Researchers have discovered a set of 13 vulnerabilities in the TCP/IP network communication stack that impact safety-critical devices, such as anesthesia machines and patient monitors used in hospitals.
The collection of flaws, called NUCLEUS:13 by researchers with Forescout in a Tuesday analysis, specifically exists in Nucleus NET, part of the TCP/IP set of communication protocols that implement basic network communication for IP-connected devices. Nucleus NET is the TCP/IP stack of the Nucleus Real-Time Operating System (RTOS), which was originally developed in 1993 and has been deployed across many types of safety-critical devices, including medical, automotive and industrial systems. Siemens, which currently owns Nucleus, has issued patches for the flaws - however, researchers warn that device manufacturers still need to roll out updates, and device end users may face various patch management challenges.
Daniel dos Santos, senior research manager at Forescout, said that none of the vulnerabilities require authentication and most of them can be exploited remotely.
“To achieve remote code execution an attacker needs to understand details about the device being exploited (memory, architecture, firmware, etc.) and needs to spend some time getting a payload that actually achieves the intended outcome,” he said.
While the potential impact of the 13 vulnerabilities varies, ranging from denial of service (DoS) to information leaks, the three most severe vulnerabilities allow for remote code execution (CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888). These three flaws affect the default FTP server application shipped with the Nucleus TCP/IP stack. One of the most serious flaws (CVE-2021-31886) has a CVSS score of 9.8 and stems from the FTP server not properly validating the length of the “USER” command. This can lead to stack-based buffer overflows - ultimately allowing attackers to launch a DoS or remote code execution attack. Exploitation of this flaw does not require any authentication on the target, said researchers.
“At a high level, to trigger CVE-2021-31886, attackers perform authentication attempts on the affected FTP server, sending the FTP “USER” command with a username that is larger than the internal buffer designated to hold the input of this command (note that the actual size of this buffer may vary),” they said.
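The bug class the researchers describe is a fixed-size buffer receiving the USER argument without a length check. The following C program is an added illustration written for this article; it is not Nucleus NET source code, and the 32-byte buffer size, the function names and the reply codes are assumptions chosen for the example (the real buffer size varies per build, as the researchers note). It shows the unbounded-copy pattern next to a handler that rejects any USER argument that does not fit, so the reply is a syntax error rather than a crash.

```c
/*
 * Added illustration (not Nucleus NET code): a minimal FTP "USER" handler.
 * handle_user_unchecked() shows the vulnerable pattern the advisory describes;
 * handle_user_command() shows the bounds check that prevents the overflow.
 */
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32   /* assumed buffer size; the real one varies per build */

enum ftp_status {
    FTP_NEED_PASS  = 331,  /* USER accepted, password required next */
    FTP_UNKNOWN    = 500,  /* not a USER command */
    FTP_SYNTAX_ERR = 501   /* argument missing or too long */
};

/* VULNERABLE PATTERN (for comparison only; never called in this program):
 * the argument is copied into a fixed stack buffer with no length check,
 * so a long username overwrites the stack. */
static int handle_user_unchecked(const char *arg)
{
    char user[MAX_USER_LEN];
    strcpy(user, arg);          /* length of arg is never validated */
    return FTP_NEED_PASS;
}

/* HARDENED HANDLER: copies "USER <name>\r\n" into out (capacity out_len)
 * only if the name fits with room for the terminating NUL.
 * Returns an FTP reply code; out is written only on success. */
int handle_user_command(const char *line, char *out, size_t out_len)
{
    if (strncmp(line, "USER ", 5) != 0)
        return FTP_UNKNOWN;

    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");   /* argument length up to CR/LF */

    /* The check that is missing in the vulnerable pattern. */
    if (n == 0 || n >= out_len)
        return FTP_SYNTAX_ERR;

    memcpy(out, arg, n);
    out[n] = '\0';
    return FTP_NEED_PASS;
}

/* Convenience wrappers around one static buffer so results can be inspected. */
static char g_user[MAX_USER_LEN];

int ftp_user(const char *line)
{
    return handle_user_command(line, g_user, sizeof g_user);
}

const char *last_user(void)
{
    return g_user;
}

int main(void)
{
    /* Constructed sample command lines, including one far longer than the buffer. */
    const char *lines[] = {
        "USER alice\r\n",
        "USER \r\n",
        "USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n",
        "PASS secret\r\n"
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%.*s -> %d\n", (int)strcspn(lines[i], "\r\n"),
               lines[i], ftp_user(lines[i]));
    (void)handle_user_unchecked;   /* referenced only to document the contrast */
    return 0;
}
```

Rejecting on `n >= out_len` rather than `n > out_len` is the edge case that matters: a 32-character name would fill a 32-byte buffer completely and leave no room for the NUL terminator, so the hardened handler accepts at most 31 characters.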
In a real-world scenario, an attacker could target a train's automation controller that leverages Nucleus. These controllers connect both to the train model and to sensors at a station, in order to signal the train to stop for a certain period of time. In a successful attack, the attacker could crash the controller by sending the crafted FTP packet that exploits CVE-2021-31886, causing a DoS condition - meaning the train would potentially not stop at the station when it's supposed to, said researchers.
Siemens has released patches for all the vulnerabilities, with researchers noting that some of the flaws had already been patched in existing versions of the stack but were never issued CVE IDs. However, vendors of the devices using this software still need to provide their own updates to customers. And from the perspective of end users, applying these patches can be challenging. Many of the devices are not centrally managed, for instance, and some vulnerable devices running vulnerable Nucleus NET-based firmware are mission-critical (such as medical devices or industrial control systems), meaning that they are more difficult to take offline.
“The difficulties start with vendors identifying vulnerable devices,” said dos Santos. “This is not simple because often they are unaware of all the software components that go into a specific device model. After that, each device vendor must get the stack patches from Siemens and produce their own patches for their devices - the issue here is that some devices use end-of-life versions of the stack or the device vendors may not provide active support to the device as well. Then end users have to gather all patches from vendors in their network and apply them, which usually requires at least rebooting the device, without disrupting their operation.”
TCP/IP stacks are notoriously vulnerable because they include codebases that were created decades ago, and they expose several unauthenticated functions that make them attractive to cybercriminals. Previously, researchers discovered a set of 19 flaws in the Treck TCP/IP stack (called Ripple20), a set of 33 vulnerabilities affecting four open-source TCP/IP stacks (called Amnesia:33) and nine flaws (collectively dubbed Name:Wreck) stemming from weaknesses in Domain Name System (DNS) protocol implementations in TCP/IP stacks. Researchers first discovered this most recent set of TCP/IP flaws starting in February, and have been in communication with Siemens since April. Siemens started working on the case and produced patches in September, said dos Santos.
“In the meantime, we contacted coordinating agencies (ICS-CERT, CERT/CC, BSI in Germany and others) to alert potentially affected vendors that we had identified,” he said. “These vendors are still trying to confirm the vulnerabilities and issue their patches.”