CVE-2011-4529
Published 2012-01-08
Priority: P3 50 | high | CVSS 2.0: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 7.16% (93.5th percentile)
Multiple buffer overflows in Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allow remote attackers to execute arbitrary code via a long serialid field in an _licensekey command, as demonstrated by the (1) check_licensekey or (2) read_licensekey command.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | automation_license_manager | <= 5.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for oversized `serialid` field values in `_licensekey` family commands (check_licensekey, read_licensekey) sent over TCP port 4410 to the ALM service; these indicate buffer overflow exploitation attempts.
- Alert on any network traffic to TCP port 4410 from untrusted/external sources; ALM should only be reachable from trusted internal hosts.
- Detect loading or instantiation of the ActiveX CLSID E57AF4A2-EF57-41D0-8512-FECDA78F1FE7 (ALMListView.ALMListCtrl) from Internet Explorer, which may indicate exploitation of the improper input validation / file overwrite vulnerability.
- Monitor for get_target_ocx_param and send_target_ocx_param commands on TCP 4410, which trigger a NULL pointer dereference (CVE-2011-4531) and can cause denial of service.
- The buffer overflow affects ALM versions 4.0 through 5.1+SP1+Upd1 only; the improper input validation (ActiveX) vulnerability has a wider affected range of versions 2.0 through 5.1+SP1+Upd2.
- On some systems the NULL pointer and exception conditions do not cause immediate denial of service but leave thread resources active, so absence of a crash does not confirm the system is unaffected.
- The file-overwrite primitive via the almaxcx.dll Save method writes only 2 bytes (\r\n); code execution via content control was not confirmed by the researcher.
CISA ICS
Siemens Automation License Manager Vulnerabilities
cisa_ics·2011-12-02
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-11-361-01
## Overview
This Advisory is a follow-up to the original Alert titled “ICS-ALERT-11-332-01A—Siemens Automation License Manager Vulnerabilities” that was published December 02, 2011, on the ICS-CERT web page.
ICS-CERT is aware of publicly disclosed reports of four vulnerabilities in the Siemens Automation License Manager (ALM) application. These vulnerabilities include:
- Buffer overflow
- Exception
- Null pointer
- Improper input validation.
Independent researcher Luigi A
GHSA
GHSA-5f2r-rx93-xgcp: Multiple buffer overflows in Siemens Automation License Manager (ALM) 4
ghsa_unreviewed·2022-05-17
CVE-2011-4529 [HIGH] CWE-119 GHSA-5f2r-rx93-xgcp: Multiple buffer overflows in Siemens Automation License Manager (ALM) 4
Multiple buffer overflows in Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allow remote attackers to execute arbitrary code via a long serialid field in an _licensekey command, as demonstrated by the (1) check_licensekey or (2) read_licensekey command.
- http://aluigi.altervista.org/adv/almsrvx_1-adv.txt
- http://support.automation.siemens.com/WW/llisapi.dll/57252401?func=ll&objId=57252401&objAction=csView&nodeid0=17323948&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&load=content
- http://support.automation.siemens.com/WW/view/en/114358
- http://www.us-cert.gov/control_systems/pdf/ICSA-11-361-01.pdf