Full Report
The IPv6 stack of the networking component (Nucleus NET) in the Nucleus Real-Time Operating System (RTOS) contains two vulnerabilities in the processing of IPv6 headers that could allow an attacker to cause a denial-of-service condition. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Nucleus RTOS IPv6 Stack Denial of Service (CVE-2021-25663, CVE-2021-25664)
## CVE Details
- **CVE ID:** CVE-2021-25663, CVE-2021-25664
- **CVSS Score:** 7.5 (CVSS v3.1), 8.7 (CVSS v4.0); severity High
- **CWE:** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
## Affected Systems
- **Products:** Nucleus NET (Networking component within Nucleus RTOS), Capital Embedded AR Classic, Nucleus ReadyStart V3/V4.
- **Versions:**
- **Capital Embedded AR Classic 431-422:** All versions affected by both CVEs.
- **Capital Embedded AR Classic R20-11:** All versions < V2303 affected by both CVEs.
- **Nucleus NET:** All versions affected by both CVEs.
- **Nucleus ReadyStart V3:** All versions < V2017.02.4 affected by both CVEs.
- **Nucleus ReadyStart V4:** All versions < V4.1.0 affected by both CVEs.
- **Nucleus Source Code:** All versions that include the affected IPv6 stack.
- **Configurations:** Any deployment in which the IPv6 stack is enabled and the device is reachable by an attacker who can deliver crafted IPv6 packets.
## Vulnerability Description
Two separate vulnerabilities exist in the IPv6 stack (Nucleus NET) related to the processing of IPv6 headers, specifically extension headers. Both flaws stem from insufficient length checking: when the affected function processes a header carrying crafted length values, it enters a loop whose exit condition can never be reached (CWE-835).
1. **CVE-2021-25663:** The function processing general IPv6 headers does not check the lengths of extension header options correctly, allowing an attacker to induce an infinite loop via crafted length values.
2. **CVE-2021-25664:** The function processing the Hop-by-Hop extension header and its options lacks length checks, allowing an attacker to induce an infinite loop via arbitrary length values.
Either vulnerability results in a Denial of Service (DoS) condition: the affected function never returns, so the device stops processing network traffic and typically needs a reset to recover. The 7.5 base score (C:N/I:N/A:H) corresponds to an unauthenticated network attack requiring no user interaction.
## Exploitation
- **Status:** Proof-of-concept. The CVSS v3.1 vector's temporal metric E:P (Exploit Code Maturity: Proof-of-Concept) indicates that proof-of-concept exploit code existed at the time of scoring.
- **Complexity:** Low (CVSS AC:L - Attack Complexity: Low)
- **Attack Vector:** Network (CVSS AV:N - Attack Vector: Network)
## Impact
- **Confidentiality:** No Impact (C:N)
- **Integrity:** No Impact (I:N)
- **Availability:** High Impact (A:H - Complete loss of availability due to Denial of Service/Infinite Loop)
## Remediation
### Patches
- **Capital Embedded AR Classic R20-11:** Update to **V2303** or later version.
- **Nucleus ReadyStart V3:** Update to **V2017.02.4** or later version.
- **Nucleus ReadyStart V4:** Update to **V4.1.0** or later version.
- **Nucleus Source Code:** Contact customer support for patch/update information.
- **Capital Embedded AR Classic 431-422:** Currently **no fix is planned**.
### Workarounds
For products where fixes are not yet available (e.g., Capital Embedded AR Classic 431-422):
1. **Disable IPv6 functionality** if it is not required, by deselecting the `TcpIpIpV6General/IpV6Enabled` Pre-Compile configuration option.
2. Apply the general security measures from the Siemens advisory: restrict network access to the affected devices and operate them in a protected IT environment, following Siemens' operational guidelines for industrial security. Note that `IpV6Enabled` is a Pre-Compile option, so disabling it takes effect only after the firmware image is rebuilt and redeployed.
## Detection
- **Indicators of Compromise:** Unexplained device hangs, watchdog resets or loss of network responsiveness that correlate with network reconnaissance or with unusual IPv6 traffic directed at the device.
- **Detection methods and tools:** Network intrusion detection systems (NIDS) inspecting IPv6 traffic for packets whose Hop-by-Hop or other extension header option lengths are inconsistent with the header's declared length, the condition that triggers the loop.
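The following is an added example, not code from the Siemens advisory or from Nucleus NET (whose source the advisory does not publish), illustrating the flaw class described in the Vulnerability Description section and the length-consistency check a NIDS would apply in the Detection section. It walks the option TLVs of an IPv6 Hop-by-Hop header (RFC 8200 section 4.3). The unchecked walker trusts the per-option length byte, so a crafted option wraps its unsigned countdown and the exit condition becomes unreachable; the "demo guard" that makes it return is an assumption added here so the program terminates, and the real bug pattern has no such exit. The actual Nucleus code and the exact form of its missing check may differ. The sample headers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes for both walkers; a non-negative result is the option count. */
enum { HBH_MALFORMED = -1, HBH_WOULD_SPIN = -2 };

/* Hop-by-Hop header: NextHdr(1) HdrExtLen(1) then TLV options, padded so the
 * whole header is (HdrExtLen + 1) * 8 bytes. Pad1 is the single byte 0;
 * every other option is Type(1) Len(1) Data(Len). */
static size_t hbh_total_len(const uint8_t *hdr)
{
    return ((size_t)hdr[1] + 1) * 8;
}

/* Constructed illustration of the CWE-835 pattern (not Nucleus NET source):
 * both HdrExtLen and each option's Len byte are trusted. An option claiming
 * more bytes than remain wraps the unsigned countdown, so "remaining == 0"
 * is never reached. The wrap test is a demo guard added here so this program
 * returns instead of spinning and reading past the buffer.
 * Caller must pass a buffer of at least hbh_total_len(hdr) bytes. */
int hbh_walk_unchecked(const uint8_t *hdr)
{
    size_t total = hbh_total_len(hdr);       /* trusted blindly */
    size_t remaining = total - 2;
    size_t off = 2;
    int count = 0;

    while (remaining > 0) {
        size_t adv = (hdr[off] == 0) ? 1 : 2 + (size_t)hdr[off + 1];
        remaining -= adv;                    /* BUG: adv may exceed remaining */
        off += adv;
        count++;
        if (remaining > total)               /* demo guard: counter wrapped */
            return HBH_WOULD_SPIN;
    }
    return count;
}

/* Hardened walker (also the check a NIDS applies to flag the packet): every
 * length is validated against the bytes actually present before use, and each
 * iteration advances off by at least 1 toward a fixed bound, so the loop
 * always terminates. pkt_len is the number of bytes available at hdr. */
int hbh_walk_checked(const uint8_t *hdr, size_t pkt_len)
{
    if (pkt_len < 8)
        return HBH_MALFORMED;                /* cannot hold the fixed 8-byte part */
    size_t total = hbh_total_len(hdr);
    if (total > pkt_len)
        return HBH_MALFORMED;                /* HdrExtLen claims more than the packet carries */

    size_t off = 2;
    int count = 0;
    while (off < total) {
        if (hdr[off] == 0) {                 /* Pad1: one byte, no Len field */
            off += 1;
            count++;
            continue;
        }
        if (off + 2 > total)
            return HBH_MALFORMED;            /* Type present but Len byte missing */
        size_t len = hdr[off + 1];
        if (len > total - (off + 2))
            return HBH_MALFORMED;            /* option data would run past the header */
        off += 2 + len;
        count++;
    }
    return count;
}

/* Constructed sample headers: Next Header = 59 (No Next Header), 8 bytes total
 * unless HdrExtLen says otherwise. */
static const uint8_t HBH_GOOD[8]  = { 59, 0, 1, 4,   0, 0, 0, 0 }; /* PadN with 4 data bytes */
static const uint8_t HBH_PAD1[8]  = { 59, 0, 0, 0,   0, 0, 0, 0 }; /* six Pad1 options */
static const uint8_t HBH_BAD[8]   = { 59, 0, 1, 250, 0, 0, 0, 0 }; /* PadN claims 250 bytes */
static const uint8_t HBH_TRUNC[8] = { 59, 3, 1, 4,   0, 0, 0, 0 }; /* HdrExtLen claims 32 bytes */

int main(void)
{
    /* HBH_TRUNC is deliberately not fed to the unchecked walker: it would read
     * past the 8-byte buffer, which is the other failure mode of trusting HdrExtLen. */
    printf("unchecked: good=%d pad1=%d bad=%d\n",
           hbh_walk_unchecked(HBH_GOOD), hbh_walk_unchecked(HBH_PAD1),
           hbh_walk_unchecked(HBH_BAD));
    printf("checked:   good=%d pad1=%d bad=%d trunc=%d\n",
           hbh_walk_checked(HBH_GOOD, sizeof HBH_GOOD),
           hbh_walk_checked(HBH_PAD1, sizeof HBH_PAD1),
           hbh_walk_checked(HBH_BAD, sizeof HBH_BAD),
           hbh_walk_checked(HBH_TRUNC, sizeof HBH_TRUNC));
    return 0;
}
```

The two checks in `hbh_walk_checked` that the unchecked version lacks are exactly the ones a detector needs: the declared header length must fit in the packet, and each option's length must fit in what is left of the header. A packet failing either test is malformed by RFC 8200 and is a candidate for the alerting described above.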
## References
- [Siemens Security Advisory SSA-248289](https://cert-portal.siemens.com/productcert/html/ssa-248289.html)