OTPulse

Siemens Nucleus RTOS FTP Server

Plan Patch · 7.5 · ICS-CERT ICSA-22-286-07 · Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The FTP server component in Siemens Nucleus Real-Time Operating System (RTOS) does not properly release memory resources allocated during incomplete FTP client connection attempts. This memory leak allows a remote attacker to exhaust device memory and cause a denial of service condition by sending malformed or incomplete FTP connections. Affected products include Nucleus ReadyStart V3 (V2012 and V2017), Nucleus Source Code, and Nucleus NET for Nucleus PLUS (V1 and V2). Siemens has released a patch for Nucleus ReadyStart V3 V2017 but has not released patches for V2012 or Nucleus NET, which are end-of-life products.

What this means
What could happen
An attacker can send incomplete FTP connection requests to crash or hang devices running the vulnerable Nucleus RTOS FTP server, causing a denial of service that disrupts any control system or automation platform relying on that device for communication or operations.
Who's at risk
Water authorities, electric utilities, and industrial manufacturers using Siemens Nucleus RTOS-based devices and platforms should assess whether they run the FTP networking component. This impacts embedded controllers, PLCs, and real-time automation systems that depend on Nucleus for communication and process control. Organizations with legacy Nucleus ReadyStart V2012 systems or any Nucleus NET deployments face unpatched risk.
How it could be exploited
An attacker with network access to the FTP service port sends malformed or incomplete FTP connection requests that cause the server to leak memory resources. After multiple requests, available memory is exhausted and the device becomes unresponsive or restarts.
Prerequisites
  • Network access to the FTP server port (default port 21)
  • FTP server enabled on the Nucleus RTOS device
  • No authentication required to trigger the vulnerability
Remotely exploitable · No authentication required · Low complexity attack · No patch available for most affected products · Affects real-time operating systems and control platforms
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (5)
1 with fix · 1 pending · 3 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Nucleus Source Code | All versions including affected FTP server | No fix yet |
| Nucleus NET for Nucleus PLUS V1 | <V5.2a | No fix (EOL) |
| Nucleus NET for Nucleus PLUS V2 | <V5.4 | No fix (EOL) |
| Nucleus ReadyStart V3 V2012 | <V2012.08.1 | No fix (EOL) |
| Nucleus ReadyStart V3 V2017 | <V2017.02.4 | V2017.02.4 with patch 2017.02.4_patch_CVE-2022-38371 |
Remediation & Mitigation
Do now
Nucleus ReadyStart V3 V2012
WORKAROUND: For Nucleus ReadyStart V3 V2012 and Nucleus NET where no patches are available, set TCP_MAX_KEEPALIVES configuration parameter to 3
WORKAROUND: For Nucleus ReadyStart V3 V2012 and Nucleus NET where no patches are available, set TCP_KEEPALIVE_INTERVAL and TCP_KEEPALIVE_DELAY to 3 seconds
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Nucleus ReadyStart V3 V2017
HOTFIX: Update Nucleus ReadyStart V3 V2017 to version 2017.02.4 and apply the patch 2017.02.4_patch_CVE-2022-38371
Nucleus Source Code
HOTFIX: Contact Siemens for update information on Nucleus Source Code affected versions
All products
HOTFIX: Rebuild and redeploy applications with the configuration changes
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Nucleus NET for Nucleus PLUS V1, Nucleus NET for Nucleus PLUS V2, Nucleus ReadyStart V3 V2012. Apply the following compensating controls:
HARDENING: Implement network segmentation and firewall rules to restrict FTP port access to only trusted administrative workstations
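
An added monitoring example (not part of the advisory and not Siemens tooling): it scans Zeek-style connection records for sources outside a trusted administrative range that reach FTP port 21, and for bursts of FTP connections that never complete cleanly. The log layout, address ranges, window, threshold and the set of connection states treated as incomplete are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

FTP_PORT = 21
# Assumption: Zeek conn_state codes treated here as "never completed cleanly".
INCOMPLETE = {"S0", "S1", "SH", "RSTO", "RSTOS0"}
TRUSTED = [ip_network("10.10.5.0/28")]   # constructed admin-workstation range
WINDOW_S, THRESHOLD = 60, 5              # assumed tuning values

# Constructed sample records: ts, src, dst, dport, conn_state (tab-separated)
SAMPLE = "\n".join(
    [f"{1000 + i * 5}\t10.20.0.77\t10.30.0.4\t21\tS1" for i in range(6)]
    + ["1010\t10.10.5.3\t10.30.0.4\t21\tSF",
       "1012\t10.20.0.9\t10.30.0.4\t21\tSF",
       "1015\t10.20.0.77\t10.30.0.4\t502\tS0"]
)

def analyse(log_text):
    """Return (untrusted_sources, burst_alerts) for FTP traffic in the log."""
    untrusted, alerts = set(), []
    recent = defaultdict(deque)          # (src, dst) -> times of incomplete conns
    rows = [l.split("\t") for l in log_text.splitlines() if l.strip()]
    for ts, src, dst, dport, state in sorted(rows, key=lambda r: float(r[0])):
        if int(dport) != FTP_PORT:
            continue
        # Hardening check: only trusted workstations should reach port 21 at all.
        if not any(ip_address(src) in net for net in TRUSTED):
            untrusted.add(src)
        if state not in INCOMPLETE:
            continue
        q = recent[(src, dst)]
        q.append(float(ts))
        while q and q[0] < float(ts) - WINDOW_S:
            q.popleft()                  # drop entries older than the window
        if len(q) == THRESHOLD:          # alert once as the threshold is reached
            alerts.append((src, dst, float(ts)))
    return untrusted, alerts

if __name__ == "__main__":
    bad_sources, bursts = analyse(SAMPLE)
    print("FTP reached from untrusted sources:", sorted(bad_sources))
    for src, dst, ts in bursts:
        print(f"burst of incomplete FTP connections {src} -> {dst} at t={ts}")
```

Any source in the first result indicates the firewall restriction is not in effect for that path; the burst alert is a prompt to check the target device's memory and uptime.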