Multiple Vulnerabilities in Nucleus RTOS based Siemens Energy PLUSCONTROL 1st Gen Devices
Plan: Patch · 8.2 · SSA-845392 · Jan 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple memory handling and input validation vulnerabilities exist in Nucleus RTOS affecting Siemens Energy PLUSCONTROL 1st Gen devices. These vulnerabilities are part of the NUCLEUS:13 issue set documented in Siemens SSA-044112. An attacker with network access can trigger denial of service (crashing the device or service) or leak information from memory without authentication. All versions of PLUSCONTROL 1st Gen are affected, and no firmware patch is planned.
What this means
What could happen
An attacker who can reach these devices over the network could trigger a denial of service or leak sensitive information from the power control system without authentication, potentially disrupting grid operations or control visibility.
Who's at risk
Power system operators, transmission system operators (TSOs), distribution system operators (DSOs), and energy utilities that use Siemens PLUSCONTROL 1st Gen devices for grid protection, automation, or control should care about this vulnerability. These devices are typically deployed in substations and control centers where they manage grid stability and fault detection.
How it could be exploited
An attacker on the network sends a crafted packet to the Nucleus RTOS service running on the PLUSCONTROL 1st Gen device. The vulnerability in memory handling or input validation allows the attacker to crash the service (denial of service) or read memory contents without needing valid credentials.
Prerequisites
- Network-level reachability to the PLUSCONTROL 1st Gen device
- No authentication or valid credentials required
- Device must be running a vulnerable version of Nucleus RTOS
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects critical power grid infrastructure
Exploitability
Moderate exploit probability (EPSS 2.5%)
Affected products (1)
Product | Affected Versions | Fix Status
PLUSCONTROL 1st Gen | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Segment PLUSCONTROL 1st Gen devices on a separate network or VLAN with firewall rules that restrict inbound access to only authorized engineering workstations and control network segments
HARDENING: Deploy a firewall or network access control device that filters traffic to PLUSCONTROL 1st Gen; block all inbound connections from outside your operational network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Verify that your redundant secondary protection schemes are in place and functional to maintain grid resilience in the event of a device compromise or denial of service event
HARDENING: Monitor network traffic to PLUSCONTROL 1st Gen devices for unusual access patterns; implement alerting on failed connection attempts or anomalous packet sizes