NUCLEUS:13: 13 Vulnerabilities Found in Siemens Nucleus TCP/IP Stack

Thirteen new vulnerabilities have been discovered in the Nucleus TCP/IP stack used in potentially billions of devices.

Background

On November 9, Forescout Research published a report called NUCLEUS:13. The report details research they conducted into the Nucleus NET, the TCP/IP stack of the Siemens owned Nucleus real-time operating system (RTOS), where they found 13 new vulnerabilities. This research is the fifth report of PROJECT:MEMORIA. Prior reports include: INFRA:HALT, a joint project with Forescrout and JFrog Security Research detailing 14 vulnerabilities affecting the NicheStack TCP/IP stack; NAME:WRECK, which details nine vulnerabilities across four TCP/IP stacks, including six vulnerabilities in Nucleus NET; NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks and AMNESIA:33, which details 33 vulnerabilities across four TCP/IP stacks. According to the NUCLEUS:13 report and Siemens, the Nucleus RTOS is used in over 3 billion devices across a wide range of industries including automotive, healthcare and industrial applications.

Analysis

Exploitation of these vulnerabilities can result in remote code execution (RCE), information disclosure and denial-of-service (DoS). The 13 vulnerabilities include:

FTP: Insecure by design

Four of the highest severity vulnerabilities (CVE-2021-31886, CVE-2021-31887, CVE-2021-31888, CVE-2021-31885) are the result of having a file transfer protocol (FTP) or trivial FTP (TFTP) server enabled. FTP is an insecure protocol which lacks encryption or secure authentication mechanisms. Typically found in legacy applications, FTP can open up an organization to significant risk.

Of these four, CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 can be exploited to achieve RCE. CVE-2021-31886, the most critical vulnerability, can be easily exploited by sending a crafted username via the FTP USER command. When the username exceeds the allocated buffer size, a stack-based buffer overflow occurs resulting in a potential device crash (DoS) or providing the attacker with the ability to control the execution flow to achieve RCE.

Thousands of potentially affected devices are publicly accessible

The official statement is that the Nucleus RTOS is used by over 3 billion devices. However, exact counts are hard to determine for TCP/IP stacks, as we’ve seen in the past. Forescout attempted to identify systems advertising banners that indicate the use of Nucleus FTP server or Nucleus RTOS with Shodan as shown in the image below.

Source: Forescout NUCLEUS:13 Report

Proof of concept

At the present time, no direct proof-of-concept (PoC) code exists for these vulnerabilities. However, the technical details in the report provide sufficient details for testing and exploiting some of the vulnerabilities, including CVE-2021-31886. In addition, Forescout has published a video demonstrating the impact of successful exploitation.

Due to the various implementations of the RTOS, it’s possible that not all attacks will have the same impact on the various devices running affected versions of Nucleus. Any PoC code or exploit scripts are likely to be context dependent.

Solution

At this time, Siemens, who owns Nucleus, has released patches for all of these vulnerabilities. Although the patches have been released, device manufacturers and vendors who have implemented the TCP/IP stack or RTOS will need to release updates for affected products. This could mean major delays in updating and securing these devices. Siemens Security Advisory SSA-044112 contains additional patching and remediation information. Additionally, Forescout offers some mitigation recommendations in its report.

Identifying affected systems

Tenable offers two plugins to help identify devices or applications running Nucleus RTOS or utilizing Nucleus NET. Plugin ID 149645 can be used to detect the FTP server used with the Nucleus NET TCP/IP stack. Plugin 62795 can be used to identify Nucleus Plus, the Nucleus RTOS.

Additional research is ongoing and a list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• NUCLEUS:13 PDF Report
• Tenable Blog post for NAME:WRECK
• Tenable Blog Post for NUMBER:JACK
• Tenable Blog Post for AMNESIA:33

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.