OTPulse

Predictable UDP Port Number Vulnerability (NAME:WRECK) in the DNS Module of Nucleus RTOS

Monitor · CVSS 5.3 · Siemens advisory SSA-201384 · Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The DNS client in Nucleus NET, the networking component of the Nucleus real-time operating system, uses predictable UDP source port numbers for the DNS queries it sends. A DNS client only accepts a response whose destination port and transaction ID match a query it has in flight, so a predictable source port removes one of the two values an attacker would otherwise have to guess. This lets an attacker inject forged responses, poisoning the DNS cache or spoofing name resolution. The vulnerability is part of the "NAME:WRECK" set of DNS implementation flaws.

What this means
What could happen
An attacker could poison the DNS cache on devices running vulnerable Nucleus RTOS, causing hostnames of SCADA servers, historians, or operator and engineering stations to resolve to attacker-controlled addresses. Traffic that follows the poisoned name is then redirected to the attacker, who can disrupt normal operations or act as a man-in-the-middle and inject commands into the redirected sessions.
Who's at risk
Any facility running Siemens Nucleus RTOS-based embedded devices (controllers, RTUs, communication gateways) whose firmware relies on DNS to resolve remote server hostnames, especially SCADA endpoints, historian connections, or remote engineering workstations. Affected sectors include industrial automation, power systems, water treatment, and manufacturing.
How it could be exploited
An attacker with network access to the same network segment sends forged DNS responses to devices running the vulnerable Nucleus RTOS DNS client. Because the client's source port is predictable, the attacker can address the forged response to the right port without seeing the query; only the 16-bit transaction ID still has to be matched, which a flood of candidate responses can cover. If a forged response that matches the outstanding query arrives before the legitimate resolver's answer, the client accepts and caches it, poisoning resolution for critical infrastructure hostnames. An attacker who can already observe the device's traffic does not need the prediction at all; the predictable port is what makes the attack feasible for an attacker who cannot see the query.
Prerequisites
  • Network access to the same network segment as the affected device
  • The device uses Nucleus RTOS with the vulnerable DNS module
  • DNS client must be actively performing name resolution queries
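The race described above, as an added example that is not OTPulse's, Siemens' or Nucleus NET's code: a stub resolver that accepts the first answer matching its in-flight (port, transaction ID, name), attacked by an off-path adversary who learns the current port from a lookup it can answer itself and predicts the next one. The "port increments by one" scheme, the hostnames and the addresses are constructed for illustration, not a description of how Nucleus NET actually picks ports; the same model covers any port selection an attacker can predict.

```python
"""Model of blind DNS answer spoofing against a stub resolver whose source
port is predictable versus one that randomizes it (constructed example).
The "port increments by one" scheme is an assumption used to illustrate
predictability, not a description of Nucleus NET's actual port selection."""
import random

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536    # ephemeral source-port range the client draws from
LEGIT_IP = "192.0.2.10"              # what the real resolver would answer (constructed)
EVIL_IP = "203.0.113.66"             # attacker-controlled address (constructed)


class DnsClient:
    """Minimal stub resolver: one query in flight, first matching answer wins."""

    def __init__(self, predictable_port, rng, first_port=PORT_LOW):
        self.predictable_port = predictable_port
        self.rng = rng
        self._next_port = first_port
        self.outstanding = None      # (src_port, txid, qname) of the query in flight
        self.cache = {}

    def send_query(self, qname):
        if self.predictable_port:
            port = self._next_port                # assumed weak scheme: sequential ports
            self._next_port += 1
        else:
            port = self.rng.randrange(PORT_LOW, PORT_HIGH)   # RFC 5452 port randomization
        txid = self.rng.randrange(TXID_SPACE)
        self.outstanding = (port, txid, qname)
        return self.outstanding

    def receive_response(self, dst_port, txid, qname, rdata):
        """Accept an answer only if destination port, transaction ID and question
        all match the query in flight; later answers for the same query are dropped."""
        if self.outstanding is None or (dst_port, txid, qname) != self.outstanding:
            return False
        self.cache[qname] = rdata
        self.outstanding = None
        return True


def attacker_guess_space(port_predictable):
    """(port, txid) combinations a blind attacker has to cover per query."""
    ports = 1 if port_predictable else PORT_HIGH - PORT_LOW
    return ports * TXID_SPACE


def spoof_success_probability(port_predictable, guesses):
    """Chance that a flood of `guesses` distinct forged answers hits the query in flight."""
    return min(1.0, guesses / attacker_guess_space(port_predictable))


def spoof_attempt(client, target, max_guesses=TXID_SPACE):
    """One race. The attacker first provokes a lookup it can answer itself
    (its own zone) to learn the client's current port, predicts the next one,
    then floods forged answers for `target` with successive transaction IDs.
    Returns True if the attacker's record ended up in the cache."""
    bait = "bait.attacker.invalid"
    bait_port, bait_txid, _ = client.send_query(bait)
    client.receive_response(bait_port, bait_txid, bait, EVIL_IP)   # attacker's own authoritative reply
    guessed_port = bait_port + 1                                    # predictor for the assumed scheme

    client.send_query(target)
    for txid in range(min(max_guesses, TXID_SPACE)):
        if client.receive_response(guessed_port, txid, target, EVIL_IP):
            return True
    port, txid, _ = client.outstanding          # legitimate answer arrives after the flood
    client.receive_response(port, txid, target, LEGIT_IP)
    return False


def run_trials(port_predictable, trials=20, seed=1):
    """Fraction of races the attacker wins against a single client."""
    rng = random.Random(seed)
    client = DnsClient(port_predictable, rng)
    wins = sum(spoof_attempt(client, "historian.plant.invalid") for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for predictable in (True, False):
        print(f"predictable_port={predictable}: "
              f"analytic={spoof_success_probability(predictable, TXID_SPACE):.2e} "
              f"simulated={run_trials(predictable):.2f}")
```

With the port known, a sweep of all 65536 transaction IDs wins every race in the model; with a randomized port the same flood covers about one part in 64512 of the search space, which is why RFC 5452 treats source-port randomization as a required defence rather than an optimization.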
Tags: remotely exploitable · no authentication required · low complexity · affects DNS resolution across OT networks · no patch available for Nucleus NET and Nucleus Source Code
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3): 1 with fix, 2 EOL

Product               | Affected Versions                       | Fix Status
Nucleus ReadyStart V3 | < V2013.08                              | Fixed in V2013.08
Nucleus Source Code   | Versions including affected DNS modules | No fix (EOL)
Nucleus NET           | All versions                            | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Nucleus NET, Nucleus Source Code
HOTFIX: Contact Siemens customer support for patch information and updates for Nucleus NET and Nucleus Source Code.
Nucleus ReadyStart V3
HOTFIX: Update Nucleus ReadyStart V3 to version V2013.08 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Nucleus Source Code, Nucleus NET. Apply the following compensating controls:
HARDENING: Segment the network so that affected devices can exchange DNS traffic only with the authorized resolvers, and filter inbound UDP/53 responses that do not come from those resolvers. Source-address filtering alone does not stop a forged response that carries the resolver's own address, so a stateful firewall that only passes responses to an observed outbound query is the stronger control, and static host entries in place of DNS are preferable for critical OT endpoints where the device supports them.
HARDENING: Monitor DNS queries and responses for signs of spoofing: responses whose transaction ID or destination port matches no outstanding query, several responses to one query carrying different answers, and bursts of responses aimed at a single client port. Inventory clients whose query source ports advance predictably, since those are the ones this flaw exposes.
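The monitoring control above, as an added example that is not OTPulse's or Siemens' code: a detection pass over a constructed, Zeek-style per-packet DNS log that inventories clients whose query source ports advance predictably and flags responses that match no query in flight or that conflict with an answer already received. Field layout, addresses, hostnames and transaction IDs are all constructed; the three responses at t=3.01 model a flood of forged answers whose source address is spoofed to look like the resolver.

```python
"""Detection pass over DNS query/response records for the two symptoms of
port-prediction attacks: clients whose source ports are predictable, and
answers that do not match any query in flight (constructed example)."""
from collections import defaultdict

# Constructed sample log, one packet per line:
# ts  src_ip  src_port  dst_ip  dst_port  txid  qname  kind(Q/R)  rdata
# The three answers at 3.01 are forged (source address spoofed as the resolver).
SAMPLE_LOG = """\
1.00 10.0.0.20 1025 10.0.0.53 53 0x1a2b historian.plant.invalid Q -
1.05 10.0.0.53 53 10.0.0.20 1025 0x1a2b historian.plant.invalid R 192.0.2.10
2.00 10.0.0.20 1026 10.0.0.53 53 0x7e09 scada.plant.invalid Q -
2.04 10.0.0.53 53 10.0.0.20 1026 0x7e09 scada.plant.invalid R 192.0.2.11
3.00 10.0.0.20 1027 10.0.0.53 53 0x3c4d eng-ws.plant.invalid Q -
3.01 10.0.0.53 53 10.0.0.20 1027 0x0001 eng-ws.plant.invalid R 203.0.113.66
3.01 10.0.0.53 53 10.0.0.20 1027 0x0002 eng-ws.plant.invalid R 203.0.113.66
3.01 10.0.0.53 53 10.0.0.20 1027 0x3c4d eng-ws.plant.invalid R 203.0.113.66
3.05 10.0.0.53 53 10.0.0.20 1027 0x3c4d eng-ws.plant.invalid R 192.0.2.12
4.00 10.0.0.30 41873 10.0.0.53 53 0x9f10 historian.plant.invalid Q -
4.05 10.0.0.53 53 10.0.0.30 41873 0x9f10 historian.plant.invalid R 192.0.2.10
5.00 10.0.0.30 55201 10.0.0.53 53 0x2277 scada.plant.invalid Q -
5.04 10.0.0.53 53 10.0.0.30 55201 0x2277 scada.plant.invalid R 192.0.2.11
6.00 10.0.0.30 30912 10.0.0.53 53 0xb3e1 eng-ws.plant.invalid Q -
6.03 10.0.0.53 53 10.0.0.30 30912 0xb3e1 eng-ws.plant.invalid R 192.0.2.12
"""


def parse_log(text):
    """Parse the whitespace-separated records above into dicts, ordered by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, txid, qname, kind, rdata = line.split()
        records.append({"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "txid": int(txid, 16), "qname": qname,
                        "kind": kind, "rdata": rdata})
    return sorted(records, key=lambda r: r["ts"])   # stable: equal timestamps keep file order


def port_predictability(records, min_queries=3):
    """Per client, the fraction of consecutive query source ports that repeat or
    advance by exactly one. Returns {client_ip: fraction} for clients with
    at least min_queries queries."""
    ports = defaultdict(list)
    for r in records:
        if r["kind"] == "Q" and r["dport"] == 53:
            ports[r["src"]].append(r["sport"])
    out = {}
    for ip, ps in ports.items():
        if len(ps) < min_queries:
            continue
        steps = [b - a for a, b in zip(ps, ps[1:])]
        out[ip] = sum(1 for s in steps if 0 <= s <= 1) / len(steps)
    return out


def flag_predictable_clients(records, threshold=0.9):
    """Clients whose source ports are predictable often enough to be worth inventorying."""
    return sorted(ip for ip, f in port_predictability(records).items() if f >= threshold)


def audit_responses(records):
    """Match every response against the queries seen so far.
    unmatched:   responses whose (client, port, txid, qname) fits no query
                 (wrong-txid guesses from a flood look exactly like this)
    conflicting: (query key, first rdata, later rdata) where a second matching
                 answer carried different data, i.e. two parties answered one query.
    Queries are never expired here, which is fine for an offline audit."""
    inflight = {}
    unmatched, conflicting = [], []
    for r in records:
        if r["kind"] == "Q":
            inflight[(r["src"], r["sport"], r["txid"], r["qname"])] = None
            continue
        key = (r["dst"], r["dport"], r["txid"], r["qname"])
        if key not in inflight:
            unmatched.append(r)
        elif inflight[key] is None:
            inflight[key] = r["rdata"]
        elif inflight[key] != r["rdata"]:
            conflicting.append((key, inflight[key], r["rdata"]))
    return unmatched, conflicting


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("predictable-port clients:", flag_predictable_clients(recs))
    unmatched, conflicting = audit_responses(recs)
    for r in unmatched:
        print(f"unmatched response at {r['ts']}: {r['dst']}:{r['dport']} txid=0x{r['txid']:04x}")
    for key, first, later in conflicting:
        print(f"conflicting answers for {key[3]} to {key[0]}:{key[1]}: {first} then {later}")
```

On the constructed log the pass reports 10.0.0.20 as the client with sequential ports, the two wrong-transaction-ID responses as unmatched, and the eng-ws lookup as having received the forged 203.0.113.66 before the legitimate 192.0.2.12. Source-address filtering would have passed all three forged packets, since they carry the resolver's address; the transaction-ID and duplicate-answer checks are what expose them.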