Researchers found a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which we are collectively calling NUCLEUS:13. The new vulnerabilities allow for remote code execution, denial of service, and information leak.
Nucleus is currently owned by Siemens and it has been deployed in many industries that have safety and security requirements, such as medical devices, automotive and industrial systems.
The most severe vulnerability (CVE-2021-31886 ) with CVSS3.1 score of 9.8 is a remote code execution that affects FTP server.
FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
Please find the attached file for the complete list of CVEs
Complete protection against NUCLEUS:13 requires patching devices running the vulnerable versions of Nucleus. Siemens has released its official patches and device vendors using this software should provide their own updates to customers. Below are mitigation strategies for network operators:
· Discover and inventory devices running Nucleus. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running Nucleus. The script is updated constantly with new signatures to follow the latest development of our research.
· Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.
· Monitor progressive patches released by affected device.
· Monitor all network traffic for malicious.
· The table below provides recommended mitigations for each vulnerability:
|CVE||Affected component||Mitigation Recommendation|
|FTP / TFTP server||Disable FTP/TFTP if not needed, or whitelist connections.|
|DHCP client||Use switch-based DHCP control mechanisms: protocol-aware network switches may be configured to block DHCP responses from rogue servers (“DHCP snooping”). Alternatively, firewalls can be configured in a similar fashion. As a last resort, use static IP addresses.|
|TCP / UDP / IP / ICMP||Monitor traffic for malformed packets and block them. Having a vulnerable device behind a properly configured firewall should be sufficient.|