Siemens Capital VSTAR
Status: Plan Patch · Score: 8.2 · ICS-CERT ICSA-21-350-06 · Dec 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Nucleus RTOS (NUCLEUS:13) affect Siemens Capital Embedded AR Classic. They include memory safety issues (CWE-125, CWE-119, CWE-191), type confusion (CWE-843), and numeric errors (CWE-240) that can be exploited remotely without authentication. All versions of Capital Embedded AR Classic 431-422 are affected and no fix is available for them. Capital Embedded AR Classic R20-11 is vulnerable in versions prior to V2303.
What this means
What could happen
An attacker with network access to a Capital Embedded AR Classic device could remotely execute code or crash the device, potentially causing loss of availability or process disruption depending on the specific vulnerability exploited. These are memory safety flaws that could allow arbitrary code execution or denial of service.
Who's at risk
Water utilities, electric utilities, and manufacturing facilities using Siemens Capital Embedded AR Classic embedded controller units for automation and process control. This includes any facility using Capital Embedded AR Classic 431-422 (all versions) or R20-11 (pre-V2303) for critical infrastructure automation, PLC logic, or real-time process control.
How it could be exploited
An attacker on the network sends a specially crafted packet or input to the vulnerable Nucleus RTOS component in the Capital Embedded AR Classic device. Exploitation does not require authentication or user interaction. The device processes the malicious input, triggering a memory safety flaw or type confusion error, allowing code execution or a crash.
Prerequisites
- Network-accessible connectivity to the Capital Embedded AR Classic device
- No authentication required
- Device must be running a vulnerable version of Nucleus RTOS
Tags: remotely exploitable · no authentication required · low complexity · affects availability (denial of service) · affects integrity (code execution potential) · Capital Embedded AR Classic 431-422 has no fix available
Exploitability
Moderate exploit probability (EPSS 2.5%)
Affected products (2)
1 with fix · 1 EOL
Product | Affected Versions | Fix Status
Capital Embedded AR Classic 431-422 | All versions | No fix (EOL)
Capital Embedded AR Classic R20-11 | < V2303 | V2303
Remediation & Mitigation
Do now
WORKAROUND: Implement network segmentation and place Capital Embedded AR Classic devices behind properly configured firewalls or gateways to restrict unauthorized network access.
WORKAROUND: Disable DHCP client functionality (set TcpIpIpV4General/TcpIpDhcpClientEnabled to false in the Pre-Compile configuration) if this feature is not required for operation.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
Capital Embedded AR Classic R20-11
HOTFIX: Update Capital Embedded AR Classic R20-11 to version V2303 or later.
Mitigations - no patch available
Capital Embedded AR Classic 431-422 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate Capital Embedded AR Classic devices and control system networks from the business network and the Internet.
HARDENING: Configure the environment according to Siemens operational guidelines for industrial security.
CVEs (8)
API: /api/v1/advisories/f3319266-1c93-40da-bb4b-341eed774663