OTPulse

Multiple Vulnerabilities (NAME:WRECK) in the DNS Module of Nucleus RTOS

Monitor | CVSS 6.5 | SSA-705111 | Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

The DNS client in Nucleus RTOS (Nucleus NET, Nucleus ReadyStart V3 and V4) contains nine vulnerabilities, known collectively as "NAME:WRECK", in its handling of DNS requests and responses. These include buffer overflows and improper bounds checking (CWE-125, CWE-788), insufficient input validation (CWE-170), and weak random number generation (CWE-330). An attacker can craft malicious DNS responses to cause a denial-of-service condition or read sensitive data from memory. The vulnerabilities affect the DNS client module, which processes DNS queries on the device.

What this means
What could happen
An attacker on the network could craft malicious DNS responses to cause a denial-of-service condition on devices running Nucleus RTOS, disrupting communication with the controller or causing the device to stop processing operations. In some cases, the attacker could also read sensitive data from memory on the affected system.
Who's at risk
This affects any organization using Siemens Nucleus RTOS-based devices, including embedded systems in industrial controllers, communication modules, and real-time operating system deployments in manufacturing, power generation, water treatment, and other critical infrastructure applications. It specifically impacts Nucleus ReadyStart products and devices using the Nucleus NET network stack.
How it could be exploited
An attacker with network access to the device sends a specially crafted DNS response packet. The Nucleus DNS client processes the malformed response without proper validation, either crashing the device or allowing the attacker to read data from memory. This requires the device to be making DNS requests or have a DNS resolver active.
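Added example (not Siemens or OTPulse code, and not a reproduction of the specific NAME:WRECK flaws, which this page does not detail): a strict RFC 1035 check of the kind a DNS client, or a monitoring sensor in front of affected devices, can apply, rejecting any response whose labels, compression pointers or record lengths leave the packet or whose transaction ID does not match the outstanding query. The names `read_name`, `validate_response` and `MalformedDNS` and the sample packet are constructed for illustration.

```python
import struct

class MalformedDNS(ValueError):
    """A length or offset in the message cannot be trusted."""

def read_name(msg: bytes, off: int) -> int:
    """Bounds-check the name at `off`; return the offset just past it."""
    end, total, limit = None, 0, off
    while True:
        if off >= len(msg):
            raise MalformedDNS("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if off + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            target = ((n & 0x3F) << 8) | msg[off + 1]
            if target < 12 or target >= limit:  # strictly backwards => no loops
                raise MalformedDNS("pointer into header, forward, or looping")
            end = off + 2 if end is None else end
            off = limit = target
        elif n == 0:                          # root label ends the name
            return off + 1 if end is None else end
        else:                                 # ordinary label of n bytes
            total += n + 1
            if n > 63 or total > 254 or off + 1 + n > len(msg):
                raise MalformedDNS("label exceeds label, name or message bounds")
            off += 1 + n

def validate_response(msg: bytes, expected_id: int) -> int:
    """Return the record count if every length field stays inside msg."""
    if len(msg) < 12:
        raise MalformedDNS("short header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if txid != expected_id or not flags & 0x8000:
        raise MalformedDNS("not a response to the outstanding query")
    off = 12
    for _ in range(qd):
        off = read_name(msg, off) + 4         # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = read_name(msg, off)
        if off + 10 > len(msg):
            raise MalformedDNS("truncated record header")
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]  # + RDLENGTH
    if off > len(msg):
        raise MalformedDNS("section runs past end of message")
    return an + ns + ar

# Constructed sample: response ID 0x1a2b, "plc.example" A 192.0.2.10.
SAMPLE = bytes.fromhex("1a2b81800001000100000000" "03706c63076578616d706c6500"
                       "00010001" "c00c" "000100010000003c0004" "c000020a")
```

A sensor built on this would log and drop rejected responses before they reach the device; it complements the patching and firewall steps below and does not replace them.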
Prerequisites
  • Network access to the device on the port used for DNS communication (typically UDP port 53)
  • Device must be actively performing DNS queries or have DNS services enabled
  • No authentication required
remotely exploitable, no authentication required, low complexity, affects availability, affects confidentiality, multiple vulnerabilities in one module
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (5)
3 with fix, 2 EOL
Product | Affected Versions | Fix Status
Nucleus ReadyStart V3 | < V2017.02.3 | 2017.02.3
Nucleus ReadyStart V3 | < V2017.02.4 | 2017.02.4
Nucleus ReadyStart V4 | < V4.1.0 | 4.1.0
Nucleus NET | All versions | No fix (EOL)
Nucleus Source Code | Versions including affected DNS modules | No fix (EOL)
Remediation & Mitigation
Do now
Nucleus NET
WORKAROUND: For Nucleus NET and Nucleus Source Code products, contact Siemens customer support for patch and mitigation guidance
All products
HARDENING: Restrict network access to DNS communication ports (UDP port 53) at the firewall to trusted DNS servers only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Nucleus ReadyStart V3
HOTFIX: Update Nucleus ReadyStart V3 to version 2017.02.3 or later
HOTFIX: Update Nucleus ReadyStart V3 to version 2017.02.4 or later
Nucleus ReadyStart V4
HOTFIX: Update Nucleus ReadyStart V4 to version 4.1.0 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Nucleus NET, Nucleus Source Code. Apply the following compensating controls:
HARDENING: Segment devices running Nucleus RTOS onto isolated networks away from untrusted network segments