Security-relevant vulnerabilities have been found in older versions of the ALM (>= V4.0). If deliberately manipulated, they can adversely affect the availability of the licensing service. In certain situations, a targeted attack might also result in foreign program code being executed.
If an older ALM version is in use, we therefore recommend installing the update of the Automation License Manager at the earliest opportunity. The update can be downloaded at the following link:
Entry ID 114358
If updating the ALM is currently - or generally - not possible, the following protective measures should be reviewed and implemented accordingly:
- Restrict or block ALM communication (standard port 4410/TCP) at network boundaries to or between production areas by means of suitable security measures such as firewalls.
- Deactivate remote access to the ALM service on systems that do not operate as license servers (e.g. providing floating licenses for other systems). This option can be found in the ALM settings on the "Connection" tab.
- Avoid opening websites from unknown or untrustworthy sources in Internet Explorer.
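The following is an added example for the first measure and is not part of the original advisory: it evaluates a first-match firewall ruleset and reports flows that can still reach 4410/TCP from sources that are not approved license clients, including the case where a broad port range silently covers the ALM port. The ruleset, addresses, zone labels and function names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

ALM_PORT = 4410  # standard ALM port named in the advisory

# Constructed sample ruleset, first match wins (addresses are assumptions).
# (action, source network, destination network, (port_low, port_high))
RULES = [
    ("permit", "10.10.5.0/24", "10.20.0.10/32", (4410, 4410)),  # engineering -> license server
    ("permit", "10.30.0.0/16", "10.20.0.0/16", (4000, 5000)),   # broad range, also covers 4410
    ("deny",   "0.0.0.0/0",    "10.20.0.0/16", (4410, 4410)),   # explicit ALM block
    ("permit", "0.0.0.0/0",    "0.0.0.0/0",    (443, 443)),
]

# Constructed flows to check: (label, source address, destination address)
FLOWS = [
    ("engineering client", "10.10.5.20", "10.20.0.10"),
    ("office PC", "10.30.4.7", "10.20.0.10"),
    ("external host", "203.0.113.9", "10.20.0.10"),
    ("engineering to other station", "10.10.5.20", "10.20.0.55"),
]

def decide(rules, src, dst, port=ALM_PORT, default="deny"):
    """Return (action, rule_index) of the first rule matching the flow."""
    s, d = ip_address(src), ip_address(dst)
    for i, (action, src_net, dst_net, (lo, hi)) in enumerate(rules):
        if s in ip_network(src_net) and d in ip_network(dst_net) and lo <= port <= hi:
            return action, i
    return default, None  # nothing matched: implicit default action

def exposed_flows(rules, flows, allowed_sources):
    """Flows permitted to the ALM port from sources that are not approved clients."""
    findings = []
    for label, src, dst in flows:
        action, idx = decide(rules, src, dst)
        approved = any(ip_address(src) in ip_network(n) for n in allowed_sources)
        if action == "permit" and not approved:
            findings.append((label, idx))
    return findings

if __name__ == "__main__":
    for label, idx in exposed_flows(RULES, FLOWS, ["10.10.5.0/24"]):
        print(f"ALM port reachable: {label} (permitted by rule {idx})")
```

Because evaluation stops at the first match, the explicit deny in rule 2 never sees the office PC flow; the range rule above it has to be narrowed or the deny moved ahead of it.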
You can find more security measures as well as general information on the subject of industrial security at www.siemens.com/industrialsecurity