OTPulse

Siemens Mentor Nucleus Networking Module

CVSS 7.1 · ICS-CERT ICSA-19-318-01 · Nov 12, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The DHCP implementation in Nucleus NET, a networking module in the Nucleus Real-Time Operating System (RTOS), contains a vulnerability that allows an attacker to change the IP address of an affected device to an invalid value. This affects multiple Siemens embedded products that use this networking stack, including Capital Embedded AR Classic, Nucleus ReadyStart, and various source code distributions. The vulnerability is not remotely exploitable and requires local network access.

What this means
What could happen
An attacker on your local network could send a malicious DHCP response to change a device's IP address to an invalid value, disrupting network communications and potentially stopping the device from reaching the control system network or receiving commands from your engineering station.
Who's at risk
Organizations using Siemens embedded devices with Nucleus RTOS networking (Nucleus NET, Nucleus ReadyStart) should review their deployed equipment. This includes water treatment and distribution systems, power distribution networks, and industrial controllers from Siemens and partners who embed Nucleus. Older Capital Embedded AR Classic 431-422 devices and newer R20-11 devices below v2303 are affected.
How it could be exploited
An attacker with access to the same local network segment as the device must intercept or respond to DHCP requests. The attacker sends a crafted DHCP response with an invalid IP address. The affected device accepts this response and reconfigures itself with the invalid IP, losing network connectivity.
Prerequisites
  • Attacker must be on the same local network segment (not routable from the Internet)
  • Device must have DHCP client enabled (default in many configurations)
  • Device must initiate or perform a DHCP request cycle
  • Local network access required (AV:A, not remotely exploitable)
  • No authentication required
  • Low attack complexity
  • No patch available for multiple products (431-422, Nucleus NET, Source Code)
  • Affects device availability and network connectivity
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5)
2 with fix, 3 EOL
Product | Affected Versions | Fix Status
Capital Embedded AR Classic R20-11 | < V2303 | 2303
Nucleus ReadyStart V3 | < V2017.02.3 | 2017.02.3
Capital Embedded AR Classic 431-422 | All versions | No fix (EOL)
Nucleus NET | All versions | No fix (EOL)
Nucleus Source Code | All versions | No fix (EOL)
Remediation & Mitigation
Do now
Capital Embedded AR Classic 431-422
WORKAROUND: For products without fixes available (Capital Embedded AR Classic 431-422, Nucleus NET, Nucleus Source Code), contact Siemens or your integrator for guidance and workaround confirmation.
All products
WORKAROUND: Disable the DHCP client on affected devices and configure static IP addresses instead.
HARDENING: Implement network segmentation to restrict DHCP traffic to authorized servers only; use DHCP snooping or port-based ACLs on your managed switches.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Nucleus NET
HOTFIX: Update Nucleus ReadyStart to v2017.02.3 or later and install the 'Nucleus 2017.02.02 Nucleus NET Patch' from the Mentor support center.
Capital Embedded AR Classic R20-11
HOTFIX: Update Capital Embedded AR Classic R20-11 to firmware version 2303 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Capital Embedded AR Classic 431-422, Nucleus NET, Nucleus Source Code. Apply the following compensating controls:
HARDENING: Isolate control system networks from the business network using a firewall with strict ingress/egress rules.
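As an added example, not part of this advisory or of Siemens' or Mentor's code: a small Python checker that applies, on the network side, the validation the affected DHCP client lacks, flagging DHCP OFFER/ACK records that come from a server not on an allow-list or that carry an unusable address. The monitor log format, the authorized-server set and the expected subnet are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed: the only DHCP server allowed on the OT segment, and that segment's subnet.
AUTHORIZED_SERVERS = {"10.10.0.1"}
EXPECTED_SUBNET = ipaddress.ip_network("10.10.0.0/24")
# Constructed record format of a hypothetical passive DHCP monitor:
# <ts> dhcp-mon <OFFER|ACK> server=<ip> yiaddr=<ip> mask=<mask> client=<mac>
LINE_RE = re.compile(
    r"^\S+ dhcp-mon (?:OFFER|ACK) server=(?P<server>\S+) yiaddr=(?P<yiaddr>\S+) "
    r"mask=(?P<mask>\S+) client=(?P<client>\S+)$"
)

def address_problems(yiaddr, mask):
    """Reasons an offered address/mask pair is unusable; an empty list if it is fine."""
    try:
        addr = ipaddress.ip_address(yiaddr)
        net = ipaddress.ip_network(f"{yiaddr}/{mask}", strict=False)
    except ValueError as exc:
        return [f"unparseable address field: {exc}"]
    problems = []
    # 0.0.0.0, 127/8, 224/4 and 240/4 (which holds 255.255.255.255) are never host
    # addresses; neither are the offered subnet's own network and broadcast addresses.
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_reserved:
        problems.append(f"yiaddr {addr} is not a unicast host address")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"yiaddr {addr} is the network or broadcast address of {net}")
    if addr not in EXPECTED_SUBNET:
        problems.append(f"yiaddr {addr} is outside the expected subnet {EXPECTED_SUBNET}")
    return problems

def check_line(line):
    """(client MAC, findings) for a DHCP OFFER/ACK record, None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    findings = []
    if m["server"] not in AUTHORIZED_SERVERS:
        findings.append(f"unauthorized DHCP server {m['server']}")
    findings.extend(address_problems(m["yiaddr"], m["mask"]))
    return m["client"], findings
# Constructed sample records: a clean lease, then a rogue server handing out 0.0.0.0.
SAMPLE_LOG = [
    "2019-11-12T10:00:01Z dhcp-mon OFFER server=10.10.0.1 yiaddr=10.10.0.42 mask=255.255.255.0 client=aa:bb:cc:00:00:01",
    "2019-11-12T10:00:03Z dhcp-mon OFFER server=10.10.0.99 yiaddr=0.0.0.0 mask=255.255.255.0 client=aa:bb:cc:00:00:02",
]
if __name__ == "__main__":
    for client, findings in filter(None, map(check_line, SAMPLE_LOG)):
        print(client, "->", "; ".join(findings) or "ok")
```

Fed from DHCP snooping or span-port logs, the same check surfaces a rogue server answering a device's request before the device reconfigures itself with the bad lease.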