Input Validation Vulnerability in the DHCP Client of Nucleus RTOS
Priority: Plan Patch · CVSS base score: 7.1 · Advisory: SSA-434032 · Published: Nov 12, 2019
Attack Vector: Adjacent network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The DHCP client in Nucleus RTOS contains an input validation flaw that allows an attacker on the local network to send a malformed DHCP response, causing the affected device to assign itself an invalid IP address. This results in loss of network connectivity and the device becoming unreachable until reconfigured or rebooted.
What this means
What could happen
An attacker on the local network could cause a device to configure an invalid IP address, so that it loses network connectivity or becomes unreachable. That can interrupt communication with remote monitoring systems or SCADA servers, or prevent the device from receiving critical control commands, until the device is reconfigured or rebooted.
Who's at risk
This affects devices and embedded systems built on Siemens Nucleus RTOS and used in industrial automation, including the Capital Embedded AR Classic products and any system that uses the Nucleus NET networking stack. It matters to water authorities and utilities that run Siemens automation controllers, remote I/O devices, or embedded systems that rely on dynamic IP configuration in their SCADA or process control networks.
How it could be exploited
An attacker on the same network segment sends a specially crafted DHCP response carrying invalid data. The device's DHCP client does not validate the response before applying it, configures the invalid IP address, and drops off the network. No reply from the victim is needed, so the attacker only has to be able to deliver a DHCP packet to the device.
Prerequisites
- Network access to the local network segment where the device operates
- Device must be configured to use DHCP (not static IP)
- No authentication required
In short:
- Exploitable over the network from the same local segment (attack vector: adjacent)
- No authentication required
- Low attack complexity
- Impact on availability (loss of network connectivity)
- Some affected products have no fix available
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5): 2 with fix, 3 EOL

Product                              Affected versions   Fix status
Capital Embedded AR Classic R20-11   < V2303             Fixed in V2303
Nucleus ReadyStart V3                < V2017.02.3        Fixed in V2017.02.3
Capital Embedded AR Classic 431-422  All versions        No fix (EOL)
Nucleus NET                          All versions        No fix (EOL)
Nucleus Source Code                  All versions        No fix (EOL)
Remediation & Mitigation

Do now
- WORKAROUND: Configure devices to use static IP addresses instead of DHCP where possible. A running DHCP client is a prerequisite for the attack, so a statically addressed device removes the attack vector entirely.
- HARDENING: Restrict DHCP traffic with firewall rules so that only replies from trusted DHCP servers reach the devices. Note that filtering at the network boundary only stops replies coming from outside the segment; the attack vector is adjacent, so an attacker already on the same segment is only stopped by an on-segment control (DHCP snooping on the access switches, which likewise allows server replies only from trusted ports) or by the static-IP workaround above.

Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
- Capital Embedded AR Classic R20-11: HOTFIX: update to version V2303 or later.
- Nucleus ReadyStart V3: HOTFIX: update to version V2017.02.3 or later.
- Capital Embedded AR Classic 431-422, Nucleus NET and Nucleus Source Code: contact Siemens customer support to obtain patch information and workarounds.

Mitigations (no patch available)
The following products have reached End of Life with no planned fix: Capital Embedded AR Classic 431-422, Nucleus NET, Nucleus Source Code. Apply the following compensating controls:
- HARDENING: Segment OT devices onto networks separate from untrusted systems, and monitor those networks for unexpected DHCP replies: any OFFER or ACK whose server identifier is not one of the known DHCP servers, or that hands out an address outside the expected range, should raise an alert.
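A worked example of the two checks this page calls for, added here and not taken from the Siemens advisory or from Nucleus NET: a small Python DHCP reply inspector that (a) performs the validation the vulnerable client is described as lacking, rejecting a reply whose offered address is not a usable host address in the expected subnet, whose subnet mask is malformed, or whose option list is truncated, and (b) flags replies whose server identifier is not on a trusted-server allow-list, which is what a passive DHCP monitor on the OT segment would alert on. The allow-list, the expected network 192.168.10.0/24, the sample packets and the build_reply() helper are constructed for the example; the parser follows the RFC 2131 message layout, not any vendor code.

```python
"""Inspect DHCP server replies (OFFER/ACK/NAK) the way a hardened client or a
passive monitor should: parse defensively, then reject implausible addresses
and replies from servers that are not on the allow-list.
Added example for this advisory page; not Nucleus NET code. All sample data
below is constructed for the example."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options field
OPT_PAD, OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 1, 53, 54, 255
MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
BOOTREPLY = 2


def parse_dhcp(pkt: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list.

    Every length byte is checked against the real buffer before use; anything
    truncated, unterminated or lacking the magic cookie raises ValueError
    instead of being acted on."""
    if len(pkt) < 240:
        raise ValueError("shorter than BOOTP header plus magic cookie")
    op = pkt[0]
    xid = struct.unpack_from("!I", pkt, 4)[0]
    yiaddr = ipaddress.IPv4Address(pkt[16:20])   # 'your' address offered to the client
    siaddr = ipaddress.IPv4Address(pkt[20:24])   # next-server address
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError(f"option {code} has no length byte")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        opts[code] = value
        i += 2 + length
    else:
        raise ValueError("option list not terminated by END")
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr, "options": opts}


def check_reply(pkt: bytes, trusted_servers: set, expected_net: str) -> list:
    """Return the reasons a reply must be rejected; an empty list means accept.

    trusted_servers: allow-list of DHCP server identifiers (dotted quads).
    expected_net:    the subnet the device is supposed to live in."""
    try:
        msg = parse_dhcp(pkt)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    problems = []
    if msg["op"] != BOOTREPLY:
        problems.append("op field is not BOOTREPLY")
    mtype = msg["options"].get(OPT_MSG_TYPE, b"")
    if len(mtype) != 1 or mtype[0] not in MSG_TYPES:
        problems.append("missing or unknown DHCP message type")
        return problems
    kind = MSG_TYPES[mtype[0]]
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        problems.append("missing or malformed server identifier")
    elif str(ipaddress.IPv4Address(sid)) not in trusted_servers:
        problems.append(f"server identifier {ipaddress.IPv4Address(sid)} not in allow-list")
    if kind in ("OFFER", "ACK"):           # only these carry an address to apply
        net = ipaddress.IPv4Network(expected_net)
        ip = msg["yiaddr"]
        unusable = (ip.is_unspecified or ip.is_multicast or ip.is_loopback
                    or ip in (net.network_address, net.broadcast_address)
                    or ip == ipaddress.IPv4Address("255.255.255.255"))
        if unusable:
            problems.append(f"yiaddr {ip} is not a usable host address")
        elif ip not in net:
            problems.append(f"yiaddr {ip} is outside expected network {net}")
        mask = msg["options"].get(OPT_SUBNET_MASK)
        if mask is not None:
            try:
                if len(mask) != 4:
                    raise ValueError
                ipaddress.IPv4Network(f"0.0.0.0/{ipaddress.IPv4Address(mask)}")  # rejects non-contiguous masks
            except ValueError:
                problems.append("subnet mask option is not a valid contiguous mask")
    return problems


def build_reply(msg_type: int, yiaddr: str, server_id: str, extra_opts: bytes = b"") -> bytes:
    """Build a minimal BOOTREPLY for testing (constructed data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0)  # op,htype,hlen,hops,xid,secs,flags
    hdr += ipaddress.IPv4Address("0.0.0.0").packed        # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed           # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed        # siaddr
    hdr += ipaddress.IPv4Address("0.0.0.0").packed        # giaddr
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10   # chaddr, padded to 16 bytes
    hdr += b"\x00" * 192                                  # sname (64) + file (128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + DHCP_MAGIC + opts + extra_opts + bytes([OPT_END])


if __name__ == "__main__":
    trusted, net = {"192.168.10.1"}, "192.168.10.0/24"   # assumed site values
    samples = {
        "legit ACK":    build_reply(5, "192.168.10.50", "192.168.10.1", bytes([OPT_SUBNET_MASK, 4, 255, 255, 255, 0])),
        "rogue ACK":    build_reply(5, "192.168.10.255", "192.168.10.200"),
        "zero address": build_reply(5, "0.0.0.0", "192.168.10.1"),
        "bad length":   build_reply(5, "192.168.10.50", "192.168.10.1", bytes([OPT_SUBNET_MASK, 40, 0, 0])),
    }
    for name, pkt in samples.items():
        print(f"{name:13s} -> {check_reply(pkt, trusted, net) or 'accept'}")
```

Used as a monitor, feed check_reply() the UDP payload of port 67/68 traffic from a mirror port and alert on any non-empty result; used as the client-side check, a non-empty result means the reply is discarded rather than applied. The parser refuses option lengths that run past the buffer and unterminated option lists instead of trusting the length bytes, which is the kind of input validation the summary says the affected client lacks.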
CVEs (1)
API:
/api/v1/advisories/926fcda0-a5a2-4d89-894b-96506d536693