Multiple Vulnerabilities (NUCLEUS:13) in the TCP/IP Stack of Nucleus RTOS
Priority: Act Now
CVSS score: 9.8
Siemens advisory: SSA-044112
Published: Nov 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in the TCP/IP stack and related services (FTP, TFTP) of Nucleus NET, the networking component in Nucleus Real-Time Operating System (RTOS). The vulnerabilities involve memory corruption, integer overflow, buffer overflows, and type confusion in the network protocol handlers. Affects Nucleus NET (all versions), Nucleus ReadyStart V3 (< V2017.02.4), Nucleus ReadyStart V4 (< V4.1.1), and Nucleus Source Code (all versions).
What this means
What could happen
An attacker with network access to a device running Nucleus RTOS could send specially crafted network packets to execute arbitrary code, completely compromising the device and any processes it controls. This could lead to unauthorized control of industrial equipment, process interruption, or safety hazards.
Who's at risk
Any organization using Nucleus RTOS for embedded controllers in industrial automation, power systems, water treatment, manufacturing, or other critical infrastructure. Particularly affects legacy devices using Nucleus NET where no firmware update is available. ReadyStart users can patch, but NET and Source Code users cannot obtain fixes and must rely on network isolation.
How it could be exploited
An attacker on the network sends malformed TCP/IP packets (via FTP, TFTP, or raw TCP/IP) to the Nucleus NET stack. The stack fails to properly validate packet structure, triggering memory corruption or buffer overflow conditions. The attacker achieves code execution and gains full control of the RTOS kernel and running applications.
Prerequisites
- Network access to the device running Nucleus RTOS (no authentication required)
- Device must be directly reachable via TCP/IP
- No special privileges or credentials needed
Key facts:
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS (9.8 critical)
- Multiple vulnerability types (memory corruption, integer overflow, buffer overflow)
- No patch available for Nucleus NET or Source Code
- Affects real-time operating system core
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (4)
2 with fix, 2 EOL
Product | Affected Versions | Fix Status
Nucleus ReadyStart V3 | < V2017.02.4 | 2017.02.4
Nucleus ReadyStart V4 | < V4.1.1 | 4.1.1
Nucleus NET | All versions | No fix (EOL)
Nucleus Source Code | All versions | No fix (EOL)
Remediation & Mitigation
Do now
Nucleus NET
HARDENING: For Nucleus NET and Nucleus Source Code (no patch available): isolate affected devices from untrusted networks using network segmentation or air-gapping
All products
WORKAROUND: Implement strict firewall rules to block inbound TCP/IP traffic to Nucleus RTOS devices except from trusted engineering networks
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
Nucleus ReadyStart V3
HOTFIX: Update Nucleus ReadyStart V3 to version 2017.02.4 or later
Nucleus ReadyStart V4
HOTFIX: Update Nucleus ReadyStart V4 to version 4.1.1 or later
Long-term hardening
Nucleus NET
HOTFIX: Contact Siemens customer support regarding patch availability for Nucleus NET and Source Code versions
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Nucleus NET, Nucleus Source Code. Apply the following compensating controls:
HARDENING: Disable FTP and TFTP services if not required for device operation
CVEs (13)