OTPulse

Out of Bounds Write Vulnerabilities (NAME:WRECK) in the DNS Module of Nucleus RTOS

Plan Patch · 8.1 · SSA-185699 · Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

The DNS client in Nucleus NET contains two out of bounds write vulnerabilities in DNS response handling (CWE-787, CWE-823). An attacker can exploit these vulnerabilities to cause denial of service or remote code execution.

What this means
What could happen
An attacker could crash a device running Nucleus RTOS or execute arbitrary code on it by sending malicious DNS responses, potentially disrupting or taking control of industrial equipment that depends on this operating system.
Who's at risk
Operators of industrial equipment and IoT devices running Siemens Nucleus RTOS, particularly embedded systems in manufacturing, utility control systems, and remote monitoring equipment that rely on DNS for network communication.
How it could be exploited
An attacker on the same network or positioned to intercept DNS traffic would send a specially crafted DNS response to a device running Nucleus NET. The DNS client would process the response without proper bounds checking, allowing the attacker to write data outside allocated memory and either crash the device (denial of service) or execute code with device privileges.
Prerequisites
  • Network access to DNS traffic or ability to respond to DNS queries from the affected device
  • Device running Nucleus RTOS with Nucleus NET DNS client enabled
  • Device must issue a DNS query to trigger the vulnerability
remotely exploitable · no authentication required · no patch available for Nucleus NET v5.2 and below · affects embedded systems and control devices
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
1 pending · 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Nucleus Source Code | Versions including affected DNS modules | No fix yet |
| Nucleus NET | < V5.2 | No fix (EOL) |
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation to restrict DNS traffic to authorized DNS servers only; block or filter unexpected DNS responses
  • HARDENING: Deploy DNS query monitoring and anomaly detection to identify suspicious or malformed DNS responses before they reach affected devices
  • HARDENING: Restrict outbound DNS queries from Nucleus RTOS devices to known-good, controlled DNS resolvers on your network
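
One way to implement the malformed-response check that the monitoring item above calls for, as an added example (not OTPulse or Siemens code). It applies the structural limits of RFC 1035 to a raw DNS message; the advisory does not say which fields the Nucleus flaws involve, so the checks are generic, and `skip_name`, `check_response` and `SAMPLE_OK` are hypothetical names.

```python
import struct

def skip_name(pkt, off):
    """Walk the domain name at off; return the offset just past it."""
    total, end = 0, None
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[off]
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if off + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            target = ((n & 0x3F) << 8) | pkt[off + 1]
            # must land in earlier message data, after the 12-byte header
            if target < 12 or target >= off:
                raise ValueError("compression pointer outside earlier message data")
            end = off + 2 if end is None else end
            off = target
        elif n & 0xC0:
            raise ValueError("reserved label type")
        elif n == 0:
            return off + 1 if end is None else end
        else:
            total += n + 1
            if total > 254:  # 255-octet name limit, root byte included
                raise ValueError("name longer than 255 octets")
            off += n + 1

def check_response(pkt):
    """Return the first structural defect found, or None if none is found."""
    if len(pkt) < 12:
        return "shorter than the 12-byte DNS header"
    qd, an, ns, ar = struct.unpack("!4H", pkt[4:12])
    try:
        off = 12
        for _ in range(qd):
            off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(pkt, off) + 10  # TYPE, CLASS, TTL, RDLENGTH
            if off > len(pkt):
                raise ValueError("record header runs past end of packet")
            off += struct.unpack("!H", pkt[off - 2:off])[0]  # skip RDATA
        if off > len(pkt):
            raise ValueError("section data runs past end of packet")
    except ValueError as e:
        return str(e)
    return None

# Constructed sample: well-formed response for "a.example" A 192.0.2.1
SAMPLE_OK = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x01a\x07example\x00\x00\x01\x00\x01"
             b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
```

A non-`None` result is a reason to drop the response at the filtering point, or at least to alert on it, before it reaches a Nucleus device.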
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Contact Siemens customer support for patch and update availability for your specific Nucleus RTOS products and versions
API: /api/v1/advisories/2ef2f4f7-5e35-4c99-a656-caa858f16aaa