Nucleus:13 flaws affect devices used in the medical and aerospace sectors

13 critical vulnerabilities discovered in the Nucleus TCP/IP stack

Researchers found 13 security vulnerabilities affecting critical infrastructures

Researchers revealed that the pack of 13 security flaws in the Nucleus real-time operating system forms Siemens got detected.^[1] The system powers many devices that medical, industrial, automotive, aerospace sectors use, so affected devices are critical in such infrastructures.^[2] The flaws dubbed NUCLEUS:13 can be used to obtain remote code execution on venerable devices, create denial-of-service^[3] attacks, and steal information that is valuable, sensitive, or critical when in wrong hands.

The initial research states:

These vulnerabilities allow for remote code execution, denial of service, and information leak. Nucleus has been in use for nearly 30 years in safety-critical devices, such as anesthesia machines, patient monitors, and others in healthcare.

Forescout and Medigate were the researchers who discovered the security issues.^[4] This is the firm that specifically focuses on healthcare providers and their device security. This reveal took place while conducting a larger analysis via the project named Project Memoria that managed to put industry peers, research institutes, universities to investigate the security of various TCP/IP stacks. The project lasted for 18 months and resulted in the discovery of 78 vulnerabilities.

Security flaws with medium and high severity ratings

One of the discovered bugs stands out the most because the CVE-2021-31886 flaw^[5] is a critical bug that affects the FTP server component. The vulnerability could allow the attacker to take control of the targeted device. The severity rate for this flaw is the rare 9.8. Other security issues range from 7 to 8.8 in severity.

Researchers state that the problem is because of the improper validation of the length of the USER command in the FTP server. This is why stack-based buffer overflows and possibly results in DoS or remote code execution attacks. Other high-severity rate flaws have potential RCE impact and trigger issues with FTP server components.

The vulnerable suite is used in billions of devices across critical infrastructures where those attacks can have major consequences. According to the listings in the report, at least 5,000 devices are running the version with security bugs and most of these devices are used in healthcare sectors. The second biggest number of vulnerable devices is located in government infrastructure.

The hacking of critical sector organizations can have major consequences

Researchers described two possible hacking scenarios to show how serious these flaws are. The first one was focused on the target that is a presence sensor of the railway infrastructure. The indicator detects when the train arrives at the station, so stops and break time ins controlled. Real attacks leveraging these flaws could affect the normal functioning of automated train systems with the malicious FTP packet.

Nucleus-power controllers can crash and prevent particular transportation from stopping at the station and leading to crashes with other trains on the same track. Such attacks can have a major number of physical victims. Another scenario involved the hospital as the target. Building automation can crash due to the controller automatically switching on a fan and lights when someone enters the room.

It is possible to mitigate such flaws. The advisory from the U.S Cybersecurity and Infrastructure Security Agency notes that infrastructures can minimize network exposure for all control systems, devices, and systems. This is the way to ensure that systems are not accessible from the internet.

Locating system networks and devices behind firewalls and isolating them from the business network can be crucial. If patching is not possible, monitoring and enforcing segmentation can be the best option. The report from researchers lists more options for a mitigation strategy.