Siemens License Manager Vulnerabilities Allow ICS Hacking

The Siemens Automation License Manager is affected by two serious vulnerabilities that could be chained to hack industrial control systems (ICS), according to industrial cybersecurity firm Otorio. 

On January 10, Siemens released its first round of Patch Tuesday updates for 2023, addressing a total of 20 vulnerabilities affecting the company’s products. 

One of the six advisories published at the time describes two high-severity security holes discovered by a researcher from Otorio in the Siemens Automation License Manager (ALM), which is designed for centrally managing license keys for Siemens software.

One of the flaws, tracked as CVE-2022-43513, can allow a remote, unauthenticated attacker to rename and move license files as a System user. 

The second issue, CVE-2022-43514, allows a remote, unauthenticated attacker to execute operations on files outside the specified root folder. Chaining the two vulnerabilities can lead to remote code execution, Siemens said.

In a blog post published on Tuesday, Otorio explained that most of Siemens’ software products use the ALM by default for license management. This means the vulnerabilities impact organizations that use one of many Siemens products, including the Simatic PCS 7 historian, the Sicam Device Manager, WinCC, TIA Portal, and the DIGSI engineering tool.

According to Otorio, an attacker who has gained access to the targeted organization’s operational technology (OT) network, even with limited permissions, could exploit the vulnerabilities to fully compromise the OT network.

“For example, the PCS 7 Historian, which is used as a repository for industrial process data, can be used as a ‘bridge’ for an attacker to propagate from the corporate network into the OT network. Once an attacker breaches the Historian server, one can potentially gain access to engineering, control, and monitoring systems,” explained Eran Jacob, research team leader at Otorio. 

“An attack could take place not only from the enterprise network. For example, any compromised station with minimal privileges in the network, such as a thin client computer that has access to one of the Siemens servers, could lead to a full compromise of the network,” Jacob added.

Siemens has released an update that should fix the flaws in ALM 6, but the company currently does not plan on releasing a patch for version 5. Workarounds and mitigations are also available. 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
