OTPulse

Siemens Nucleus RTOS FTP Server

Plan PatchCVSS 7.5ICS-CERT ICSA-22-286-07Oct 11, 2022
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The FTP server component in Siemens Nucleus Real-Time Operating System (RTOS) does not properly release memory resources allocated during incomplete FTP client connection attempts. This memory leak allows a remote attacker to exhaust device memory and cause a denial of service condition by sending malformed or incomplete FTP connections. Affected products include Nucleus ReadyStart V3 (V2012 and V2017), Nucleus Source Code, and Nucleus NET for Nucleus PLUS (V1 and V2). Siemens has released a patch for Nucleus ReadyStart V3 V2017 but has not released patches for V2012 or Nucleus NET, which are end-of-life products.

What this means
What could happen
An attacker can send incomplete FTP connection requests to crash or hang devices running the vulnerable Nucleus RTOS FTP server, causing a denial of service that disrupts any control system or automation platform relying on that device for communication or operations.
Who's at risk
Water authorities, electric utilities, and industrial manufacturers using Siemens Nucleus RTOS-based devices and platforms should assess whether they run the FTP networking component. This impacts embedded controllers, PLCs, and real-time automation systems that depend on Nucleus for communication and process control. Organizations with legacy Nucleus ReadyStart V2012 systems or any Nucleus NET deployments face unpatched risk.
How it could be exploited
An attacker with network access to the FTP service port sends malformed or incomplete FTP connection requests that cause the server to leak memory resources. After multiple requests, available memory is exhausted and the device becomes unresponsive or restarts.
Prerequisites
  • Network access to the FTP server port (default port 21)
  • FTP server enabled on the Nucleus RTOS device
  • No authentication required to trigger the vulnerability
Remotely exploitableNo authentication requiredLow complexity attackNo patch available for most affected productsAffects real-time operating systems and control platforms
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Affected products (5)
1 with fix1 pending3 EOL
ProductAffected VersionsFix Status
Nucleus Source CodeAll versions including affected FTP serverNo fix yet
Nucleus NET for Nucleus PLUS V1<V5.2aNo fix (EOL)
Nucleus NET for Nucleus PLUS V2<V5.4No fix (EOL)
Nucleus ReadyStart V3 V2012<V2012.08.1No fix (EOL)
Nucleus ReadyStart V3 V2017<V2017.02.4V2017.02.4 with patch 2017.02.4_patch_CVE-2022-38371
Remediation & Mitigation
0/6
Do now
0/2
Nucleus ReadyStart V3 V2012
WORKAROUNDFor Nucleus ReadyStart V3 V2012 and Nucleus NET where no patches are available, set TCP_MAX_KEEPALIVES configuration parameter to 3
WORKAROUNDFor Nucleus ReadyStart V3 V2012 and Nucleus NET where no patches are available, set TCP_KEEPALIVE_INTERVAL and TCP_KEEPALIVE_DELAY to 3 seconds
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

Nucleus ReadyStart V3 V2017
HOTFIXUpdate Nucleus ReadyStart V3 V2017 to version 2017.02.4 and apply the patch 2017.02.4_patch_CVE-2022-38371
Nucleus Source Code
HOTFIXContact Siemens for update information on Nucleus Source Code affected versions
All products
HOTFIXRebuild and redeploy applications with the configuration changes
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: Nucleus NET for Nucleus PLUS V1, Nucleus NET for Nucleus PLUS V2, Nucleus ReadyStart V3 V2012. Apply the following compensating controls:
HARDENINGImplement network segmentation and firewall rules to restrict FTP port access to only trusted administrative workstations
View full CISA ICS-CERT advisory
API: /api/v1/advisories/45e66013-2358-4c52-9abd-4ce1cde4119d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.