OTPulse

Siemens Nucleus Products IPv6 Stack

Plan PatchCVSS 7.5ICS-CERT ICSA-21-103-05Apr 13, 2021
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The IPv6 stack in Siemens Nucleus Real-Time Operating System (RTOS) networking component contains two vulnerabilities in IPv6 header processing. When an attacker sends specially crafted IPv6 packets, the stack fails to validate the headers correctly, triggering an infinite loop or uncontrolled resource consumption. This causes the affected device's networking to become unresponsive, resulting in a denial of service. The vulnerability affects Capital Embedded AR Classic, Nucleus NET, and Nucleus ReadyStart products used in industrial controllers and embedded systems across multiple critical infrastructure sectors.

What this means
What could happen
An attacker on the network can send specially crafted IPv6 packets to devices running affected Nucleus RTOS versions, causing them to stop responding and disrupting operations until the device is rebooted.
Who's at risk
Equipment manufacturers and system integrators using Siemens Nucleus RTOS in embedded industrial controllers, programmable logic controllers (PLCs), remote terminal units (RTUs), and networking devices. Particular concern for water treatment systems, power distribution equipment, and other critical infrastructure devices that rely on Nucleus-based controllers for real-time process management.
How it could be exploited
An attacker with network access to a device running an affected Nucleus product sends malformed IPv6 header packets. The IPv6 stack processes these headers incorrectly, triggering an infinite loop or resource exhaustion condition that crashes the networking component and stops the device from communicating.
Prerequisites
  • Network access to the device or network segment where the affected device resides
  • Device must be running an affected version of Nucleus RTOS with IPv6 stack enabled
  • No credentials or authentication required
Remotely exploitable over networkNo authentication requiredLow complexity attackAffects availability (denial of service)Some products have no fix availableActively monitored by CISA (KEV tracking)
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (6)
3 with fix3 EOL
ProductAffected VersionsFix Status
Capital Embedded AR Classic R20-11< V23032303
Nucleus ReadyStart V3< V2017.02.42017.02.4
Nucleus ReadyStart V4< V4.1.04.1.0
Capital Embedded AR Classic 431-422All versionsNo fix (EOL)
Nucleus NETAll versionsNo fix (EOL)
Nucleus Source CodeAll versionsNo fix (EOL)
Remediation & Mitigation
0/7
Do now
0/3
Capital Embedded AR Classic 431-422
WORKAROUNDFor Capital Embedded AR Classic 431-422 (no fix available) and Nucleus NET (no fix available), contact Siemens customer support or the Nucleus Sales team for mitigation and patching guidance
All products
HARDENINGRestrict network access to devices running Nucleus RTOS using firewall rules to block unnecessary inbound traffic
WORKAROUNDIf IPv6 is not required for operations, consider disabling the IPv6 stack on affected devices
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

Capital Embedded AR Classic R20-11
HOTFIXUpdate Capital Embedded AR Classic R20-11 to firmware version 2303 or later
Nucleus ReadyStart V3
HOTFIXUpdate Nucleus ReadyStart v3 to version 2017.02.4 or later
Nucleus ReadyStart V4
HOTFIXUpdate Nucleus ReadyStart v4 to version 4.1.0 or later
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: Capital Embedded AR Classic 431-422, Nucleus NET, Nucleus Source Code. Apply the following compensating controls:
HARDENINGPlace control system networks behind firewalls and isolate from corporate IT networks to reduce exposure
View full CISA ICS-CERT advisory
API: /api/v1/advisories/443d88f5-2446-4d32-b789-826d1c2a6ccf

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens Nucleus Products IPv6 Stack | CVSS 7.5 - OTPulse