OTPulse

Siemens Nucleus RTOS TCP/IP Stack

Plan PatchCVSS 9.8ICS-CERT ICSA-21-313-03Nov 9, 2021
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The TCP/IP stack and related services (FTP, TFTP) in Siemens Nucleus Real-Time Operating System (RTOS) contain multiple vulnerabilities known as "NUCLEUS:13." These flaws include buffer overflows (CWE-119, CWE-125), type confusion (CWE-843), integer underflow (CWE-191), and other memory-safety issues affecting the networking component (Nucleus NET). The vulnerabilities allow remote code execution without authentication. Affected products: Nucleus NET (all versions—no fix available), Nucleus ReadyStart V3 (versions before 2017.02.4), Nucleus ReadyStart V4 (versions before 4.1.1), and Nucleus Source Code (all versions—no fix available).

What this means
What could happen
An attacker with network access to devices running vulnerable Nucleus RTOS versions could execute arbitrary code remotely without authentication, potentially allowing them to alter PLC logic, modify process parameters, disable safety functions, or shut down critical industrial processes.
Who's at risk
Operators of water treatment plants, power distribution systems, and other critical infrastructure using Siemens industrial controllers and PLCs based on Nucleus RTOS (especially Nucleus NET, ReadyStart v3, or ReadyStart v4) are affected. Any facility running automation equipment with these components is at risk if the device is reachable from an untrusted network.
How it could be exploited
An attacker sends specially crafted network packets to the TCP/IP stack on a device running vulnerable Nucleus NET, ReadyStart v3 (<2017.02.4), or ReadyStart v4 (<4.1.1). The vulnerabilities in the network stack (buffer overflows, type confusion, integer underflow) allow the attacker to bypass bounds checking and execute arbitrary code with the privileges of the RTOS process.
Prerequisites
  • Network connectivity to the device running Nucleus RTOS on any port handled by the TCP/IP stack
  • No authentication required
  • Device must be running a vulnerable version: Nucleus NET (all versions), Nucleus ReadyStart v3 before 2017.02.4, or Nucleus ReadyStart v4 before 4.1.1
Remotely exploitable without authenticationLow attack complexity (no user interaction required)Critical CVSS score (9.8)Affects all versions of Nucleus NETTwo affected product lines lack fixes available from vendor
Exploitability
Some exploitation risk — EPSS score 3.4%
Affected products (4)
2 with fix2 EOL
ProductAffected VersionsFix Status
Nucleus ReadyStart V3<V2017.02.42017.02.4
Nucleus ReadyStart V4<V4.1.14.1.1
Nucleus NETAll versionsNo fix (EOL)
Nucleus Source CodeAll versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/1
WORKAROUNDRestrict network access to devices running Nucleus RTOS using firewall rules to limit exposure to trusted networks only
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

Nucleus ReadyStart V3
HOTFIXUpdate Nucleus ReadyStart v3 to version 2017.02.4 or later
Nucleus ReadyStart V4
HOTFIXUpdate Nucleus ReadyStart v4 to version 4.1.1 or later
Nucleus NET
HOTFIXFor Nucleus NET (all versions) and Nucleus Source Code (all versions), contact Siemens Customer Support for patch and mitigation advice
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: Nucleus NET, Nucleus Source Code. Apply the following compensating controls:
HARDENINGIsolate devices running Nucleus RTOS from the business network and the Internet using network segmentation
HARDENINGRequire VPN or other secure tunneling for any necessary remote access to devices running Nucleus RTOS
View full CISA ICS-CERT advisory
API: /api/v1/advisories/ce4fe292-8b23-417e-ab41-0d6b8d83e5b1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.