Worst security flaw can lead to remote code execution
Researchers have disclosed 13 vulnerabilities in the Nucleus TCP/IP stack, the worst of which can be used to remotely execute code.
On November 9, Forescout Research Labs said the set of security flaws, collectively named NUCLEUS:13, were found with the assistance of Medigate Labs in Nucleus NET, the TCP/IP stack of the Nucleus Real-time Operating System (RTOS).
Nucleus, developed by ATI 28 years ago and now managed by Siemens, is an OS for embedded devices that are considered ‘safety-critical’ in industries including manufacturing, the industrial sector, and healthcare.
In an advisory, the cybersecurity team said a total of 13 vulnerabilities have been found, ranging in severity from CVSS 5.3 to 9.8.
The most severe vulnerability is CVE-2021-31886, a CVSS 9.8 buffer overflow flaw.
This is caused by the Nucleus FTP server failing to properly validate the length of the “User” command, meaning that if an authentication request is sent with a very large username –whether it is valid or not – this can be exploited to trigger denial-of-service or to perform a remote code execution (RCE) attack.
Four other vulnerabilities also achieved high severity scores: CVE-2021-31346 (CVSS 8.2), an unchecked ICMP payload issue prompting data leaks and denial-of-service conditions; CVE-2021-31884 (CVSS 8.8), an out-of-bound read/write bug caused by errors in hostname definitions, and both CVE-2021-31887 and CVE-2021-31888 (CVSS 8.8), two FTP server validation command problems which could be used to trigger denial-of-service and RCE.
In addition, eight further vulnerabilities, considered less severe, were disclosed:
- CVE-2021-31344 (CVSS 5.3): ICMP echo packets with fake IP options can be sent to hosts
- CVE-2021-31345 (CVSS 7.5): Unchecked UDP payloads can lead to information leaks, denial-of-service
- CVE-2021-31881 (CVSS 7.1): Length validation failures in the DHCP client, leading to denial-of-service
- CVE-2021-31882 (CVSS 6.5): Length validation failures in DHCP ACK packets, causing denial-of-service
- CVE-2021-31883 (CVSS 7.1): Length validation failures in DHCP vendor options, also leading to denial-of-service
- CVE-2021-31885 (CVSS 7.5): Malformed TFTP commands could be sent to read the TFTP memory buffer
- CVE-2021-31889 (CVSS 7.5): Information leaks, denial-of-service caused by malformed TCP packets with corrupted SACK options
- CVE-021-31890 (CVSS 7.5): Unchecked TCP payload lengths causing data leaks, denial-of-service
Assessing the real-world impact is difficult, but when Shodan was first queried on August 5, over 2,200 vulnerable FTP and RTOS instances were found.
“Real-world exploitation is easy to achieve for denials of service and harder for remote code execution because it depends on specifics of each device,” Forescout told The Daily Swig.
“This is true for NUCLEUS:13 [...] but in both cases (DoS and RCE), exploitation in-the-wild has to bring a financial advantage to the attackers, since few incidents nowadays are not financially motivated.”
Forescout has published a list of advisories related to vendors who may be impacted by NUCLEUS:13 on GitHub.
Siemens has developed patches to resolve the vulnerabilities and device vendors are expected to release their own updates. Some of the bugs were resolved in earlier stack versions.
The researchers recommend that updates be applied to vulnerable software versions once they are available.
Forescout told us that at the time of writing, 1,001 devices on Shodan still contain the FTP fingerprint and 1,230 contain the OS fingerprint, changes of -168 and +140, respectively, or a total of -28.
As patching embedded devices can be “notoriously difficult due to their mission-critical nature”, the team has also provided exploit mitigation recommendations including the use of the Project Memoria script to detect devices running Nucleus; the enforcement of segmentation controls, and the recommendation that network traffic is monitored for suspicious behavior.