13 Vulnerabilities Found in the Nucleus TCP/IP Stack
With support from Medigate Research Labs, security researchers at Forescout found 13 new vulnerabilities affecting Nucleus NET, the TCP/IP stack of the Nucleus real-time operating system (RTOS). Accelerated Technology originally developed the software in 1993. In 2002, Mentor Graphics acquired the stack and the RTOS for an undisclosed sum. Since January 2021, Mentor has been operating as a division of Siemens under the name Siemens EDA. Hundreds of hardware manufacturers use Nucleus NET in some form or another. According to the Nucleus website, more than 3 billion devices make use of its RTOS.
Medical Devices at Risk
The newly discovered vulnerabilities range in severity from 5.3 (medium) to 9.8 (critical) on the Common Vulnerability Scoring System (CVSS). Depending on the configuration of the TCP/IP stack, the flaws could allow remote code execution, denial of service (DoS), and information leaks. “Understanding where the vulnerable code is present is notoriously challenging”, said Forescout. “We tried to estimate the impact of NUCLEUS:13 based on the evidence collected during our research, using three main sources: the official Nucleus website, Shodan Queries and Forescout’s Device Cloud.” The potential risks vary, but in the case of critical medical devices, like anesthesia machines, ventilators, operating room medical devices, and various types of bedside patient monitors, the attack scenarios could have disastrous consequences.
Official Patches Released
Siemens has already released official patches for all the vulnerabilities in Nucleus and issued CVE IDs for the flaws patched in existing versions of the stack. Nonetheless, it is now up to individual vendors, companies, and health care organizations to assess the risk these vulnerabilities pose to their own hardware and systems and to adjust their mitigation strategy accordingly. Taking vital devices offline to apply security updates is not straightforward, especially in a medical setting. A video showing the possible effects of exploiting, for example, CVE-2021-31886, featuring Playmobil models in Forescout’s Cyber Lab, is available on YouTube. More details about some of the vulnerabilities and their exploitation can be found in Forescout’s technical report.
CISA Advisory Issued
On 9 November, CISA released an Industrial Control Systems (ICS) advisory detailing the multiple vulnerabilities found in the Siemens Nucleus RTOS and its supporting libraries. CISA has encouraged users and administrators to review the ICS advisory, ICSA-21-313-03 Siemens Nucleus RTOS TCP/IP Stack, and apply the necessary mitigation measures. “General recommended mitigations for NUCLEUS:13 include limiting the network exposure of critical vulnerable devices via network segmentation and patching devices whenever vendors release patches. Some of the vulnerabilities can also be mitigated by blocking or disabling support for unused protocols, such as FTP”, added Forescout.
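The two mitigations quoted above (segment vulnerable devices away from general networks, and disable unused protocols such as FTP) are easiest to verify as a policy check over network flow records. The script below is an added example, not code from the article, Forescout, Siemens or CISA. It assumes a hypothetical layout in which medical devices sit in 10.20.0.0/24 and only a management subnet 10.10.0.0/24 may reach them, and it audits constructed flow records in a simplified `src,dst,proto,dport` form rather than any real device's log format.

```python
"""Audit constructed flow records against a NUCLEUS:13-style exposure policy.

Added example, not from the article or from Forescout/Siemens/CISA. The network
layout (device VLAN, management subnet) is assumed, and the flow records are
constructed sample data, not a real log format.
"""
import ipaddress
from dataclasses import dataclass

DEVICE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")     # assumed medical device VLAN
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]  # assumed management subnet
BLOCKED_SERVICES = {("tcp", 21): "FTP"}                   # unused protocol the article says to disable


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line: str):
    """Parse one constructed 'src,dst,proto,dport' record; return None if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        dport = int(parts[3])
    except ValueError:
        return None
    return src, dst, parts[2].lower(), dport


def audit_flows(lines):
    """Return a Finding for every flow into the device segment that breaks policy.

    Two rules, matching the mitigations quoted in the advisory:
      1. a blocked service (FTP) must not be reachable on a device, and
      2. only management-subnet hosts may reach the device segment at all.
    Malformed records and flows that do not target the segment are skipped.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        if dst not in DEVICE_SEGMENT:
            continue  # policy only covers traffic into the device segment
        if (proto, dport) in BLOCKED_SERVICES:
            service = BLOCKED_SERVICES[(proto, dport)]
            findings.append(Finding(str(src), str(dst),
                                    f"{service} reachable on device segment"))
        if not any(src in net for net in ALLOWED_SOURCES):
            findings.append(Finding(str(src), str(dst),
                                    "source outside management subnet reached device segment"))
    return findings


SAMPLE_FLOWS = [  # constructed records for the assumed layout
    "10.10.0.5,10.20.0.17,tcp,443",    # allowed: management host over HTTPS
    "10.10.0.5,10.20.0.17,tcp,21",     # FTP is still enabled on the device
    "192.168.50.9,10.20.0.23,tcp,80",  # non-management workstation reached a device
    "10.20.0.17,10.10.0.5,tcp,21",     # outbound from a device; not covered by this policy
    "garbage line",                    # malformed record, skipped
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

Run against the constructed records, the audit reports two findings: FTP still reachable on a device from the management subnet, and a host outside the management subnet reaching the device segment. Either one points at a device whose exposure should be reduced before, or while waiting for, the vendor patch.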