A vulnerability, which was classified as critical, was found in Siemens Automation License Manager up to 5.3 SP3 (Automation Software). This affects some unknown functionality of the component ALM Service. The manipulation with an unknown input leads to a sql injection vulnerability. CWE is classifying the issue as CWE-89. The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability.

The weakness was presented 10/13/2016 with Kaspersky Lab (Website). It is possible to read the advisory at securityfocus.com. This vulnerability is uniquely identified as CVE-2016-8564 since 10/07/2016. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK.

Applying the patch 5.3 SP3 Update 1 is able to eliminate this problem.It is possible to mitigate the weakness by firewalling tcp/4410. The best possible mitigation is suggested to be patching the affected component.

See 92702 and 92704 for similar entries.

Productinfo

Type

• Automation Software

Vendor

• Siemens

Name

• Automation License Manager

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion