OTPulse

Multiple Vulnerabilities (NUCLEUS:13) in Capital Embedded AR Classic

Plan: Patch
CVSS: 8.2
Siemens advisory: SSA-620288
Published: Dec 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities (NUCLEUS:13) have been identified in the Nucleus RTOS used by Capital Embedded AR Classic. These vulnerabilities include type confusion, improper bounds checking, integer overflow, and other memory safety issues (CWE-843, CWE-1284, CWE-125, CWE-119, CWE-191, CWE-240) that could allow remote code execution or denial of service.

What this means
What could happen
An attacker with network access could exploit these memory safety vulnerabilities to crash the embedded controller or execute arbitrary code, disrupting process control and automation in your industrial system. For the 431-422 model line, for which no patch is available, the device remains vulnerable indefinitely.
Who's at risk
Water authorities, municipal electric utilities, and other critical infrastructure operators using Siemens Capital Embedded AR Classic controllers for process automation, SCADA applications, and distributed control systems are affected. This includes any facility relying on these embedded controllers for real-time process monitoring and automation (431-422 and R20-11 model lines).
How it could be exploited
An attacker on the network sends malformed input or network packets to Capital Embedded AR Classic, triggering a memory safety flaw in the Nucleus RTOS. The vulnerability could allow buffer overflow, integer overflow, or type confusion leading to code execution or denial of service without requiring authentication or user interaction.
Prerequisites
  • Network access to Capital Embedded AR Classic on port 502 (Modbus) or other industrial protocols
  • No credentials required
  • Device must be reachable from the network
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for 431-422 model line
  • High CVSS score (8.2)
  • Affects embedded control systems
Exploitability
Moderate exploit probability (EPSS 2.5%)
Affected products (2): 1 with fix, 1 EOL

Product                               Affected Versions   Fix Status
Capital Embedded AR Classic R20-11    < V2303             Fixed in V2303
Capital Embedded AR Classic 431-422   All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: For the 431-422 model line with no available patch, implement network segmentation to restrict access to Capital Embedded AR Classic to only authorized engineering and HMI networks. Use firewalls or managed switches to prevent untrusted traffic from reaching the device.
WORKAROUND: Contact Siemens technical support for detailed countermeasures and guidance specific to your 431-422 deployments while awaiting future patch releases.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Capital Embedded AR Classic R20-11
HOTFIX: Update Capital Embedded AR Classic R20-11 to firmware version V2303 or later.
Mitigations - no patch available
Capital Embedded AR Classic 431-422 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor Capital Embedded AR Classic systems for suspicious network activity and unexpected process control changes, as no patch is available for 431-422 models.
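The two compensating controls above (an allowlist of engineering/HMI networks, and monitoring for traffic that violates it) can be checked against flow or firewall logs. The following is an added example, not part of this advisory or of any Siemens tooling; the controller address, the authorized subnets and the flow-record format are assumptions chosen for illustration.

```python
import ipaddress
from typing import NamedTuple

# Assumed topology (placeholders, not from the advisory): one controller and
# the only two subnets that are allowed to reach it (engineering and HMI).
CONTROLLER_IP = ipaddress.ip_address("10.20.30.40")
AUTHORIZED_SUBNETS = [
    ipaddress.ip_network("10.20.10.0/24"),  # engineering workstations
    ipaddress.ip_network("10.20.20.0/24"),  # HMI segment
]
MODBUS_PORT = 502  # the Modbus port named in the advisory's prerequisites


class Alert(NamedTuple):
    src: str
    dport: int
    reason: str


def parse_flow(line: str) -> dict:
    """Parse one 'key=value' flow record (constructed format for this example)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def is_authorized(src: ipaddress.IPv4Address) -> bool:
    """True when the source sits inside an allowlisted engineering/HMI subnet."""
    return any(src in net for net in AUTHORIZED_SUBNETS)


def check_flows(lines) -> list:
    """Return one Alert per flow that reaches the controller from outside the allowlist."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow["dst"] != CONTROLLER_IP or is_authorized(flow["src"]):
            continue  # other devices are out of scope; allowlisted sources are fine
        reason = ("unauthorized Modbus client" if flow["dport"] == MODBUS_PORT
                  else "unauthorized access to controller")
        alerts.append(Alert(str(flow["src"]), flow["dport"], reason))
    return alerts


SAMPLE_FLOWS = [  # constructed sample records
    "src=10.20.10.15 dst=10.20.30.40 dport=502",  # engineering -> controller: allowed
    "src=10.20.20.7 dst=10.20.30.40 dport=502",   # HMI -> controller: allowed
    "src=192.168.1.99 dst=10.20.30.40 dport=502",  # corporate LAN -> Modbus: alert
    "src=10.20.10.15 dst=10.20.30.41 dport=502",  # different device: ignored
    "src=172.16.5.5 dst=10.20.30.40 dport=21",    # unauthorized, non-Modbus: alert
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(f"ALERT {alert.reason}: {alert.src} -> port {alert.dport}")
```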