
Siemens Automation License Manager almsrv64x.exe int64 Overflow Unauthenticated DoS

High

Synopsis

An int64 overflow vulnerability exists in Siemens Automation License Manager (ALM) almsrv64x.exe v602.1.0.1. An unauthenticated remote attacker can exploit it to crash the process.

almsrv64x.exe listens on TCP port 4410 by default and processes licensing messages having the following format:

// be = big endian
// (pseudo-C: the declarations are ordered so that each type is defined
// before it is used; data[size] denotes a run of `size` bytes, not a C array)

struct header
{
   be32 OrderCode; // order command code
   be32 OrderSize; // size of order (msg) data
};

struct body
{
   byte size[]; // data size encoded in variable number of bytes
                // size range                      encoded as
                // 0 - 0xfe                        b1
                // 0xff - 0xfffe                   ff b1 b2
                // 0xffff - 0xfffffffe             ff ff ff b1 b2 b3 b4
                // 0xffffffff - 0xffffffffffffffff ff ff ff ff ff ff ff b1 b2 b3 b4 b5 b6 b7 b8
   byte data[size]; // XML data
};

struct order_msg
{
   header hdr;
   body   bd;
};

almsrv64x.exe has a function to check if the body size is within the allocated buffer. If so, the function returns normally. Otherwise, an exception is thrown:

[...]
.text:00007FF7F6D83ED0  sub     rsp, 48h
.text:00007FF7F6D83ED4 rdx = size
.text:00007FF7F6D83ED4  add     rdx, [rcx+CSocketStream.pos] ; VULN: rdx = 0xffffffffffffffff ->
.text:00007FF7F6D83ED4                          ; int64 overflow
.text:00007FF7F6D83ED8  cmp     rdx, [rcx+CSocketStream.AllocSize]
.text:00007FF7F6D83EDC  ja      short loc_7FF7F6D83EE3
.text:00007FF7F6D83EDE  add     rsp, 48h
.text:00007FF7F6D83EE2  retn
.text:00007FF7F6D83EE3 ; ---------------------------------------------------------------------------
.text:00007FF7F6D83EE3
.text:00007FF7F6D83EE3 loc_7FF7F6D83EE3:        ; CODE XREF: CSocketStream_EnsureNbytesInBuf+C↑j
.text:00007FF7F6D83EE3  lea     rdx, aCmemstreamTrie_0 ; "CMemStream - tried to read behind buffe"...
.text:00007FF7F6D83EEA  lea     rcx, [rsp+48h+pExceptionObject]
.text:00007FF7F6D83EEF  call    sub_7FF7F6D52F90
.text:00007FF7F6D83EF4  lea     rdx, __TI3?AVout_of_range@std@@ ; pThrowInfo
.text:00007FF7F6D83EFB  lea     rcx, [rsp+48h+pExceptionObject] ; pExceptionObject
.text:00007FF7F6D83F00  call    _CxxThrowException
[...]

If the attacker specifies a body size of 0xffffffffffffffff, the addition pos + size in the check function wraps around (int64 overflow), so the comparison against AllocSize passes and the check is bypassed. The XML processing function is then told that the XML data is 0xffffffffffffffff bytes long, which can result in a memory read access violation, terminating the almsrv64x.exe process:

(318.19f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
rax=00000000fffffff7 rbx=ffffffffffffffff rcx=00007ff7f6d86f5e
rdx=0000000000000005 rsi=0000000000000000 rdi=000001e0e04e306f
rip=00007ff7f6d86e04 rsp=000000d9dc7fccd0 rbp=00000000ffffffff
 r8=0000000002488f91  r9=0000000002488f91 r10=0000000000000000
r11=000000d9dc7fcb60 r12=00007ff7f6b80000 r13=0000000000000005
r14=000000d9dc7fdc68 r15=0000000000000002
iopl=0         nv up ei pl nz ac pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
almsrv64x+0x206e04:
00007ff7`f6d86e04 410fbe0438      movsx   eax,byte ptr [r8+rdi] ds:000001e0`e296c000=??
[...]
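The following program is an added illustration, not Siemens code and not part of the original advisory. It decodes the variable-length body size field described above, then runs the bounds check in two forms: one written the way the disassembly computes it (pos + size compared against AllocSize, which wraps when size is 0xffffffffffffffff) and an overflow-safe form that compares size against the space remaining. The stream structure, function names and the two sample messages are constructed for the example; the sample messages are not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stream state, modelled on the CSocketStream fields (pos,
 * AllocSize) named in the disassembly. Not the vendor's type. */
typedef struct {
    const uint8_t *buf;
    uint64_t alloc_size;   /* bytes actually held in the buffer */
    uint64_t pos;          /* current read offset, always <= alloc_size */
} mem_stream;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode the variable-length body size field. The field is 1, 3, 7 or 15
 * bytes long: whenever a field of the current width is all 0xff, the width
 * doubles and the next field is read. Returns the number of bytes consumed,
 * or 0 if the input is truncated. */
size_t decode_body_size(const uint8_t *p, size_t avail, uint64_t *out)
{
    size_t off = 0;
    for (size_t width = 1; width <= 8; width *= 2) {
        if (avail - off < width)
            return 0;                    /* truncated size field */
        uint64_t v = 0;
        bool all_ff = true;
        for (size_t i = 0; i < width; i++) {
            v = (v << 8) | p[off + i];
            if (p[off + i] != 0xff)
                all_ff = false;
        }
        off += width;
        if (!all_ff || width == 8) {     /* 8-byte field is the final form */
            *out = v;
            return off;
        }
    }
    return 0;                            /* not reached */
}

/* Check written the way the advisory describes the binary's: pos + size is
 * formed first, so size = 0xffffffffffffffff wraps the sum to pos - 1 and
 * the comparison passes. */
bool ensure_bytes_vulnerable(const mem_stream *s, uint64_t size)
{
    return s->pos + size <= s->alloc_size;
}

/* Overflow-safe form: compare size against the remaining space. Because
 * pos <= alloc_size, the subtraction cannot wrap. */
bool ensure_bytes_fixed(const mem_stream *s, uint64_t size)
{
    return s->pos <= s->alloc_size && size <= s->alloc_size - s->pos;
}

typedef struct {
    uint32_t order_code;
    uint32_t order_size;
    uint64_t body_size;
    bool vulnerable_check_passed;
    bool fixed_check_passed;
} parse_result;

/* Parse the header and size field of one order message and run both checks
 * on the declared body size. Returns false if the message is too short. */
bool parse_order_msg(const uint8_t *msg, size_t len, parse_result *r)
{
    if (len < 8)
        return false;
    r->order_code = be32(msg);
    r->order_size = be32(msg + 4);
    size_t n = decode_body_size(msg + 8, len - 8, &r->body_size);
    if (n == 0)
        return false;
    mem_stream s = { msg, len, 8 + n };  /* data[] starts after the size field */
    r->vulnerable_check_passed = ensure_bytes_vulnerable(&s, r->body_size);
    r->fixed_check_passed = ensure_bytes_fixed(&s, r->body_size);
    return true;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t sample_benign[] = {
    0x00, 0x00, 0x00, 0x01,                   /* OrderCode = 1 */
    0x00, 0x00, 0x00, 0x05,                   /* OrderSize = 5 */
    0x04,                                     /* body size = 4 */
    '<', 'a', '/', '>'                        /* XML data */
};
const uint8_t sample_overflow[] = {
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x0f,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* escalate to the 8-byte form */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff /* size = 0xffffffffffffffff */
};

int main(void)
{
    parse_result r;
    const uint8_t *m[] = { sample_benign, sample_overflow };
    size_t l[] = { sizeof sample_benign, sizeof sample_overflow };
    for (int i = 0; i < 2; i++)
        if (parse_order_msg(m[i], l[i], &r))
            printf("size=0x%llx vulnerable_check=%d fixed_check=%d\n",
                   (unsigned long long)r.body_size,
                   r.vulnerable_check_passed, r.fixed_check_passed);
    return 0;
}
```

For the benign message both checks accept the 4-byte body; for the all-0xff size the wrapping check accepts it while the safe form rejects it, which is the distinction a reviewer would look for when auditing length checks that add an offset to an attacker-controlled size.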

Solution

A patch has been released for version 6.2. See the vendor advisory for details.

Disclosure Timeline

June 4, 2024 - Vulnerability discovered.
July 3, 2024 - Vulnerability disclosed.
July 22, 2024 - Sent follow-up email to confirm the disclosure was received.
August 14, 2024 - Received encrypted email from vendor confirming they are working on a fix.
September 10, 2024 - Received email, but couldn't decrypt it. Re-sent public key to Siemens.
September 12, 2024 - Received confirmation from vendor that the fix has been published.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2024-44087
Tenable Advisory ID: TRA-2024-39
CVSSv3 Base / Temporal Score:
8.6/7.7
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products:
Automation License Manager V5, V6.0, and V6.2
Risk Factor:
High

Advisory Timeline

9/12/2024 - Published