Full Report
Multiple vulnerabilities (also known as "NUCLEUS:13") have been identified in the Nucleus RTOS (real-time operating system) and reported in the Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/html/ssa-044112.html. Capital Embedded AR Classic uses an affected version of the Nucleus software and therefore inherits several of these vulnerabilities. Siemens has released a new version for Capital Embedded AR Classic R20-11 and recommends updating to the latest version. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: NUCLEUS:13 Vulnerabilities in Capital Embedded AR Classic
## CVE Details
This advisory covers 8 specific vulnerabilities; the highest base score among them is 8.2 (High).
- **CVE IDs:**
  - **CVE-2021-31882**: 8.2 (High) | CWE-119
  - **CVE-2021-31889**: 7.5 (High) | CWE-191
  - **CVE-2021-31890**: 7.5 (High) | CWE-240
  - **CVE-2021-31344**: 7.5 (High) | CWE-125
  - **CVE-2021-31346**: 7.5 (High) | CWE-125
  - **CVE-2021-31883**: 7.1 (High) | CWE-119
  - **CVE-2021-31345**: 6.5 (Medium) | CWE-120
  - **CVE-2021-31881**: 6.5 (Medium) | CWE-119
- **CVSS Score:** Base 8.2 (High) / CVSS v4.0: 6.9
- **CWE:** Includes CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-191 (Integer Underflow), CWE-240 (Improper Handling of Inconsistent Structural Elements), CWE-125 (Out-of-bounds Read), and CWE-120 (Buffer Copy without Checking Size of Input).
## Affected Systems
- **Products:** Capital Embedded AR Classic (formerly Capital VSTAR).
- **Versions:**
  - **Capital Embedded AR Classic R20-11:** All versions prior to V2303.
  - **Capital Embedded AR Classic 431-422:** All versions.
- **Configurations:** Systems utilizing the Nucleus NET networking stack, specifically those with DHCP client functionality enabled or those exposed to external network traffic.
## Vulnerability Description
The "NUCLEUS:13" vulnerabilities reside in the Nucleus NET networking stack integrated into the Capital Embedded AR Classic platform. The flaws involve:
- **Memory Corruption:** Improper validation of the lengths of DHCP Request and ACK packets and their vendor options, leading to buffer overflows or denial of service.
- **Out-of-Bounds Access:** Issues in ICMP and UDP header processing allowing unauthorized data reads or system instability.
- **Logic/Structural Errors:** Improper handling of TCP SACK options (Integer Underflow) and inconsistent TCP payload lengths defined in IP headers, leading to Information Leaks and Denial-of-Service.
## Exploitation
- **Status:** PoC available (Publicly disclosed as NUCLEUS:13).
- **Complexity:** Low.
- **Attack Vector:** Network and Adjacent (depending on the specific CVE; DHCP-related flaws require adjacency, while TCP/ICMP flaws may be routable via Network).
## Impact
- **Confidentiality:** Medium (Information Leaks via out-of-bounds reads and malformed packets).
- **Integrity:** None.
- **Availability:** High (System crashes, infinite loops, and Denial-of-Service).
## Remediation
### Patches
- **Capital Embedded AR Classic R20-11:** Update to **V2303** or later.
- **Capital Embedded AR Classic 431-422:** No fix is currently planned; users must rely on mitigations.
### Workarounds
- **Disable DHCP:** For CVE-2021-31881, 31882, and 31883, disable the DHCP client functionality by deselecting `TcpIpIpV4General/TcpIpDhcpClientEnabled`. Use static IP addresses instead.
- **Network Segmentation:** For TCP/ICMP/UDP vulnerabilities, place affected ECUs behind properly configured gateways or firewalls.
- **Environmental Security:** Follow Siemens' operational guidelines for Industrial Security to restrict network access to trusted environments only.
## Detection
- **Indicators of Compromise:** Unusual volume of malformed DHCP ACK/Request packets, malformed TCP packets with corrupted SACK options, or unexpected ICMP/UDP-related system reboots.
- **Detection methods:** Network Intrusion Detection Systems (IDS) can be configured to flag malformed TCP SACK options and inconsistent IP/TCP payload length headers.
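As an added defender-side illustration (not part of the Siemens advisory), the following Python checker applies the two consistency checks named above to a raw IPv4/TCP frame: that the IP total length agrees with the captured frame and with the TCP data offset, and that any TCP SACK option (kind 5) carries a length of the form 2+8*n. Both the checker and the frame builder are constructed here; the builder produces test input only and leaves checksums zero.

```python
import struct

def make_ipv4_tcp(options: bytes = b"", payload: bytes = b"", total_len=None) -> bytes:
    """Build a minimal IPv4/TCP frame (constructed test input; checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)          # pad option list to a 32-bit boundary
    doff = (20 + len(options)) // 4                    # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, doff << 4, 0x10, 8192, 0, 0) + options + payload
    total_len = 20 + len(tcp) if total_len is None else total_len   # override = inconsistent header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def check_ipv4_tcp(pkt: bytes) -> list:
    """Return a list of length/option inconsistencies found in a raw IPv4/TCP frame."""
    findings = []
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return ["not a complete IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        findings.append(f"IP total length {total_len} inconsistent with IHL {ihl} / frame {len(pkt)}")
        return findings
    if pkt[9] != 6:                                    # only TCP is inspected here
        return findings
    tcp = pkt[ihl:total_len]                           # payload as the IP header declares it
    if len(tcp) < 20:
        return findings + ["TCP header truncated by IP total length"]
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return findings + [f"TCP data offset {doff} exceeds IP payload ({len(tcp)} bytes)"]
    opts, i = tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            break
        if kind == 1:                                  # NOP, no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            findings.append(f"option kind {kind} has a malformed length field")
            break
        olen = opts[i + 1]
        if kind == 5:                                  # SACK: length must be 2 + 8*n, 1 <= n <= 4
            body = olen - 2
            if body == 0 or body % 8 or body > 32:
                findings.append(f"SACK option length {olen} is not 2+8*n")
        i += olen
    return findings
```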
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-620288.html
- **Related Nucleus Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-044112.html
- **Siemens Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security