CVE-2024-44087: Siemens License Manager DoS Vulnerability

CVE-2024-44087 Overview

CVE-2024-44087 is an integer overflow vulnerability [CWE-190] in Siemens Automation License Manager (ALM). The flaw exists in the network packet parser listening on TCP port 4410. Affected applications fail to properly validate certain fields in incoming network packets. An unauthenticated remote attacker can trigger the overflow to crash the service. The crash creates a denial of service condition that prevents downstream Siemens products from completing license verification, blocking legitimate users from operating dependent applications.

Critical Impact

Remote unauthenticated attackers can crash the Automation License Manager over the network, disrupting any Siemens product that depends on it for license validation.

Affected Products

• Siemens Automation License Manager V5 (all versions)
• Siemens Automation License Manager V6.0 (versions prior to V6.0 SP12 Upd3)
• Siemens Automation License Manager V6.2 (versions prior to V6.2 Upd3)

Discovery Timeline

• 2024-09-10 - CVE-2024-44087 published to the National Vulnerability Database
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-44087

Vulnerability Analysis

The Automation License Manager exposes a network service on TCP port 4410 to handle license queries from Siemens engineering and runtime products. The service parses incoming packets containing length and size fields used to allocate buffers and iterate over packet contents. Because these fields are not properly validated, an attacker-controlled value can wrap around the maximum representable integer.

When the arithmetic wraps, subsequent allocations or loop bounds reference memory in inconsistent states. The application accesses invalid memory and terminates. Because the listener accepts traffic without authentication, any network-reachable attacker can repeatedly crash the process. Downstream Siemens TIA Portal, WinCC, Step 7, and similar products that consult ALM for licensing then fail to start or operate.

Root Cause

The root cause is missing bounds validation on size-related fields in the ALM network protocol parser. Untrusted input flows into integer arithmetic that controls memory operations, satisfying the classic integer overflow pattern catalogued under [CWE-190]. Siemens addresses the issue in V6.0 SP12 Upd3 and V6.2 Upd3 by adding input validation. V5 receives no fix and reaches end of support.

Attack Vector

Exploitation requires only TCP reachability to port 4410 on the host running ALM. The attacker sends a single crafted packet with manipulated length or count fields. No credentials, user interaction, or prior foothold are required. Repeating the packet sustains the denial of service. Because ALM is commonly deployed on operator workstations and engineering stations within OT networks, exposure inside flat industrial networks is significant.

The vulnerability does not yield code execution or data disclosure based on the vendor description. Impact is confined to availability of the license manager and any dependent Siemens products.

No public proof-of-concept code is available. See the Siemens Security Advisory SSA-103653 for vendor technical details.

Detection Methods for CVE-2024-44087

Indicators of Compromise

• Unexpected termination of the almsrv*.exe or alm.exe process on hosts running Automation License Manager
• Siemens engineering or runtime products reporting license verification failures shortly after a TCP connection to port 4410 from an external source
• Repeated short-lived inbound connections to TCP/4410 from unauthorized hosts
• Application or Windows event log entries indicating ALM service crashes and automatic restarts

Detection Strategies

• Monitor TCP/4410 traffic for connections originating outside the authorized engineering subnet
• Alert on ALM process crashes and service restarts correlated with inbound TCP/4410 sessions
• Inspect packet sizes and field values on port 4410 using deep packet inspection capable of decoding the ALM protocol
• Baseline normal ALM client populations and flag new source IPs querying the license service

Monitoring Recommendations

• Forward Windows application and system event logs from ALM hosts to a central SIEM for crash correlation
• Capture NetFlow or full packet capture on segments hosting ALM to support post-incident analysis
• Track license verification failures across dependent Siemens products as a secondary signal of upstream ALM disruption

How to Mitigate CVE-2024-44087

Immediate Actions Required

• Upgrade Automation License Manager V6.0 to V6.0 SP12 Upd3 or later
• Upgrade Automation License Manager V6.2 to V6.2 Upd3 or later
• Migrate any V5 deployments to a supported V6 branch, since V5 receives no fix
• Restrict inbound access to TCP/4410 to known engineering workstations using host and network firewalls

Patch Information

Siemens released fixed versions V6.0 SP12 Upd3 and V6.2 Upd3 that add validation to the affected network packet fields. Apply the updates on every host running ALM, including standalone license servers and workstations where ALM is bundled with engineering software. Refer to Siemens Security Advisory SSA-103653 for download locations and product-specific guidance.

Workarounds

• Block TCP/4410 at the perimeter and between OT cells, allowing the port only from authenticated license clients
• Place ALM hosts behind a jump server and require VPN access for remote license consumers
• Follow Siemens operational guidelines for industrial security, including network segmentation per IEC 62443
• Disable the ALM network listener on hosts that only require local license checks, where supported by the product configuration

# Example Windows Firewall rule restricting ALM port 4410 to a trusted subnet
netsh advfirewall firewall add rule ^
    name="ALM-4410-Restrict" ^
    dir=in protocol=TCP localport=4410 ^
    remoteip=10.20.30.0/24 ^
    action=allow

netsh advfirewall firewall add rule ^
    name="ALM-4410-BlockAll" ^
    dir=in protocol=TCP localport=4410 ^
    action=block