
Tenable Blog


NUCLEUS:13: 13 Vulnerabilities Found in Siemens Nucleus TCP/IP Stack


Thirteen new vulnerabilities have been discovered in the Nucleus TCP/IP stack used in potentially billions of devices.

Background

On November 9, Forescout Research published a report called NUCLEUS:13. The report details research they conducted into Nucleus NET, the TCP/IP stack of the Siemens-owned Nucleus real-time operating system (RTOS), where they found 13 new vulnerabilities. This research is the fifth report of PROJECT:MEMORIA. Prior reports include: INFRA:HALT, a joint project with Forescout and JFrog Security Research detailing 14 vulnerabilities affecting the NicheStack TCP/IP stack; NAME:WRECK, which details nine vulnerabilities across four TCP/IP stacks, including six vulnerabilities in Nucleus NET; NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks; and AMNESIA:33, which details 33 vulnerabilities across four TCP/IP stacks. According to the NUCLEUS:13 report and Siemens, the Nucleus RTOS is used in over 3 billion devices across a wide range of industries including automotive, healthcare and industrial applications.

Analysis

Exploitation of these vulnerabilities can result in remote code execution (RCE), information disclosure and denial-of-service (DoS). The 13 vulnerabilities include:

| CVE | Affected Component | Potential Impact | CVSSv3 |
|---|---|---|---|
| CVE-2021-31886 | FTP Server | RCE | 9.8 |
| CVE-2021-31884 | DHCP Client | DoS, Out-of-bound reads/writes. Impact depends on how the client is implemented. | 8.8 |
| CVE-2021-31887 | FTP Server | RCE | 8.8 |
| CVE-2021-31888 | FTP Server | RCE | 8.8 |
| CVE-2021-31346 | IP/ICMP | Information leak/DoS | 8.2 |
| CVE-2021-31889 | TCP Server | DoS | 7.5 |
| CVE-2021-31890 | TCP Server | DoS | 7.5 |
| CVE-2021-31885 | TFTP Server | Information Leak | 7.5 |
| CVE-2021-31345 | UDP | DoS, Information leak. Impact depends on how UDP is implemented. | 7.5 |
| CVE-2021-31881 | DHCP Client | DoS | 7.1 |
| CVE-2021-31883 | DHCP Client | DoS | 7.1 |
| CVE-2021-31882 | DHCP Client | DoS | 6.5 |
| CVE-2021-31344 | ICMP | Confused Deputy | 5.3 |

FTP: Insecure by design

Four of the highest severity vulnerabilities (CVE-2021-31886, CVE-2021-31887, CVE-2021-31888, CVE-2021-31885) are the result of having a file transfer protocol (FTP) or trivial FTP (TFTP) server enabled. FTP is an insecure protocol which lacks encryption or secure authentication mechanisms. Typically found in legacy applications, FTP can open up an organization to significant risk.

Of these four, CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 can be exploited to achieve RCE. CVE-2021-31886, the most critical vulnerability, can be easily exploited by sending a crafted username via the FTP USER command. When the username exceeds the allocated buffer size, a stack-based buffer overflow occurs resulting in a potential device crash (DoS) or providing the attacker with the ability to control the execution flow to achieve RCE.
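The bug class described above comes down to copying the USER argument into a fixed-size buffer without checking its length first. The following added example (not code from Nucleus, Siemens, Forescout or Tenable) shows a USER handler that validates the length before copying; the 32-byte buffer size and the names `parse_user` and `reply_code` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32 /* assumed size; the page gives no Nucleus buffer size */

enum user_result { USER_OK, USER_BAD_SYNTAX, USER_TOO_LONG };

/* Parse one control-channel line "USER <name>\r\n" into out[out_size].
 * The name length is checked before any byte is copied, so an oversized
 * name is rejected instead of being written past the end of out. */
enum user_result parse_user(const char *line, size_t len, char *out, size_t out_size)
{
    static const char verb[] = "USER ";
    const size_t verb_len = sizeof verb - 1;

    if (out_size == 0) return USER_BAD_SYNTAX;
    out[0] = '\0';
    if (len < verb_len) return USER_BAD_SYNTAX;
    for (size_t i = 0; i < verb_len; i++)        /* FTP verbs are case-insensitive */
        if (toupper((unsigned char)line[i]) != verb[i]) return USER_BAD_SYNTAX;

    const char *name = line + verb_len;
    size_t name_len = len - verb_len;
    while (name_len > 0 && (name[name_len - 1] == '\n' || name[name_len - 1] == '\r'))
        name_len--;                               /* drop the CRLF terminator */

    if (name_len == 0) return USER_BAD_SYNTAX;
    if (name_len >= out_size) return USER_TOO_LONG; /* leave room for the NUL */
    for (size_t i = 0; i < name_len; i++)         /* no NUL or control bytes */
        if (iscntrl((unsigned char)name[i])) return USER_BAD_SYNTAX;

    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return USER_OK;
}

/* RFC 959 reply: 331 asks for the password, 501 rejects the argument. */
int reply_code(enum user_result r) { return r == USER_OK ? 331 : 501; }

int main(void)
{
    char user[USERNAME_MAX], big[256] = "USER ";  /* constructed sample input */
    memset(big + 5, 'A', 200);
    memcpy(big + 205, "\r\n", 2);

    const char ok[] = "user operator\r\n";
    printf("%d\n", reply_code(parse_user(ok, strlen(ok), user, sizeof user)));
    printf("%d\n", reply_code(parse_user(big, 207, user, sizeof user)));
    return 0;
}
```

Rejecting the oversized name outright, rather than truncating it, also gives the server a clear event to log when a client sends an abnormally long USER argument.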

Thousands of potentially affected devices are publicly accessible

The official statement is that the Nucleus RTOS is used by over 3 billion devices. However, exact counts are hard to determine for TCP/IP stacks, as we’ve seen in the past. Forescout attempted to identify systems advertising banners that indicate the use of Nucleus FTP server or Nucleus RTOS with Shodan as shown in the image below.

Source: Forescout NUCLEUS:13 Report

Proof of concept

At the present time, no direct proof-of-concept (PoC) code exists for these vulnerabilities. However, the technical details in the report provide sufficient details for testing and exploiting some of the vulnerabilities, including CVE-2021-31886. In addition, Forescout has published a video demonstrating the impact of successful exploitation.

Due to the various implementations of the RTOS, it’s possible that not all attacks will have the same impact on the various devices running affected versions of Nucleus. Any PoC code or exploit scripts are likely to be context dependent.

Solution

At this time, Siemens, who owns Nucleus, has released patches for all of these vulnerabilities. Although the patches have been released, device manufacturers and vendors who have implemented the TCP/IP stack or RTOS will need to release updates for affected products. This could mean major delays in updating and securing these devices. Siemens Security Advisory SSA-044112 contains additional patching and remediation information. Additionally, Forescout offers some mitigation recommendations in its report.

Identifying affected systems

Tenable offers two plugins to help identify devices or applications running Nucleus RTOS or utilizing Nucleus NET. Plugin ID 149645 can be used to detect the FTP server used with the Nucleus NET TCP/IP stack. Plugin 62795 can be used to identify Nucleus Plus, the Nucleus RTOS.

Additional research is ongoing and a list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
