections:** In the ALM settings menu, uncheck "Allow Remote Connections" if remote licensing is not required.
- **Access Control:** Restrict access to port 4410/tcp strictly to trusted systems only.
- **Firewall Configuration:** Ensure the Windows Firewall blocks port 4410/tcp for all networks except the local subnet (default Windows Firewall behavior).
## Detection
- **Indicators of Compromise:** Unexpected crashing of the `sirlicense.exe` service (or associated ALM processes), exhaustion of system RAM, and failure of Siemens software to validate licenses.
- **Detection methods and tools:** Monitor network traffic for unusual or malformed packets directed at port 4410/tcp. Use endpoint monitoring to track memory usage spikes associated with the Automation License Manager.
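
The endpoint-monitoring idea above can be sketched as a trend check over periodic memory samples of the ALM process. This is an added example, not code from Siemens or the advisory: the sample data is constructed, the collector that produces the samples is not shown, and the `window` and `max_slope` thresholds are assumptions to tune per site.

```python
from statistics import mean

ALM_PROCESS = "sirlicense.exe"  # process name as given in the Detection section

# Constructed samples: (seconds since start, pid, private memory in MiB).
# BASELINE jitters around 48 MiB; LEAKING grows 9 MiB/min, then the PID
# changes (crash and service restart) and the growth resumes.
BASELINE = [(t * 60, 1432, 48 + (t % 3)) for t in range(30)]
LEAKING = ([(t * 60, 1432, 48 + 9 * t) for t in range(20)] +
           [(t * 60, 2210, 47 + 9 * (t - 20)) for t in range(20, 30)])

def slope_mib_per_min(samples):
    """Least-squares slope of memory over time, in MiB per minute."""
    xs = [t / 60 for t, _, _ in samples]
    ys = [m for _, _, m in samples]
    mx, my = mean(xs), mean(ys)
    denom = sum((x - mx) ** 2 for x in xs)
    if denom == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / denom

def analyze(samples, window=10, max_slope=2.0):
    """Return (time, kind) alerts: 'growth' for sustained memory increase
    within one process instance, 'restart' when the PID changes."""
    alerts = []
    for i in range(1, len(samples)):
        t, pid, _ = samples[i]
        if pid != samples[i - 1][1]:
            alerts.append((t, "restart"))
            continue
        # Only compare samples from the same process instance.
        run = [s for s in samples[max(0, i - window + 1): i + 1] if s[1] == pid]
        if len(run) == window and slope_mib_per_min(run) > max_slope:
            # Suppress repeats until a different event intervenes.
            if not alerts or alerts[-1][1] != "growth":
                alerts.append((t, "growth"))
    return alerts

if __name__ == "__main__":
    for name, data in (("baseline", BASELINE), ("leaking", LEAKING)):
        print(ALM_PROCESS, name, analyze(data))
```

A "growth" alert followed by a "restart" matches the leak-then-crash pattern described under Vulnerability Description and is worth correlating with inbound connections to 4410/tcp in the same interval.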
## References
- **Siemens Advisory (SSA-783261):** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-783261[.]pdf
- **Industrial Security Guidelines:** hxxps[://]www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/cert/advisories