CVE-2024-44087
📋 TL;DR
An integer overflow vulnerability in Siemens Automation License Manager allows unauthenticated remote attackers to crash the application via specially crafted network packets on port 4410/tcp. This denial of service prevents legitimate users from accessing products that rely on this license verification service. All users of affected Automation License Manager versions are vulnerable.
💻 Affected Systems
- Siemens Automation License Manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for all products relying on license verification, potentially halting industrial operations until service is restored.
Likely Case
Service disruption causing temporary unavailability of licensed software features in industrial environments.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external exploitation.
🎯 Exploit Status
The vulnerability requires sending malformed packets to port 4410, which is relatively straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V6.0 SP12 Upd3, V6.2 Upd3
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-103653.html
Restart Required: Yes
Instructions:
1. Download the appropriate update from Siemens Industrial Security. 2. Stop the Automation License Manager service. 3. Install the update. 4. Restart the service. 5. Verify the version is updated.
🔧 Temporary Workarounds
Network Segmentation
allRestrict access to port 4410/tcp using firewall rules to only trusted systems.
Windows Firewall: New-NetFirewallRule -DisplayName "Block ALM Port" -Direction Inbound -LocalPort 4410 -Protocol TCP -Action Block
Linux iptables: iptables -A INPUT -p tcp --dport 4410 -j DROP
Service Isolation
allRun Automation License Manager on a dedicated server with minimal network exposure.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to port 4410/tcp to only absolutely necessary systems.
- Monitor for unusual traffic patterns or repeated connection attempts to port 4410 and implement rate limiting where possible.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Automation License Manager against affected versions. If using V5, V6.0 < SP12 Upd3, or V6.2 < Upd3, the system is vulnerable.Check Version:
Check via Siemens Automation License Manager interface or registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Siemens\Automation\License Manager\VersionVerify Fix Applied:
Verify the version is V6.0 SP12 Upd3 or V6.2 Upd3 or later. Test service functionality and monitor for crashes.📡 Detection & Monitoring
Log Indicators:
- Application crash logs from Automation License Manager
- Windows Event Logs showing service termination (Event ID 7034)
Network Indicators:
- Unusual traffic patterns to port 4410/tcp
- Multiple connection attempts from single sources
SIEM Query:
source="windows" AND (event_id=7034 AND process_name="*license*manager*") OR (destination_port=4410 AND protocol="tcp" AND bytes_sent>1000)