OTPulse

Siemens Nucleus Products DNS Module (Update A)

Plan Patch | CVSS 8.1 | ICS-CERT ICSA-21-103-04 | Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Two out-of-bounds write vulnerabilities (CWE-787, CWE-823) exist in the DNS client of Nucleus NET (versions before 5.2) and Nucleus Source Code, part of the "NAME:WRECK" vulnerability set affecting multiple DNS implementations. A malicious DNS response could trigger a denial-of-service condition or remote code execution on affected devices. Nucleus NET v5.2 is not vulnerable but is already end-of-support. Nucleus Source Code and Capital VSTAR require vendor contact for patch information.

What this means
What could happen
An attacker on your network could exploit DNS response handling flaws to crash devices running Nucleus NET or execute code remotely on them, disrupting industrial processes that depend on network communication.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens Nucleus-based real-time operating systems in industrial controllers, particularly those that employ Nucleus NET networking components or custom products built on Nucleus source code (such as Capital VSTAR). Affects devices that handle DNS queries for name resolution.
How it could be exploited
An attacker with network access to a device running vulnerable Nucleus NET would craft a malicious DNS response containing an oversized packet. When the device processes the response, the out-of-bounds write could overwrite memory, either crashing the device (denial of service) or allowing the attacker to inject and execute code on the device.
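The bounds checks that the weakness classes named in the summary (CWE-787 out-of-bounds write, CWE-823 out-of-range pointer offset) call for when a DNS client decodes a name from a response, as an added example that is not Siemens or Nucleus code. The function name dns_decode_name and the sample byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255 /* RFC 1035 limit on the length of a name */

/* Constructed sample: "example.com" at offset 0, "www" + pointer to 0 at 13. */
const uint8_t OK_MSG[] = {7,'e','x','a','m','p','l','e',3,'c','o','m',0,
                          3,'w','w','w',0xC0,0x00};
/* Constructed malformed sample: pointer offset 0x40 is outside the message. */
const uint8_t BAD_PTR[] = {3,'w','w','w',0xC0,0x40};
/* Constructed malformed sample: label claims 63 bytes, only 2 follow. */
const uint8_t BAD_LEN[] = {0x3F,'a','b'};

/* Decode the name at msg[off] into out as a dotted, NUL-terminated string.
 * Returns the decoded length, or -1 if the message must be rejected.
 * Every read is checked against msg_len, every write against out_cap. */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_cap)
{
    size_t w = 0;   /* bytes written to out so far */
    int jumps = 0;  /* compression pointers followed so far */
    if (out_cap == 0) return -1;
    for (;;) {
        if (off >= msg_len) return -1;              /* read past end of message */
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= msg_len) return -1;      /* truncated pointer */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            /* must point backward; cap the number of pointers followed */
            if (target >= off || ++jumps > 16) return -1;
            off = target;
            continue;
        }
        if (len & 0xC0) return -1;                  /* reserved label type */
        if (len == 0) break;                        /* root label ends the name */
        if (off + 1 + len > msg_len) return -1;     /* label runs past message */
        size_t sep = w ? 1 : 0;                     /* dot between labels */
        if (w + sep + len + 1 > out_cap || w + sep + len > DNS_MAX_NAME) return -1;
        if (sep) out[w++] = '.';
        memcpy(out + w, msg + off + 1, len);
        w += len;
        off += 1 + (size_t)len;
    }
    out[w] = '\0';
    return (int)w;
}

int main(void) {
    char name[256];
    printf("%d\n", dns_decode_name(OK_MSG, sizeof OK_MSG, 13, name, sizeof name));
    printf("%d\n", dns_decode_name(BAD_PTR, sizeof BAD_PTR, 0, name, sizeof name));
    printf("%d\n", dns_decode_name(BAD_LEN, sizeof BAD_LEN, 0, name, sizeof name));
    return 0;
}
```

The same checks apply in a DNS-inspecting gateway placed in front of devices that cannot be patched: a response that fails them is dropped before it reaches the client.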
Prerequisites
  • Network access to a device running Nucleus NET with DNS client enabled
  • No authentication required
  • Device must be configured to use DNS (not a typical OT default, but possible in networked industrial environments)
remotely exploitable · no authentication required · low complexity · affects networked industrial systems · no patch available for Nucleus NET versions below 5.2 (v5.2 itself is end-of-support)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
1 with fix, 1 pending
Product | Affected Versions | Fix Status
Nucleus Source Code | including affected DNS modules | No fix yet
Nucleus NET | <V5.2 | ReadyStart v3 or v4 (latest)
Remediation & Mitigation
Do now
WORKAROUND: Disable DNS client functionality if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Nucleus NET
HOTFIX: Update Nucleus NET to ReadyStart v3 or v4 (latest version available)
Nucleus Source Code
HOTFIX: Contact Siemens customer support for patch availability for Nucleus Source Code and Capital VSTAR products
Long-term hardening
HARDENING: Restrict network access to affected devices using firewall rules; ensure industrial control system networks are not directly accessible from the Internet or business networks
HARDENING: Implement network segmentation to isolate critical devices running Nucleus-based systems from general network traffic
API: /api/v1/advisories/3eefb292-b557-41da-872b-169d001f61fb
Siemens Nucleus Products DNS Module (Update A) | CVSS 8.1 - OTPulse