Thirteen vulnerabilities have been found to affect critical Siemens software libraries used in medical devices, automobiles and industrial systems.
Forescout Research Labs, with support from Medigate Labs, has discovered 13 new vulnerabilities affecting the Nucleus TCP/IP stack.
We refer to these vulnerabilities collectively as NUCLEUS:13. The newly discovered vulnerabilities allow remote code execution, denial of service, and information disclosure.
Nucleus is used in safety-critical devices such as anesthesia machines and patient monitors in healthcare. Forescout Research Labs is committed to assisting vendors in identifying affected products and sharing its findings with the cybersecurity community.
This set of vulnerabilities, named NUCLEUS:13, affects Nucleus NET, the TCP/IP stack of Nucleus, a real-time operating system owned by Siemens.
Nucleus NET runs on System-on-Chip (SoC) boards found in medical devices, automobiles, smartphones, Internet of Things devices, industrial PLCs, and more.
According to a report published by Forescout and Medigate Labs, the NUCLEUS:13 vulnerabilities can be used to hijack, crash, or compromise devices running older versions of the Nucleus RTOS.
According to the researchers, the most severe of these vulnerabilities is CVE-2021-31886, a remote code execution (RCE) issue that has received a rare severity rating of 9.8 out of 10.
ICS-CERT has published a security advisory to raise awareness of the NUCLEUS:13 vulnerabilities among U.S. organizations, and Siemens has released a security update to all customers through its private CERT portal.
Forescout has also released a proof of concept demo showing how to exploit the NUCLEUS:13 vulnerability to take over vulnerable devices.
As Dashevskyi points out in the video, the attacker only needs to have some kind of network connection to the vulnerable device, and it only takes a few seconds to execute the attack.
Details of the NUCLEUS:13 vulnerabilities are as follows:
CVE ID | Details | Affected component | Impact | CVSSv3.1 score |
---|---|---|---|---|
CVE-2021-31344 | An ICMP echo packet carrying a forged IP option can cause the stack to send an ICMP echo reply to any host on the network. | ICMP | Confused deputy | 5.3 |
CVE-2021-31345 | The total length of the UDP payload (set in the IP header) is not checked. Depending on the user-defined applications running over UDP, this may cause various side effects such as information leakage and denial of service. | UDP | Application-dependent | 7.5 |
CVE-2021-31346 | The total length of the ICMP payload set in the IP header is not checked. Depending on the configuration of network buffers in memory, this can cause various side effects such as information leakage and denial of service. | IP / ICMP | Information leak / DoS | 8.2 |
CVE-2021-31881 | When processing a DHCP OFFER message, the client application does not validate the length of the vendor option, resulting in a denial-of-service condition. | DHCP client | DoS | 7.1 |
CVE-2021-31882 | When processing DHCP ACK packets, the DHCP client application does not verify the length of the Domain Name Server IP option (0x06). This may result in a denial of service. | DHCP client | DoS | 6.5 |
CVE-2021-31883 | When processing a DHCP ACK message, the client application does not validate the length of the vendor option, resulting in a denial-of-service condition. | DHCP client | DoS | 7.1 |
CVE-2021-31884 | The DHCP client assumes that the data in the “hostname” option is NUL terminated. If a global hostname variable is not defined, this can cause out-of-bounds reads and writes and denial of service. | DHCP client | Application-dependent | 8.8 |
CVE-2021-31885 | By sending malformed TFTP commands, the contents of the TFTP server application’s memory buffer can be read. | TFTP server | Information leak | 7.5 |
CVE-2021-31886 | The FTP server does not properly validate the length of the “USER” command, resulting in a stack-based buffer overflow. This may result in denial of service or remote code execution. | FTP server | RCE | 9.8 |
CVE-2021-31887 | The FTP server does not properly validate the length of the “PWD/XPWD” command, resulting in a stack-based buffer overflow. This may result in denial of service or remote code execution. | FTP server | RCE | 8.8 |
CVE-2021-31888 | The FTP server does not properly validate the length of the “MKD/XMKD” command, resulting in a stack-based buffer overflow. This may result in denial of service or remote code execution. | FTP server | RCE | 8.8 |
CVE-2021-31889 | Malformed TCP packets with corrupted SACK options can cause information leakage and denial of service. | TCP server | DoS | 7.5 |
CVE-2021-31890 | The total length of the TCP payload set in the IP header is not checked. Depending on the configuration of network buffers in memory, this may cause various side effects such as information leakage and denial of service. | TCP server | DoS | 7.5 |
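Four of the entries above (CVE-2021-31881 through CVE-2021-31884) are missing length checks in the DHCP client's option parsing. As an added example, not code from Nucleus NET or Forescout, the function below walks a DHCP options field the way a hardened client should: every option length is checked against the bytes actually received, the DNS option must be a whole number of IPv4 addresses, and the hostname is copied with an explicit bound and terminated by the client rather than trusted to be NUL-terminated. The function name, HOSTNAME_MAX, and the status codes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not Nucleus NET code): bounds-checked DHCP option walk
 * covering the checks described as missing in CVE-2021-31881..31884. */
#define DHCP_OPT_PAD      0
#define DHCP_OPT_DNS      6    /* Domain Name Server: list of IPv4 addresses */
#define DHCP_OPT_HOSTNAME 12
#define DHCP_OPT_END      255
#define HOSTNAME_MAX      32   /* assumed size of the client's hostname buffer */

enum dhcp_status { DHCP_OK = 0, DHCP_ERR_TRUNCATED = -1, /* option overruns buffer */
                   DHCP_ERR_BAD_LEN = -2,               /* length breaks option's rules */
                   DHCP_ERR_NO_END = -3 };              /* no END (255) option seen */

/* Validates opts[0..len). Copies the hostname option, NUL-terminated, into
 * 'hostname' (left empty if absent) and counts DNS servers. Every read stays
 * inside the received buffer regardless of the lengths the server supplies. */
int dhcp_validate_options(const uint8_t *opts, size_t len,
                          char hostname[HOSTNAME_MAX], unsigned *dns_count)
{
    size_t i = 0;
    hostname[0] = '\0';
    *dns_count = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;            /* single-byte option */
        if (code == DHCP_OPT_END) return DHCP_OK;
        if (i >= len) return DHCP_ERR_TRUNCATED;       /* no length byte left */
        uint8_t olen = opts[i++];
        if (olen > len - i) return DHCP_ERR_TRUNCATED; /* value overruns buffer */
        switch (code) {
        case DHCP_OPT_DNS:       /* must hold one or more 4-byte addresses */
            if (olen == 0 || olen % 4 != 0) return DHCP_ERR_BAD_LEN;
            *dns_count += olen / 4;
            break;
        case DHCP_OPT_HOSTNAME:  /* never assume the value is NUL-terminated */
            if (olen == 0 || olen >= HOSTNAME_MAX) return DHCP_ERR_BAD_LEN;
            memcpy(hostname, opts + i, olen);
            hostname[olen] = '\0';
            break;
        default: break;          /* vendor (43) and others: generic check above */
        }
        i += olen;
    }
    return DHCP_ERR_NO_END;
}
```

The same pattern (a length read from the packet is only trusted after comparing it with the bytes actually received) is what the IP total-length entries in the table rely on as well.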
Countermeasures and mitigations for these vulnerabilities
To be fully protected against NUCLEUS:13, a patch must be applied to devices running the vulnerable version of Nucleus.
While Siemens has officially released a patch, equipment vendors using this software will need to provide their own updates to their customers.
Because embedded devices are mission critical, they are notoriously difficult to patch, but the following mitigations are recommended.
Discover and inventory the devices that Nucleus is running on.
Forescout Research Labs has released an open source script that uses active fingerprinting to detect devices running Nucleus. This script is constantly being updated with new signatures to keep up with the latest developments in our research.
Implement segmentation controls and practice proper network hygiene.
Reduce risk by restricting communication paths to the outside world and by quarantining or containing vulnerable devices within a zone until patches can be applied, or permanently where patches cannot or will not be applied.
Monitor vendor-released patches and develop remediation plans for the inventory of vulnerable assets, balancing business risk against business continuity requirements.
Monitor all network traffic for malicious packets attempting to take advantage of known vulnerabilities or zero-day possibilities. Anomalous or malicious traffic should be blocked, or at least the network operator should be alerted to its presence.
CVE | Affected component | Mitigation |
---|---|---|
CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888 | FTP / TFTP server | Disable FTP/TFTP if not needed, or whitelist the connections that require it. |
CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884 | DHCP client | Use a switch-based DHCP control mechanism: network switches that support the protocol can be configured to block DHCP responses from unauthorized servers. Firewalls can also be used to provide the same functionality. As a last resort, use a static IP address. |
CVE-2021-31344, CVE-2021-31345, CVE-2021-31346, CVE-2021-31889, CVE-2021-31890 | TCP / UDP / IP / ICMP | Monitor the traffic and block unauthorized packets. Placing vulnerable devices behind a properly configured firewall is sufficient. |