Enterprise device security firm Forescout recently warned that 13 vulnerabilities in the Nucleus TCP/IP stack could be exploited to remotely execute code, cause a denial of service (DoS), or obtain sensitive information. The flaws, collectively named NUCLEUS:13, were found by Forescout researchers in the Siemens-owned Nucleus TCP/IP stack, and many of them carry critical or high severity ratings. Nucleus is a preemptive multitasking operating system kernel designed for real-time embedded applications; about 95% of its code is written in ANSI C, which makes it highly portable across most processor types. Nucleus is widely used in healthcare and in other organizations that rely on operational technology (OT). Siemens published a security advisory with the corresponding fixes and mitigations on November 9, its regular Patch Tuesday release.
The NUCLEUS:13 issues may affect safety-critical equipment such as anesthesia machines, patient monitors and other types of healthcare equipment, as well as other operational technology (OT) systems. Forescout Research Labs and Medigate worked with Siemens, CISA, CERT/CC and others to confirm the findings and notify the affected vendors.
One of the newly discovered vulnerabilities is rated critical, with a CVSS score of 9.8. It is a stack-based buffer overflow caused by the FTP server's failure to properly validate the length of the "USER" command's argument. An attacker could exploit it to cause a denial of service (DoS) condition or achieve remote code execution.
Two similar issues in the FTP server, caused by incorrect validation of the length of the "PWD/XPWD" and "MKD/XMKD" commands, are rated high severity.
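The length check the advisory says the FTP server was missing, as an added example that is not Nucleus code and not Forescout's proof of concept: a minimal FTP command handler in C showing the unsafe pattern (an argument copied into a fixed-size stack buffer with no bound) next to a bounded form that rejects an over-long USER or MKD/XMKD argument with an FTP error reply and builds the PWD/XPWD reply with snprintf. The buffer sizes, reply texts and the ftp_probe helper are assumptions for illustration; the page does not state Nucleus's real limits.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical limits for illustration; the page does not give Nucleus's real sizes. */
#define FTP_ARG_MAX   64
#define FTP_REPLY_MAX 128

/* Vulnerable pattern (illustrative, NOT Nucleus's code, never called below):
 * the USER argument is copied into a fixed-size stack buffer without checking
 * its length, so a line longer than FTP_ARG_MAX overruns the stack frame. */
int user_cmd_unsafe(const char *arg)
{
    char user[FTP_ARG_MAX];
    strcpy(user, arg);                 /* no bound: stack-based buffer overflow */
    return (int)strlen(user);
}

/* Hardened copy: returns 0 on success, -1 if src plus its NUL does not fit dst. */
static int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n == dstlen)                   /* too long, or no room for the NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Minimal dispatcher for the commands named in the advisory. Writes the reply
 * into 'reply' (bounded) and returns the 3-digit FTP reply code it would send. */
int ftp_handle_line(const char *line, const char *cwd, char *reply, size_t replylen)
{
    char verb[8];
    char arg[FTP_ARG_MAX];
    const char *sp = strchr(line, ' ');
    size_t vlen = sp ? (size_t)(sp - line) : strlen(line);
    const char *argp = sp ? sp + 1 : "";

    if (vlen == 0 || vlen >= sizeof verb) {
        snprintf(reply, replylen, "500 Syntax error, command unrecognized.");
        return 500;
    }
    memcpy(verb, line, vlen);
    verb[vlen] = '\0';

    if (strcmp(verb, "USER") == 0) {
        if (copy_bounded(arg, sizeof arg, argp) != 0) {
            snprintf(reply, replylen, "501 Argument too long.");
            return 501;                /* reject instead of overflowing */
        }
        snprintf(reply, replylen, "331 Password required for %s.", arg);
        return 331;
    }
    if (strcmp(verb, "MKD") == 0 || strcmp(verb, "XMKD") == 0) {
        if (copy_bounded(arg, sizeof arg, argp) != 0) {
            snprintf(reply, replylen, "501 Argument too long.");
            return 501;
        }
        snprintf(reply, replylen, "257 \"%s\" directory created.", arg);
        return 257;
    }
    if (strcmp(verb, "PWD") == 0 || strcmp(verb, "XPWD") == 0) {
        /* The reply carries the path: build it with snprintf and refuse if it
         * would not fit, rather than copying into a fixed buffer unchecked. */
        int n = snprintf(reply, replylen, "257 \"%s\" is current directory.", cwd);
        if (n < 0 || (size_t)n >= replylen) {
            snprintf(reply, replylen, "550 Path too long.");
            return 550;
        }
        return 257;
    }
    snprintf(reply, replylen, "500 Syntax error, command unrecognized.");
    return 500;
}

/* Helper: push "<verb> AAAA..." with arglen 'A's through the handler, the way a
 * fuzzer or a length-based monitoring rule would, and return the reply code. */
int ftp_probe(const char *verb, size_t arglen)
{
    char line[256];
    char reply[FTP_REPLY_MAX];
    size_t vlen = strlen(verb);
    if (arglen > sizeof line - vlen - 2)
        arglen = sizeof line - vlen - 2;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, 'A', arglen);
    line[vlen + 1 + arglen] = '\0';
    return ftp_handle_line(line, "/", reply, sizeof reply);
}

int main(void)
{
    /* Constructed sample commands: a normal login and an over-long USER line. */
    char reply[FTP_REPLY_MAX];
    int code = ftp_handle_line("USER anonymous", "/", reply, sizeof reply);
    printf("%d %s\n", code, reply);
    printf("%d\n", ftp_probe("USER", 200));   /* 501: rejected, no overflow */
    return 0;
}
```

The same length test that the handler applies (verb in USER/MKD/XMKD and argument longer than the device's buffer) is what a passive monitor on the FTP control channel would flag as a malformed command.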
Of the remaining vulnerabilities, nine are rated high severity and could be exploited to leak sensitive information or cause DoS conditions. The last of the batch is a medium-severity bug in ICMP that can be exploited to make a device send ICMP echo reply messages to arbitrary network systems.
Forescout noted that some of these vulnerabilities had already been addressed in existing versions of the Nucleus TCP/IP stack, but CVE identifiers were never issued for them. Patches are now available for all 13 security holes.
Nucleus NET, the TCP/IP stack of the Nucleus Real-Time Operating System (RTOS), was developed by Accelerated Technology, Inc. (ATI) in 1993; the RTOS is now owned by Siemens. Over its 28-year life cycle, Nucleus has been deployed in devices across many verticals. Its main application areas include networking, routing, bridging, hubs, datacom, set-top boxes, digital cameras, ISDN, modulators, digital plotters, GSM, cell phones, PDAs, printers, GPS, wireless communication, automotive, medical instruments, RAID, adapter cards, smart cards, security, industrial control, scanners, gas analyzers, game consoles, multimedia, handheld products, consumer products, local and wide area networks, navigation equipment, satellite communications, ATMs, video products, barcode machines, process control, and more.
The official Nucleus website claims that the RTOS is deployed on more than 3 billion devices, but Forescout believes most of those are components such as chipsets and baseband processors rather than complete devices. The researchers said they could find only thousands of potentially vulnerable devices directly connected to the internet, with the healthcare sector appearing to be the most affected.
Typical Nucleus users worldwide are shown in the figure below (from reference 4):
Siemens issued an advisory on November 9 describing the impact of the vulnerabilities on its own products.
Forescout Research Labs and Medigate exploited one of the remote code execution vulnerabilities in their lab and demonstrated the potential impact of a successful attack, showing that it could disrupt healthcare and other critical processes.
The general recommended mitigations for NUCLEUS:13 are to limit the network exposure of critical vulnerable devices through network segmentation and to patch the devices. Organizations are advised to identify all devices running Nucleus in their environment, apply the available patches or mitigations as soon as possible, and ensure proper network segmentation is in place. They should also monitor network traffic for malformed packets targeting the affected protocols, disable FTP and TFTP where they are not needed, and use switch-based DHCP control mechanisms.