Details of VAR-201610-0038

ID

VAR-201610-0038

CVE

CVE-2016-8563

TITLE

Siemens Automation License Manager Service disruption in (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2016-005414

DESCRIPTION

Siemens Automation License Manager (ALM) before 5.3 SP3 Update 1 allows remote attackers to cause a denial of service (ALM service outage) via crafted packets to TCP port 4410. Siemens Automation License Manager (ALM) is a software that centrally manages license keys for various Siemens software products. An SQL-injection vulnerability 2. A directory-traversal vulnerability 3. A denial-of-service vulnerability An attacker may leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and create, delete or move arbitrary files from the system, or cause denial-of-service condition

Trust: 2.52

sources: NVD: CVE-2016-8563 // JVNDB: JVNDB-2016-005414 // CNVD: CNVD-2016-08772 // BID: 93553 // VULHUB: VHN-97383

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-08772

AFFECTED PRODUCTS

vendor:	siemens	model:	automation license manager	scope:	lte	version:	5.3	Trust: 1.0
vendor:	siemens	model:	automation license manager	scope:	eq	version:	5.3	Trust: 0.9
vendor:	siemens	model:	automation license manager	scope:	lt	version:	5.3 sp3 update 1	Trust: 0.8
vendor:	siemens	model:	automation license manager sp3 update	scope:	lt	version:	v5.31	Trust: 0.6
vendor:	siemens	model:	automation license manager	scope:	eq	version:	5.2	Trust: 0.3
vendor:	siemens	model:	automation license manager sp1	scope:	eq	version:	5.1	Trust: 0.3
vendor:	siemens	model:	automation license manager	scope:	eq	version:	5.1	Trust: 0.3
vendor:	siemens	model:	automation license manager	scope:	eq	version:	5.0	Trust: 0.3
vendor:	siemens	model:	automation license manager	scope:	eq	version:	4.0	Trust: 0.3
vendor:	siemens	model:	automation license manager sp3 update	scope:	ne	version:	5.31	Trust: 0.3

sources: CNVD: CNVD-2016-08772 // BID: 93553 // JVNDB: JVNDB-2016-005414 // CNNVD: CNNVD-201610-423 // NVD: CVE-2016-8563

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-8563
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-8563
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-08772
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201610-423
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-97383
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-8563
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-08772
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-97383
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-8563
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-08772 // VULHUB: VHN-97383 // JVNDB: JVNDB-2016-005414 // CNNVD: CNNVD-201610-423 // NVD: CVE-2016-8563

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-97383 // JVNDB: JVNDB-2016-005414 // NVD: CVE-2016-8563

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-423

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201610-423

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005414

PATCH

title:	SSA-284342	url:	http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-284342.pdf	Trust: 0.8
title:	Siemens Automation License Manager patches for denial of service vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/82266	Trust: 0.6
title:	Siemens Automation License Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64799	Trust: 0.6

sources: CNVD: CNVD-2016-08772 // JVNDB: JVNDB-2016-005414 // CNNVD: CNNVD-201610-423

EXTERNAL IDS

db:	NVD	id:	CVE-2016-8563	Trust: 3.4
db:	SIEMENS	id:	SSA-284342	Trust: 2.3
db:	ICS CERT	id:	ICSA-16-287-02	Trust: 2.2
db:	BID	id:	93553	Trust: 1.4
db:	SECTRACK	id:	1037011	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-005414	Trust: 0.8
db:	CNNVD	id:	CNNVD-201610-423	Trust: 0.7
db:	CNVD	id:	CNVD-2016-08772	Trust: 0.6
db:	VULHUB	id:	VHN-97383	Trust: 0.1

sources: CNVD: CNVD-2016-08772 // VULHUB: VHN-97383 // BID: 93553 // JVNDB: JVNDB-2016-005414 // CNNVD: CNNVD-201610-423 // NVD: CVE-2016-8563

REFERENCES

url:	http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-284342.pdf	Trust: 2.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-16-287-02	Trust: 2.2
url:	http://www.securityfocus.com/bid/93553	Trust: 1.1
url:	http://www.securitytracker.com/id/1037011	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8563	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8563	Trust: 0.8
url:	https://support.industry.siemens.com/cs/document/114358/automation-license-manager-(alm)-authorsw-and-authors-handling-programs-and-authorizing-and-licensing-simatic-industry-software?dti=0&lc=en-ww	Trust: 0.3

sources: CNVD: CNVD-2016-08772 // VULHUB: VHN-97383 // BID: 93553 // JVNDB: JVNDB-2016-005414 // CNNVD: CNNVD-201610-423 // NVD: CVE-2016-8563

CREDITS

Sergey Temnikov and Vladimir Dashchenko from Critical Infrastructure Defence Team, Kaspersky Lab.

Trust: 0.3

sources: BID: 93553

SOURCES

db:	CNVD	id:	CNVD-2016-08772
db:	VULHUB	id:	VHN-97383
db:	BID	id:	93553
db:	JVNDB	id:	JVNDB-2016-005414
db:	CNNVD	id:	CNNVD-201610-423
db:	NVD	id:	CVE-2016-8563

LAST UPDATE DATE

2025-04-13T23:36:20.321000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-08772	date:	2016-10-13T00:00:00
db:	VULHUB	id:	VHN-97383	date:	2017-07-29T00:00:00
db:	BID	id:	93553	date:	2016-10-26T05:07:00
db:	JVNDB	id:	JVNDB-2016-005414	date:	2016-10-20T00:00:00
db:	CNNVD	id:	CNNVD-201610-423	date:	2016-10-14T00:00:00
db:	NVD	id:	CVE-2016-8563	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-08772	date:	2016-10-13T00:00:00
db:	VULHUB	id:	VHN-97383	date:	2016-10-13T00:00:00
db:	BID	id:	93553	date:	2016-10-13T00:00:00
db:	JVNDB	id:	JVNDB-2016-005414	date:	2016-10-20T00:00:00
db:	CNNVD	id:	CNNVD-201610-423	date:	2016-10-14T00:00:00
db:	NVD	id:	CVE-2016-8563	date:	2016-10-13T10:59:03.190