Independent researcher Luigi Auriemma publicly disclosed the vulnerabilities – buffer overflow, exception, null pointer, and improper input validation – without coordination with Siemens, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), or other coordinating entity, according to an ICS-CERT advisory.
The ALM application centrally manages licenses for various Siemens products, which contact ALM either locally or remotely to verify their license. This software is used in the food and beverage, water and wastewater, oil and gas, and chemical industries.
Siemens software products that include ALM Version 4.0 to 5.1+SP1+Upd1 are affected by the buffer overflow, exception, and null pointer vulnerabilities, and ALM Version 2.0 to 5.1+SP1+Upd2 are affected by the improper input validation vulnerability.
Siemens has confirmed these vulnerabilities, which can be exploited remotely, and released a patch to address the issue; ICS-CERT has not validated the patch.
The advisory explained that crafting a working exploit for these vulnerabilities requires a moderate skill level, and social engineering is required to exploit the improper input validation vulnerability.