
Tenable Blog


NUCLEUS:13: 13 Vulnerabilities Found in Siemens Nucleus TCP/IP Stack

Thirteen new vulnerabilities have been discovered in the Nucleus TCP/IP stack used in potentially billions of devices.

Background

On November 9, Forescout Research published a report called NUCLEUS:13. The report details their research into Nucleus NET, the TCP/IP stack of the Siemens-owned Nucleus real-time operating system (RTOS), in which they found 13 new vulnerabilities. This research is the fifth report of PROJECT:MEMORIA. Prior reports include: INFRA:HALT, a joint project between Forescout and JFrog Security Research detailing 14 vulnerabilities affecting the NicheStack TCP/IP stack; NAME:WRECK, which details nine vulnerabilities across four TCP/IP stacks, including six vulnerabilities in Nucleus NET; NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks; and AMNESIA:33, which details 33 vulnerabilities across four TCP/IP stacks. According to the NUCLEUS:13 report and Siemens, the Nucleus RTOS is used in over 3 billion devices across a wide range of industries including automotive, healthcare and industrial applications.

Analysis

Exploitation of these vulnerabilities can result in remote code execution (RCE), information disclosure and denial-of-service (DoS). The 13 vulnerabilities include:

| CVE | Affected Component | Potential Impact | CVSSv3 |
|---|---|---|---|
| CVE-2021-31886 | FTP Server | RCE | 9.8 |
| CVE-2021-31884 | DHCP Client | DoS, Out-of-bound reads/writes. Impact depends on how the client is implemented. | 8.8 |
| CVE-2021-31887 | FTP Server | RCE | 8.8 |
| CVE-2021-31888 | FTP Server | RCE | 8.8 |
| CVE-2021-31346 | IP/ICMP | Information leak/DoS | 8.2 |
| CVE-2021-31889 | TCP Server | DoS | 7.5 |
| CVE-2021-31890 | TCP Server | DoS | 7.5 |
| CVE-2021-31885 | TFTP Server | Information Leak | 7.5 |
| CVE-2021-31345 | UDP | DoS, Information leak. Impact depends on how UDP is implemented. | 7.5 |
| CVE-2021-31881 | DHCP Client | DoS | 7.1 |
| CVE-2021-31883 | DHCP Client | DoS | 7.1 |
| CVE-2021-31882 | DHCP Client | DoS | 6.5 |
| CVE-2021-31344 | ICMP | Confused Deputy | 5.3 |

FTP: Insecure by design

Four of the highest severity vulnerabilities (CVE-2021-31886, CVE-2021-31887, CVE-2021-31888, CVE-2021-31885) are the result of having a file transfer protocol (FTP) or trivial FTP (TFTP) server enabled. FTP is an insecure protocol which lacks encryption or secure authentication mechanisms. Typically found in legacy applications, FTP can open up an organization to significant risk.

Of these four, CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 can be exploited to achieve RCE. CVE-2021-31886, the most critical vulnerability, can be easily exploited by sending a crafted username via the FTP USER command. When the username exceeds the allocated buffer size, a stack-based buffer overflow occurs resulting in a potential device crash (DoS) or providing the attacker with the ability to control the execution flow to achieve RCE.
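The bug class described above comes down to copying the USER argument into a fixed-size buffer without checking its length first. The following is an added example, not code from Nucleus, Siemens or the Forescout report: a hypothetical `ftp_handle_user` handler that validates the argument before any byte is written. The 32-byte limit and all names are assumptions, since the page does not state the real buffer size.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: the page does not state the size of the Nucleus buffer. */
#define USERNAME_MAX 32

/* FTP reply codes from RFC 959. */
enum { FTP_NEED_PASSWORD = 331, FTP_SYNTAX_ERROR = 500, FTP_BAD_ARGUMENT = 501 };

/* Case-insensitive match of the four-byte verb "USER". */
static int is_user_verb(const char *p)
{
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)p[i]) != "USER"[i])
            return 0;
    return 1;
}

/* Hypothetical handler for one control-channel line, "USER <name>\r\n".
 * `line` holds `len` received bytes and need not be NUL-terminated.
 * An over-long name is rejected outright, never truncated or copied. */
int ftp_handle_user(const char *line, size_t len, char *out, size_t out_cap)
{
    if (line == NULL || out == NULL || out_cap == 0)
        return FTP_SYNTAX_ERROR;
    out[0] = '\0';
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                                  /* strip CR/LF */
    if (len < 4 || !is_user_verb(line) || (len > 4 && line[4] != ' '))
        return FTP_SYNTAX_ERROR;                /* not a USER command */
    if (len <= 5)
        return FTP_BAD_ARGUMENT;                /* no username supplied */
    const char *name = line + 5;
    size_t name_len = len - 5;
    if (name_len > USERNAME_MAX || name_len >= out_cap)
        return FTP_BAD_ARGUMENT;                /* length check before the copy */
    for (size_t i = 0; i < name_len; i++)
        if (iscntrl((unsigned char)name[i]))
            return FTP_BAD_ARGUMENT;            /* no control bytes in names */
    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return FTP_NEED_PASSWORD;
}

int main(void)
{
    char user[USERNAME_MAX + 1];
    const char *line = "USER operator\r\n";    /* constructed sample input */
    printf("%d %s\n", ftp_handle_user(line, strlen(line), user, sizeof user), user);
    return 0;
}
```
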

Thousands of potentially affected devices are publicly accessible

The official statement is that the Nucleus RTOS is used by over 3 billion devices. However, exact counts are hard to determine for TCP/IP stacks, as we’ve seen in the past. Forescout attempted to identify systems advertising banners that indicate the use of Nucleus FTP server or Nucleus RTOS with Shodan as shown in the image below.

Source: Forescout NUCLEUS:13 Report

Proof of concept

At the present time, no direct proof-of-concept (PoC) code exists for these vulnerabilities. However, the technical details in the report are sufficient for testing and exploiting some of the vulnerabilities, including CVE-2021-31886. In addition, Forescout has published a video demonstrating the impact of successful exploitation.

Due to the various implementations of the RTOS, it’s possible that not all attacks will have the same impact on the various devices running affected versions of Nucleus. Any PoC code or exploit scripts are likely to be context dependent.

Solution

At this time, Siemens, which owns Nucleus, has released patches for all of these vulnerabilities. Although the patches have been released, device manufacturers and vendors who have implemented the TCP/IP stack or RTOS will need to release updates for affected products. This could mean major delays in updating and securing these devices. Siemens Security Advisory SSA-044112 contains additional patching and remediation information. Additionally, Forescout offers some mitigation recommendations in its report.

Identifying affected systems

Tenable offers two plugins to help identify devices or applications running Nucleus RTOS or utilizing Nucleus NET. Plugin ID 149645 can be used to detect the FTP server used with the Nucleus NET TCP/IP stack. Plugin 62795 can be used to identify Nucleus Plus, the Nucleus RTOS.

Additional research is ongoing and a list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
