OTPulse

Predictable Initial Sequence Numbers in the TCP/IP Stack of Nucleus RTOS

Monitor
CVSS 6.5
Siemens advisory SSA-362164
Feb 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Nucleus NET networking component of the Nucleus Real-Time Operating System generates predictable initial sequence numbers (ISNs) for TCP connections. An attacker with network access can therefore guess the sequence number a device will use for a connection they cannot observe, and use it to spoof connections, hijack existing TCP sessions, or inject data into networked devices. Affected products are Nucleus NET (all versions < V5.2), Nucleus ReadyStart V3 (all versions < V2012.12), and Nucleus Source Code (all versions). Siemens has released a fix for Nucleus ReadyStart V3 (V2012.12 and later) but has not provided patches for Nucleus NET or for the source code product.

What this means
What could happen
An attacker with network access could predict the TCP sequence numbers a vulnerable device will use and forge segments that the device accepts as part of a legitimate connection. That allows spoofing a session from a trusted address, hijacking an existing session, injecting data or commands, or disrupting communications with devices running older versions of Nucleus RTOS, potentially affecting PLCs, RTUs, and other embedded control systems.
Who's at risk
Water utilities and electric utilities running embedded control systems, PLCs, RTUs, or other industrial devices that use Nucleus RTOS for networking should assess their equipment inventories. Siemens automation controllers, I/O modules, and legacy embedded systems with Nucleus NET are at risk.
How it could be exploited
An attacker with network access opens a few TCP connections of their own to a device running a vulnerable Nucleus stack and records the initial sequence numbers in its SYN-ACK replies. Because the ISN generator is predictable, those samples reveal the sequence number the device will assign to the next connection, including one the attacker cannot see. The attacker then forges TCP segments carrying that sequence number and a trusted host's source address: either completing a three-way handshake blind to open a spoofed session, or injecting data into a session between the device and that host. An attacker who can already observe the victim's traffic can hijack TCP regardless of how ISNs are chosen; the predictable generator is what extends the attack to an off-path attacker who never sees the device's replies.
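As an added example (not code from this page or from Siemens), the following Python script shows the check a practitioner would run against a device suspected of this weakness: it pulls ISNs out of tcpdump SYN-ACK lines, extrapolates the next one from the observed deltas, and measures how often a blind guess lands against two simulated generators, a counter-style scheme and an RFC 6528 style clock-plus-keyed-hash scheme. The sample capture lines, the 192.0.2.x addresses, port 502, and both generator classes are constructed for illustration; the counter scheme is a generic weak design and is not a description of how Nucleus NET actually computes ISNs.

```python
"""Checking a TCP stack for predictable ISNs (hypothetical example code).

Two simulated ISN generators stand in for a device under test, and a small
"attacker" tries to guess the ISN the device will assign to a connection it
cannot see. The weak generator is a generic counter scheme chosen for
illustration and is NOT a description of the Nucleus NET algorithm.
"""
import hashlib
import os
import re
import struct
from typing import List, Optional, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# tcpdump prints a SYN-ACK as "... Flags [S.], seq <ISN>, ack <n>, ..."
SYNACK_RE = re.compile(r"Flags \[S\.\], seq (\d+),")


def isns_from_tcpdump(lines) -> List[int]:
    """Collect the device's ISNs from tcpdump output, one per SYN-ACK."""
    found = []
    for line in lines:
        m = SYNACK_RE.search(line)
        if m:
            found.append(int(m.group(1)))
    return found


def predict_next(isns: List[int]) -> Tuple[int, int]:
    """Extrapolate the next ISN from the median inter-connection delta.
    Returns (prediction, spread); a small spread means the deltas are nearly
    constant, i.e. the generator behaves like a counter or a clock."""
    if len(isns) < 2:
        raise ValueError("need at least two observed ISNs")
    deltas = sorted((b - a) % MOD for a, b in zip(isns, isns[1:]))
    return (isns[-1] + deltas[len(deltas) // 2]) % MOD, deltas[-1] - deltas[0]


def within(actual: int, predicted: int, tolerance: int) -> bool:
    """True if the guess is within `tolerance` of the real ISN on the 32-bit ring."""
    diff = (actual - predicted) % MOD
    return diff <= tolerance or diff >= MOD - tolerance


class WeakISN:
    """Hypothetical weak scheme: a global counter (previous ISN + fixed step)
    that ignores the connection 4-tuple entirely."""

    def __init__(self, seed: int = 0x1000, step: int = 64000):
        self.value, self.step = seed % MOD, step

    def next(self, *_tuple) -> int:
        self.value = (self.value + self.step) % MOD
        return self.value


class Rfc6528ISN:
    """ISN = M + F(4-tuple, secret): a clock plus a keyed-hash offset (RFC 6528)."""

    def __init__(self, secret: Optional[bytes] = None, tick: int = 250_000):
        self.secret = os.urandom(16) if secret is None else secret
        self.clock, self.tick = 0, tick

    def next(self, lip, lport, rip, rport) -> int:
        self.clock = (self.clock + self.tick) % MOD  # M advances with time
        msg = f"{lip}:{lport}>{rip}:{rport}".encode() + self.secret
        f = struct.unpack(">I", hashlib.sha256(msg).digest()[:4])[0]
        return (self.clock + f) % MOD


def hit_rate(gen, trials: int = 20, probes: int = 4, tolerance: int = 1024) -> float:
    """Fraction of spoofed connections whose ISN the attacker guessed.
    Each trial: the attacker opens `probes` connections from its own address
    (same 4-tuple each time, so only generator state changes), extrapolates,
    and then a connection from a trusted host's address arrives. The attacker
    never sees that SYN-ACK, so a blind handshake succeeds only if the guess
    was right. Addresses are constructed (RFC 5737 documentation range)."""
    device, trusted, attacker = "192.0.2.10", "192.0.2.20", "192.0.2.66"
    hits = 0
    for i in range(trials):
        seen = [gen.next(device, 502, attacker, 40000) for _ in range(probes)]
        guess, _ = predict_next(seen)
        actual = gen.next(device, 502, trusted, 1024 + i)  # the spoofed connection
        hits += within(actual, guess, tolerance)
    return hits / trials


# Constructed tcpdump-style sample, not a real capture: three SYN-ACKs from a
# device on port 502 whose ISNs climb by a fixed 64000 per connection.
SAMPLE_TCPDUMP = """\
12:00:01.000 IP 192.0.2.10.502 > 192.0.2.66.40001: Flags [S.], seq 1000064000, ack 3141592654, win 4096, length 0
12:00:02.000 IP 192.0.2.10.502 > 192.0.2.66.40002: Flags [S.], seq 1000128000, ack 2718281829, win 4096, length 0
12:00:03.000 IP 192.0.2.10.502 > 192.0.2.66.40003: Flags [S.], seq 1000192000, ack 1618033989, win 4096, length 0
"""

if __name__ == "__main__":
    isns = isns_from_tcpdump(SAMPLE_TCPDUMP.splitlines())
    guess, spread = predict_next(isns)
    print(f"observed {isns}, delta spread {spread}, next ISN guess {guess}")
    print(f"counter generator:  {hit_rate(WeakISN()):.0%} of blind guesses land")
    print(f"RFC 6528 generator: {hit_rate(Rfc6528ISN()):.0%} of blind guesses land")
```

Against a real device, feed `isns_from_tcpdump` the output of a tcpdump run filtered on SYN-ACKs from the device while you open connections to it in quick succession; a spread near zero means the next ISN is a simple extrapolation. The RFC 6528 generator defeats the attack not by hiding the clock (the attacker's own probes expose it) but by adding a per-4-tuple secret offset that differs for the spoofed connection.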
Prerequisites
  • Network access to the device running Nucleus RTOS
  • Ability to observe or predict TCP session traffic to the target device
  • Device must be running a vulnerable version of Nucleus NET (< V5.2) or Nucleus ReadyStart (< V2012.12)
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • No patch available for Nucleus NET and Nucleus Source Code
  • Affects legacy industrial equipment
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
1 with fix, 2 EOL
Product                 Affected Versions   Fix Status
Nucleus ReadyStart V3   < V2012.12          V2012.12
Nucleus NET             < V5.2              No fix (EOL)
Nucleus Source Code     All versions        No fix (EOL)
Remediation & Mitigation
Do now
Nucleus NET
Hardening: Isolate or air-gap devices running Nucleus NET without available patches from untrusted networks
All products
Hardening: Implement network segmentation and firewall rules to restrict network access to devices running vulnerable Nucleus RTOS versions
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Nucleus NET
Hotfix: Contact Siemens customer support about patch and update options for Nucleus NET (affected versions < V5.2) and the other affected products
Nucleus ReadyStart V3
Hotfix: Update Nucleus ReadyStart V3 to V2012.12 or later