OTPulse

Siemens Nucleus DNS (Update A)

Monitor · CVSS 5.3 · ICS-CERT ICSA-21-103-14 · Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The DNS client in Siemens Nucleus NET and Nucleus ReadyStart contains a vulnerability (part of the "NAME:WRECK" DNS vulnerability set) related to improper handling of UDP port numbers in DNS requests. This allows an attacker on the network to poison the DNS cache or spoof DNS responses, redirecting affected devices to attacker-controlled servers. Nucleus NET (all versions) has no available fix. Nucleus ReadyStart is fixed in version 2013.08 or later. Nucleus Source Code including affected DNS modules also has no fix available.

What this means
What could happen
An attacker on the same network could intercept and modify DNS responses to direct your industrial devices to malicious servers, potentially causing operational disruption or data theft. This affects any device relying on Nucleus NET for DNS lookups, including embedded systems in PLCs, RTUs, and networked controllers.
Who's at risk
Any industrial device or embedded controller running Siemens Nucleus NET or Nucleus ReadyStart versions before 2013.08. This includes PLCs, RTUs, gateways, and other networked control devices that rely on DNS for host resolution. Organizations using Nucleus-based systems in critical infrastructure, water systems, and energy distribution are particularly affected.
How it could be exploited
An attacker with network access to the same network segment as your device sends crafted UDP packets that manipulate DNS cache entries. By spoofing DNS responses before the legitimate response arrives, the attacker redirects DNS queries to an attacker-controlled server, allowing them to intercept or redirect traffic from affected devices.
Prerequisites
  • Network access to the same network segment as the affected device
  • Ability to send UDP packets to the DNS client
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low exploitation complexity
  • Affects embedded systems in industrial control devices
  • No patch available for Nucleus NET (all versions)
  • DNS spoofing enables man-in-the-middle attacks
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
1 with fix · 1 pending · 1 EOL
Product | Affected Versions | Fix Status
Nucleus ReadyStart V3 | < V2013.08 | 2013.08
Nucleus Source Code | including affected DNS modules | No fix yet
Nucleus NET | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or avoid using the DNS client function on affected versions where patching is not possible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Nucleus ReadyStart to version 2013.08 or later
HOTFIX: Upgrade to Nucleus 4 or latest available version
Mitigations - no patch available
Nucleus NET has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate affected devices from untrusted network segments
HARDENING: Restrict network access to affected devices using firewall rules to limit exposure
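
Added example, not part of the advisory or of Siemens or OTPulse material: a passive check for segments where unpatched devices must keep using DNS, flagging the spoofed-response race described under "How it could be exploited" from DNS message metadata. The record layout, resolver address, time window and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

RESOLVERS = {"10.0.0.53"}  # assumption: the site's authorised DNS resolvers
WINDOW = 2.0               # assumption: seconds a query counts as outstanding

# Constructed sample DNS metadata (not real captures), e.g. from a passive sensor.
# Fields: ts, kind (q/r), src, sport, dst, dport, txid, qname, answers
SAMPLE = [
    (10.00, "q", "10.0.5.20", 1025, "10.0.0.53", 53, 0x1A2B, "hist.plant.example", ()),
    (10.01, "r", "10.0.0.53", 53, "10.0.5.20", 1025, 0x1A2B, "hist.plant.example", ("198.51.100.7",)),
    (10.04, "r", "10.0.0.53", 53, "10.0.5.20", 1025, 0x1A2B, "hist.plant.example", ("10.0.9.15",)),
    (20.00, "q", "10.0.5.21", 1026, "10.0.0.53", 53, 0x0001, "ntp.plant.example", ()),
    (20.02, "r", "10.0.0.53", 53, "10.0.5.21", 1026, 0x0001, "ntp.plant.example", ("10.0.9.1",)),
    (30.00, "q", "10.0.5.22", 1027, "10.0.0.53", 53, 0x0002, "scada.plant.example", ()),
    (30.01, "r", "10.0.7.99", 53, "10.0.5.22", 1027, 0x0002, "scada.plant.example", ("10.0.7.99",)),
]


def find_spoofing_indicators(records, resolvers=RESOLVERS, window=WINDOW):
    """Return (reason, client, qname) findings for suspicious DNS responses."""
    open_queries = {}                # query key -> time the query was sent
    seen_answers = defaultdict(set)  # query key -> distinct answer sets seen
    findings = []
    for ts, kind, src, sport, dst, dport, txid, qname, answers in sorted(records):
        if kind == "q":
            key = (src, sport, txid, qname.lower())
            open_queries[key] = ts
            seen_answers[key].clear()
            continue
        key = (dst, dport, txid, qname.lower())
        if src not in resolvers:
            # A response from a host that is not a configured resolver.
            findings.append(("unauthorised-responder", dst, qname))
        sent = open_queries.get(key)
        if sent is None or ts - sent > window:
            # No matching outstanding query: a blind injection attempt or noise.
            findings.append(("unsolicited-response", dst, qname))
            continue
        seen_answers[key].add(frozenset(answers))
        if len(seen_answers[key]) == 2:
            # Two different answers raced for one query; reported once per query.
            findings.append(("conflicting-answers", dst, qname))
    return findings


if __name__ == "__main__":
    for finding in find_spoofing_indicators(SAMPLE):
        print(finding)
```

A finding identifies the client and name to investigate; it does not say which of the competing answers was the legitimate one.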
Siemens Nucleus DNS (Update A) | CVSS 5.3 - OTPulse