Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

NUCLEUS:13: 13 Vulnerabilities Found in Siemens Nucleus TCP/IP Stack

Thirteen new vulnerabilities have been discovered in the Nucleus TCP/IP stack used in potentially billions of devices.

Background

On November 9, Forescout Research published a report called NUCLEUS:13. The report details research they conducted into the Nucleus NET, the TCP/IP stack of the Siemens owned Nucleus real-time operating system (RTOS), where they found 13 new vulnerabilities. This research is the fifth report of PROJECT:MEMORIA. Prior reports include: INFRA:HALT, a joint project with Forescrout and JFrog Security Research detailing 14 vulnerabilities affecting the NicheStack TCP/IP stack; NAME:WRECK, which details nine vulnerabilities across four TCP/IP stacks, including six vulnerabilities in Nucleus NET; NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks and AMNESIA:33, which details 33 vulnerabilities across four TCP/IP stacks. According to the NUCLEUS:13 report and Siemens, the Nucleus RTOS is used in over 3 billion devices across a wide range of industries including automotive, healthcare and industrial applications.

Analysis

Exploitation of these vulnerabilities can result in remote code execution (RCE), information disclosure and denial-of-service (DoS). The 13 vulnerabilities include:

CVEAffected ComponentPotential ImpactCVSSv3
CVE-2021-31886FTP ServerRCE9.8
CVE-2021-31884DHCP ClientDoS, Out-of-bound reads/writes. Impact depends on how the client is implemented.8.8
CVE-2021-31887FTP ServerRCE8.8
CVE-2021-31888FTP ServerRCE8.8
CVE-2021-31346IP/ICMPInformation leak/DoS8.2
CVE-2021-31889TCP ServerDoS7.5
CVE-2021-31890TCP ServerDoS7.5
CVE-2021-31885TFTP ServerInformation Leak7.5
CVE-2021-31345UDPDoS, Information leak. Impact depends on how UDP is implemented.7.5
CVE-2021-31881DHCP ClientDoS7.1
CVE-2021-31883DHCP ClientDoS7.1
CVE-2021-31882DHCP ClientDoS6.5
CVE-2021-31344ICMPConfused Deputy5.3

FTP: Insecure by design

Four of the highest severity vulnerabilities (CVE-2021-31886, CVE-2021-31887, CVE-2021-31888, CVE-2021-31885) are the result of having a file transfer protocol (FTP) or trivial FTP (TFTP) server enabled. FTP is an insecure protocol which lacks encryption or secure authentication mechanisms. Typically found in legacy applications, FTP can open up an organization to significant risk.

Of these four, CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 can be exploited to achieve RCE. CVE-2021-31886, the most critical vulnerability, can be easily exploited by sending a crafted username via the FTP USER command. When the username exceeds the allocated buffer size, a stack-based buffer overflow occurs resulting in a potential device crash (DoS) or providing the attacker with the ability to control the execution flow to achieve RCE.

Thousands of potentially affected devices are publicly accessible

The official statement is that the Nucleus RTOS is used by over 3 billion devices. However, exact counts are hard to determine for TCP/IP stacks, as we’ve seen in the past. Forescout attempted to identify systems advertising banners that indicate the use of Nucleus FTP server or Nucleus RTOS with Shodan as shown in the image below.

Source: Forescout NUCLEUS:13 Report

Proof of concept

At the present time, no direct proof-of-concept (PoC) code exists for these vulnerabilities. However, the technical details in the report provide sufficient details for testing and exploiting some of the vulnerabilities, including CVE-2021-31886. In addition, Forescout has published a video demonstrating the impact of successful exploitation.

Due to the various implementations of the RTOS, it’s possible that not all attacks will have the same impact on the various devices running affected versions of Nucleus. Any PoC code or exploit scripts are likely to be context dependent.

Solution

At this time, Siemens, who owns Nucleus, has released patches for all of these vulnerabilities. Although the patches have been released, device manufacturers and vendors who have implemented the TCP/IP stack or RTOS will need to release updates for affected products. This could mean major delays in updating and securing these devices. Siemens Security Advisory SSA-044112 contains additional patching and remediation information. Additionally, Forescout offers some mitigation recommendations in its report.

Identifying affected systems

Tenable offers two plugins to help identify devices or applications running Nucleus RTOS or utilizing Nucleus NET. Plugin ID 149645 can be used to detect the FTP server used with the Nucleus NET TCP/IP stack. Plugin 62795 can be used to identify Nucleus Plus, the Nucleus RTOS.

Additional research is ongoing and a list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.