Denial of Service Vulnerabilities in the IPv6 Stack of Nucleus RTOS
Action: Plan Patch | Score: 7.5 | Advisory: SSA-248289 | Published: Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The IPv6 stack in Nucleus NET (part of Nucleus Real-Time Operating System) contains two vulnerabilities in IPv6 header processing that can trigger denial of service conditions. An attacker sending malformed IPv6 packets can cause the embedded device to stop responding, requiring manual restart. Affected products include Capital Embedded AR Classic series and Nucleus ReadyStart V3/V4 systems.
What this means
What could happen
A remote attacker can send specially crafted IPv6 packets to an embedded device running Nucleus RTOS, causing the device to become unresponsive and requiring a manual restart. This directly impacts availability of any process controlled by the affected device.
Who's at risk
Water authorities and electric utilities using Siemens Capital Embedded equipment, or legacy systems built on Nucleus RTOS, to control pumps, substations, PLCs, and embedded network controllers. Specifically impacts Capital Embedded AR Classic devices and any Nucleus ReadyStart systems integrated into SCADA, RTU, or gateway appliances.
How it could be exploited
An attacker on the network (or with network access to the device) sends malformed IPv6 packets to a device running Nucleus NET; because the flaw lies in IPv6 header processing itself, no particular port or service needs to be exposed. The vulnerable IPv6 stack handles these packets incorrectly, enters an infinite loop or resource-exhaustion condition (CWE-835), and stops responding to legitimate commands.
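The advisory attributes the outage to IPv6 header processing entering an infinite loop or resource-exhaustion state (CWE-835). The Python below is an added illustration, not Nucleus NET code and not a description of the actual defect, of what bounded extension-header processing looks like in a defensive stack or packet filter: every length field is checked against the bytes actually received before it is used, the chain walk has a hard cap, and each iteration is guaranteed to make forward progress. The cap value MAX_EXT_HEADERS and the helper names build_ipv6 and ext_header are assumptions for this example; the packets it parses are constructed inline.

```python
"""Bounded IPv6 extension-header walker (illustrative example, not Nucleus NET code)."""
import struct

# Next Header values (RFC 8200, RFC 4302) that introduce a generic extension header.
EXT_HOP_BY_HOP = 0
EXT_ROUTING = 43
EXT_FRAGMENT = 44
EXT_AH = 51
EXT_DEST_OPTS = 60
NO_NEXT_HEADER = 59
EXTENSION_HEADERS = {EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_AH, EXT_DEST_OPTS}

FIXED_HEADER_LEN = 40
# Assumption: a hard cap on chain length chosen for this example; a real stack picks its own.
MAX_EXT_HEADERS = 8


class MalformedPacket(ValueError):
    """Raised when a packet must be dropped instead of processed further."""


def parse_ipv6(packet: bytes) -> dict:
    """Validate the fixed header and walk the extension-header chain with explicit bounds."""
    if len(packet) < FIXED_HEADER_LEN:
        raise MalformedPacket("truncated fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise MalformedPacket("not an IPv6 packet")
    # Payload Length is attacker-controlled; never trust it past the bytes actually received.
    if FIXED_HEADER_LEN + payload_len > len(packet):
        raise MalformedPacket("payload length exceeds received bytes")
    payload = packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + payload_len]

    offset = 0
    chain = []
    while next_header in EXTENSION_HEADERS:
        # Bound 1: an explicit cap on how many headers will be walked.
        if len(chain) >= MAX_EXT_HEADERS:
            raise MalformedPacket("extension header chain too long")
        # Bound 2: the two leading octets must be present before they are read.
        if offset + 2 > len(payload):
            raise MalformedPacket("truncated extension header")
        following, hdr_ext_len = payload[offset], payload[offset + 1]
        if next_header == EXT_FRAGMENT:
            hdr_len = 8                       # fixed size; Hdr Ext Len octet is reserved
        elif next_header == EXT_AH:
            hdr_len = (hdr_ext_len + 2) * 4   # AH counts 32-bit words, minus 2
        else:
            hdr_len = (hdr_ext_len + 1) * 8   # others count 8-octet units, minus 1
        # Bound 3: the whole header must fit before any of it is consumed.
        if offset + hdr_len > len(payload):
            raise MalformedPacket("extension header runs past payload")
        if next_header == EXT_HOP_BY_HOP and chain:
            raise MalformedPacket("Hop-by-Hop header not first in chain")
        chain.append((next_header, hdr_len))
        offset += hdr_len          # hdr_len >= 8, so every iteration makes progress
        next_header = following

    return {
        "src": packet[8:24],
        "dst": packet[24:40],
        "hop_limit": hop_limit,
        "extension_headers": chain,
        "upper_layer": next_header,
        "upper_layer_offset": FIXED_HEADER_LEN + offset,
    }


def is_well_formed(packet: bytes) -> bool:
    """Accept/drop decision a filter or stack would make before deeper processing."""
    try:
        parse_ipv6(packet)
        return True
    except MalformedPacket:
        return False


def build_ipv6(next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Constructed test input: minimal IPv6 packet with all-zero addresses."""
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return fixed + bytes(16) + bytes(16) + payload


def ext_header(following: int) -> bytes:
    """Constructed test input: one minimal 8-octet extension header pointing at `following`."""
    return bytes([following, 0]) + bytes(6)


if __name__ == "__main__":
    good = build_ipv6(EXT_HOP_BY_HOP, ext_header(17) + bytes(8))
    print(parse_ipv6(good)["upper_layer"])   # 17 (UDP)
    nine = b"".join(ext_header(EXT_DEST_OPTS) for _ in range(8)) + ext_header(NO_NEXT_HEADER)
    print(is_well_formed(build_ipv6(EXT_DEST_OPTS, nine)))   # False: chain of 9 exceeds the cap
```

The three bounds together are what make the loop terminate on any input: the chain cap limits iterations, the length checks keep every read inside the received buffer, and the minimum 8-octet advance rules out a zero-progress step. A packet that fails any check is dropped at the parser rather than handed on, which is the behaviour the "Disable IPv6 where not required" and segmentation mitigations approximate from outside the device.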
Prerequisites
- Network access to the device on IPv6 (port/protocol not specified)
- No authentication required
- Device must be configured to accept IPv6 traffic
Key facts: remotely exploitable · no authentication required · low complexity · affects availability (denial of service) · no patch available for some product lines
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6): 3 with fix, 3 EOL

Product                                 Affected Versions   Fix Status
Capital Embedded AR Classic R20-11      < V2303             Fixed in V2303
Nucleus ReadyStart V3                   < V2017.02.4        Fixed in V2017.02.4
Nucleus ReadyStart V4                   < V4.1.0            Fixed in V4.1.0
Capital Embedded AR Classic 431-422     All versions        No fix (EOL)
Nucleus NET                             All versions        No fix (EOL)
Nucleus Source Code                     All versions        No fix (EOL)
Remediation & Mitigation
Do now
Capital Embedded AR Classic 431-422
WORKAROUND: For Capital Embedded AR Classic 431-422 and Nucleus NET with no available fix, contact Siemens support for interim patches and evaluate network segmentation to restrict IPv6 access
All products
HARDENING: Disable IPv6 on devices where it is not operationally required
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Nucleus ReadyStart V3
HOTFIX: Update Nucleus ReadyStart V3 to version 2017.02.4 or later
Nucleus ReadyStart V4
HOTFIX: Update Nucleus ReadyStart V4 to version 4.1.0 or later
Capital Embedded AR Classic R20-11
HOTFIX: Update Capital Embedded AR Classic R20-11 to version 2303 or later
CVEs (2)