Security researchers have uncovered serious vulnerabilities in the TCP/IP stack of a real-time operating system (RTOS) called Nucleus that's used in safety-critical devices across many industry verticals.
The flaws, discovered by researchers from Forescout and Medigate Labs, can lead to denial of service (DoS), information leaks and remote code execution (RCE). Collectively dubbed NUCLEUS:13, they are part of Forescout's year-long Project Memoria that analysed 14 different TCP/IP stacks used in embedded systems.
The Nucleus RTOS is currently owned by Siemens, but it has a 23-year history. Because of its age, lightweight footprint and its wide support for various circuit boards and CPU architectures, the OS made its way over the years into potentially billions of devices used in hospitals and other medical facilities, factories and industrial installations, automotive and avionics systems, and even IoT chipsets and radio baseband processors used in phones and wireless equipment.
A scan of its own device cloud allowed Forescout to identify 5,500 vulnerable devices from 16 vendors in the networks of 127 customers.
Thirteen of those customers had over 100 vulnerable devices on their networks, with healthcare being the most impacted sector followed by government, retail, finance and manufacturing. The OS seems particularly prevalent in anesthesia machines, patient monitors, defibrillators, ultrasound machines and other healthcare devices.
The NUCLEUS:13 flaws
Like all TCP/IP stacks, the Nucleus NET suite contains implementations of the most common protocols that are needed to communicate over IP networks, including IPv4, TCP, UDP, ICMP, FTP, TFTP, and DHCP.
Because they ingest and process a multitude of packet and data formats, typically through unauthenticated communications with other devices, TCP/IP stacks present a significant attack surface. These internet protocol suites also sit at the core of operating systems, interacting directly with their kernels, which means any successful exploit will result in full system privileges.
The TCP/IP implementations found in general-purpose operating systems like Windows or Linux have received a lot of scrutiny from the security research community over the years, but the same can't be said for the usually proprietary TCP/IP stacks of the many real-time operating systems used in the embedded device world.
The three RCE flaws that are part of the NUCLEUS:13 report are located in the FTP server implementation of Nucleus NET and are the result of improper validation of the length of certain commands which can result in stack-based buffer overflow conditions. Identified as CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 the flaws are rated with 9.8 (critical) and 8.8 (high) severity scores.
"At a high level, to trigger CVE-2021-31886, attackers perform authentication attempts on the affected FTP server, sending the FTP 'USER' command with a username that is larger than the internal buffer designated to hold the input of this command (note that the actual sise of this buffer may vary)," the researchers explained in their technical report.
"Sending a large-enough username results in a stack-based buffer overflow, allowing performance of controlled writes into the memory of the affected device, hijacking the execution flow and executing attackers' code with few constraints. Note that the exploitation does not require any authentication on the target, as the vulnerability is triggered for any input of the 'USER' command that has a specific length."
Exploitation of CVE-2021-31887 and CVE-2021-31888 is similar but exploits a similar lack of input validation on the PWD/XPWD and MKD/XMKD commands. Using queries on the SHODAN public search engine the researchers found over 2,200 publicly accessible devices running the Nucleus FTP server.
Of course, that doesn't come close to reflecting the scope of the problem, since most vulnerable devices are likely only accessible from inside corporate networks. But as attackers have proven time and time again, getting access to networks is not very complicated and can be achieved in a variety of ways.
Another nine vulnerabilities found in the Nucleus NET TCP/IP stack can result in DoS conditions or information leaks that can expose information from the device's memory, or sometimes both. These are rated with severity scores between 7.1 and 8.8.
For devices that are supposed to always be on and support mission-critical functions, unexpected crashes or disruptions in their ability to send and receive data can have a serious impact. In the case of medical devices, it could endanger a patient's life.
Two of the DoS flaws are located in the TCP server, four in the DHCP client, one in the ICMP implementation and one in the UDP implementation. All are the result of improper validation of the length of certain values inside packets received over those protocols.
The final vulnerability and lowest rated one (5.3) is located in ICMP and can be exploited to force a vulnerable device to send ICMP echo replies to arbitrary hosts on the network. This is a technique commonly used in DDoS reflection attacks where source IP address spoofing is used.
Mitigation for the NUCLEUS:13 vulnerabilities
Siemens has released patches for the NUCLEUS:13 vulnerabilities but users of vulnerable devices will need to wait for their respective vendors to integrate them and release firmware updates.
Unfortunately, as discovered by Forescout during their Memoria project, many device manufacturers are bad at releasing timely security patches or even publicly acknowledging that their products are affected by serious vulnerabilities.
In the meantime, vulnerable device owners can try to disable or block access to the Nucleus FTP/TFTP server or whitelist connections through firewall rules. They can also use switch-based DHCP control mechanisms to block DHCP responses from rogue servers and can put vulnerable devices behind a firewall that can monitor for and block malformed TCP, UDP, IP and ICMP traffic.