Denial of Service Vulnerability in the FTP Server of Nucleus RTOS
Plan Patch | 7.5 | SSA-313313 | Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The FTP server component (Nucleus NET) in Nucleus RTOS does not properly release memory resources during incomplete FTP client connections. A remote attacker can exploit this by sending a series of incomplete connection attempts to exhaust available memory, causing a denial of service condition. The vulnerability affects Nucleus PLUS V1 (versions before V5.2a), Nucleus PLUS V2 (versions before V5.4), and Nucleus ReadyStart V3 V2012 (before V2012.08.1) and V2017 (before V2017.02.4). Siemens has released updates for affected products; however, the Nucleus Source Code itself has no fix available.
What this means
What could happen
An attacker could flood the FTP server with incomplete connection attempts, exhausting available memory and causing the device to become unresponsive or crash, interrupting critical operations that depend on the Nucleus RTOS.
Who's at risk
Equipment manufacturers and operators using Siemens Nucleus RTOS (particularly Nucleus PLUS and Nucleus ReadyStart V3) in embedded control systems, industrial controllers, or any networked device should assess their inventory. This affects any systems where the FTP server is enabled for remote access or file transfer operations.
How it could be exploited
An attacker sends a series of incomplete FTP connection requests to port 21 from the network. The vulnerable FTP server fails to properly release memory for each dropped connection, gradually exhausting system memory until the device can no longer function.
Prerequisites
- Network reachability to FTP port 21 on the affected device
- Device running a vulnerable version of Nucleus RTOS with Nucleus NET FTP server enabled
- No authentication required to initiate FTP connections
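
Added example (not part of the advisory and not vendor code): a defender-side check that counts incomplete connections to FTP port 21 per source in a sliding window, the traffic pattern described above. It assumes a simplified, constructed subset of Zeek conn.log columns; the window, the threshold, and treating every conn_state other than SF as "incomplete" are assumptions, since the advisory does not say at which stage the connection must be abandoned.

```python
from collections import defaultdict, deque

FTP_PORT = 21
COMPLETE_STATES = {"SF"}  # Zeek conn_state for normal establishment and termination
WINDOW_SECONDS = 60       # assumed sliding window
THRESHOLD = 5             # assumed alert threshold per (source, device) pair

# Constructed sample (not captured traffic): ts, id.orig_h, id.resp_h, id.resp_p, conn_state
SAMPLE_LOG = "\n".join(
    [f"{1000 + 2 * i}.0\t198.51.100.7\t192.0.2.10\t21\tS1" for i in range(8)]
    + [
        "1003.0\t192.0.2.50\t192.0.2.10\t21\tSF",    # completed session
        "1005.0\t192.0.2.50\t192.0.2.10\t21\tRSTO",  # single aborted session
        "1006.0\t198.51.100.7\t192.0.2.10\t80\tS0",  # not FTP, ignored
    ]
)


def parse(log_text):
    """Yield (ts, src, dst, port, state), skipping comments and malformed rows."""
    for line in log_text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != 5:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]
        except ValueError:
            continue


def find_incomplete_bursts(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(src, dst): peak number of incomplete FTP connections in one window}."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, src, dst, port, state in sorted(parse(log_text)):
        if port != FTP_PORT or state in COMPLETE_STATES:
            continue
        times = recent[(src, dst)]
        times.append(ts)
        while ts - times[0] > window:  # drop events older than the window
            times.popleft()
        if len(times) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(times))
    return peaks


if __name__ == "__main__":
    for (src, dst), peak in find_incomplete_bursts(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:21 peak {peak} incomplete connections in {WINDOW_SECONDS}s")
```

Tune the window and threshold against normal FTP usage on the segment before alerting on the result.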
remotely exploitable, no authentication required, low complexity, affects availability of critical systems, no patch available for all versions
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (5)
4 with fix, 1 EOL
Product | Affected Versions | Fix Status
Nucleus NET for Nucleus PLUS V1 | < V5.2a | V5.2a (V1.15) with patch v2022.11
Nucleus NET for Nucleus PLUS V2 | < V5.4 | V5.4 (V2.1f) with patch v2022.11
Nucleus ReadyStart V3 V2012 | < V2012.08.1 | V2012.08.1 with patch v2022.11
Nucleus ReadyStart V3 V2017 | < V2017.02.4 | V2017.02.4 with patch 2017.02.4_patch_CVE-2022-38371
Nucleus Source Code | Versions including affected FTP server | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: If immediate patching is not possible, disable or restrict FTP access on affected devices by implementing network firewall rules to block inbound FTP port 21 traffic until patches can be applied
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Nucleus ReadyStart V3 V2012
HOTFIX: Update Nucleus ReadyStart V3 V2012 to version V2012.08.1 and apply patch v2022.11
Nucleus ReadyStart V3 V2017
HOTFIX: Update Nucleus ReadyStart V3 V2017 to version V2017.02.4 and apply patch 2017.02.4_patch_CVE-2022-38371
All products
HOTFIX: Update Nucleus PLUS V1 to version V5.2a (available in V1.15) and apply patch v2022.11
HOTFIX: Update Nucleus PLUS V2 to version V5.4 (available in V2.1f) and apply patch v2022.11
Mitigations - no patch available
Nucleus Source Code has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment devices running Nucleus RTOS from untrusted networks to reduce exposure to potential attackers who could launch denial of service attacks
CVEs (1)