# Full Report
The DHCP implementation of the networking component (Nucleus NET) in the Nucleus Real-Time Operating System (RTOS) contains a vulnerability that could allow an attacker to change the IP address of an affected device to an invalid value. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not available, or not yet available.
# Analysis Summary
# Vulnerability: Input Validation Vulnerability in Nucleus RTOS DHCP Client
## CVE Details
- **CVE ID:** CVE-2019-13939
- **CVSS Score:** 7.1 (High)
- **CWE:** CWE-20: Improper Input Validation
## Affected Systems
- **Products:**
  - Nucleus NET (Networking component)
  - Nucleus ReadyStart (V3 and V4)
  - Nucleus Source Code
  - Capital Embedded AR Classic (formerly Capital VSTAR) 431-422 and R20-11
- **Versions:**
  - Capital Embedded AR Classic R20-11: All versions < V2303
  - Capital Embedded AR Classic 431-422: All versions
  - Nucleus ReadyStart V3: All versions < V2017.02.3
  - Nucleus NET & Source Code: All versions
- **Configurations:** Systems where the DHCP client functionality is enabled. Note that Nucleus SafetyCert is only affected if the included Nucleus ReadyStart prototyping bundle is used.
## Vulnerability Description
An improper input validation flaw exists in the DHCP implementation of the Nucleus NET networking component. The DHCP client does not sufficiently validate incoming DHCP packets, so specially crafted packets are accepted and processed. Successful exploitation allows a remote attacker on the local network to force the device to adopt an invalid IP address.
## Exploitation
- **Status:** PoC available (CVSS Exploitability: Proof-of-concept)
- **Complexity:** Low
- **Attack Vector:** Adjacent (Requires the attacker to be on the same local network segment as the DHCP client)
## Impact
- **Confidentiality:** None
- **Integrity:** Low (Unauthorized modification of device network settings)
- **Availability:** High (Device loses network connectivity due to invalid IP assignment, resulting in a Denial of Service)
## Remediation
### Patches
- **Capital Embedded AR Classic R20-11:** Update to V2303 or later.
- **Nucleus ReadyStart V3:** Update to V2017.02.3 or later.
- **Nucleus Source Code:** Contact Siemens customer support for specific patches.
- **Nucleus NET:** Update to the latest version of Nucleus ReadyStart V3 or V4.
### Workarounds
- **Disable DHCP:** If the feature is not required, disable the DHCP client via the `TcpIpIpV4General/TcpIpDhcpClientEnabled` pre-compile configuration option (specifically for Capital Embedded products).
- **Manual IP Assignment:** Use static IP configurations instead of DHCP to eliminate the attack vector.
- **Network Segmentation:** Protect network access and isolate affected devices within a secure IT/OT environment according to Siemens' operational guidelines.
## Detection
- **Indicators of Compromise:** Unexpected loss of network connectivity or devices reporting invalid/anomalous IP addresses (e.g., 0.0.0.0 or outside of subnet range).
- **Detection methods and tools:** Monitor local network traffic for malformed DHCP Offer or ACK packets originating from unauthorized or suspicious sources.
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-434032[.]html
- **Support Portal:** hxxps://support[.]sw[.]siemens[.]com/product/1009925838/
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security