Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

NUCLEUS:13: 13 Vulnerabilities Found in Siemens Nucleus TCP/IP Stack

Thirteen new vulnerabilities have been discovered in the Nucleus TCP/IP stack used in potentially billions of devices.

Background

On November 9, Forescout Research published a report called NUCLEUS:13. The report details research they conducted into the Nucleus NET, the TCP/IP stack of the Siemens owned Nucleus real-time operating system (RTOS), where they found 13 new vulnerabilities. This research is the fifth report of PROJECT:MEMORIA. Prior reports include: INFRA:HALT, a joint project with Forescrout and JFrog Security Research detailing 14 vulnerabilities affecting the NicheStack TCP/IP stack; NAME:WRECK, which details nine vulnerabilities across four TCP/IP stacks, including six vulnerabilities in Nucleus NET; NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks and AMNESIA:33, which details 33 vulnerabilities across four TCP/IP stacks. According to the NUCLEUS:13 report and Siemens, the Nucleus RTOS is used in over 3 billion devices across a wide range of industries including automotive, healthcare and industrial applications.

Analysis

Exploitation of these vulnerabilities can result in remote code execution (RCE), information disclosure and denial-of-service (DoS). The 13 vulnerabilities include:

CVEAffected ComponentPotential ImpactCVSSv3
CVE-2021-31886FTP ServerRCE9.8
CVE-2021-31884DHCP ClientDoS, Out-of-bound reads/writes. Impact depends on how the client is implemented.8.8
CVE-2021-31887FTP ServerRCE8.8
CVE-2021-31888FTP ServerRCE8.8
CVE-2021-31346IP/ICMPInformation leak/DoS8.2
CVE-2021-31889TCP ServerDoS7.5
CVE-2021-31890TCP ServerDoS7.5
CVE-2021-31885TFTP ServerInformation Leak7.5
CVE-2021-31345UDPDoS, Information leak. Impact depends on how UDP is implemented.7.5
CVE-2021-31881DHCP ClientDoS7.1
CVE-2021-31883DHCP ClientDoS7.1
CVE-2021-31882DHCP ClientDoS6.5
CVE-2021-31344ICMPConfused Deputy5.3

FTP: Insecure by design

Four of the highest severity vulnerabilities (CVE-2021-31886, CVE-2021-31887, CVE-2021-31888, CVE-2021-31885) are the result of having a file transfer protocol (FTP) or trivial FTP (TFTP) server enabled. FTP is an insecure protocol which lacks encryption or secure authentication mechanisms. Typically found in legacy applications, FTP can open up an organization to significant risk.

Of these four, CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 can be exploited to achieve RCE. CVE-2021-31886, the most critical vulnerability, can be easily exploited by sending a crafted username via the FTP USER command. When the username exceeds the allocated buffer size, a stack-based buffer overflow occurs resulting in a potential device crash (DoS) or providing the attacker with the ability to control the execution flow to achieve RCE.

Thousands of potentially affected devices are publicly accessible

The official statement is that the Nucleus RTOS is used by over 3 billion devices. However, exact counts are hard to determine for TCP/IP stacks, as we’ve seen in the past. Forescout attempted to identify systems advertising banners that indicate the use of Nucleus FTP server or Nucleus RTOS with Shodan as shown in the image below.

Source: Forescout NUCLEUS:13 Report

Proof of concept

At the present time, no direct proof-of-concept (PoC) code exists for these vulnerabilities. However, the technical details in the report provide sufficient details for testing and exploiting some of the vulnerabilities, including CVE-2021-31886. In addition, Forescout has published a video demonstrating the impact of successful exploitation.

Due to the various implementations of the RTOS, it’s possible that not all attacks will have the same impact on the various devices running affected versions of Nucleus. Any PoC code or exploit scripts are likely to be context dependent.

Solution

At this time, Siemens, who owns Nucleus, has released patches for all of these vulnerabilities. Although the patches have been released, device manufacturers and vendors who have implemented the TCP/IP stack or RTOS will need to release updates for affected products. This could mean major delays in updating and securing these devices. Siemens Security Advisory SSA-044112 contains additional patching and remediation information. Additionally, Forescout offers some mitigation recommendations in its report.

Identifying affected systems

Tenable offers two plugins to help identify devices or applications running Nucleus RTOS or utilizing Nucleus NET. Plugin ID 149645 can be used to detect the FTP server used with the Nucleus NET TCP/IP stack. Plugin 62795 can be used to identify Nucleus Plus, the Nucleus RTOS.

Additional research is ongoing and a list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training