Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

NUCLEUS:13 – Host of vulnerabilities shatter Nucelus TCP/IP stack defenses

Researchers have disclosed 13 vulnerabilities in the Nucleus TCP/IP stack, the worst of which can be used to remotely execute code.

On November 9, Forescout Research Labs said the set of security flaws, collectively named NUCLEUS:13, were found with the assistance of Medigate Labs in Nucleus NET, the TCP/IP stack of the Nucleus Real-time Operating System (RTOS).

Nucleus, developed by ATI 28 years ago and now managed by Siemens, is an OS for embedded devices that are considered ‘safety-critical’ in industries including manufacturing, the industrial sector, and healthcare.

In an advisory, the cybersecurity team said a total of 13 vulnerabilities have been found, ranging in severity from CVSS 5.3 to 9.8.

The most severe vulnerability is CVE-2021-31886, a CVSS 9.8 buffer overflow flaw.

This is caused by the Nucleus FTP server failing to properly validate the length of the “User” command, meaning that if an authentication request is sent with a very large username –whether it is valid or not – this can be exploited to trigger denial-of-service or to perform a remote code execution (RCE) attack.

Four other vulnerabilities also achieved high severity scores: CVE-2021-31346 (CVSS 8.2), an unchecked ICMP payload issue prompting data leaks and denial-of-service conditions; CVE-2021-31884 (CVSS 8.8), an out-of-bound read/write bug caused by errors in hostname definitions, and both CVE-2021-31887 and CVE-2021-31888 (CVSS 8.8), two FTP server validation command problems which could be used to trigger denial-of-service and RCE.

In addition, eight further vulnerabilities, considered less severe, were disclosed:

  • CVE-2021-31344 (CVSS 5.3): ICMP echo packets with fake IP options can be sent to hosts
  • CVE-2021-31345 (CVSS 7.5): Unchecked UDP payloads can lead to information leaks, denial-of-service
  • CVE-2021-31881 (CVSS 7.1): Length validation failures in the DHCP client, leading to denial-of-service
  • CVE-2021-31882 (CVSS 6.5): Length validation failures in DHCP ACK packets, causing denial-of-service
  • CVE-2021-31883 (CVSS 7.1): Length validation failures in DHCP vendor options, also leading to denial-of-service
  • CVE-2021-31885 (CVSS 7.5): Malformed TFTP commands could be sent to read the TFTP memory buffer
  • CVE-2021-31889 (CVSS 7.5): Information leaks, denial-of-service caused by malformed TCP packets with corrupted SACK options
  • CVE-021-31890 (CVSS 7.5): Unchecked TCP payload lengths causing data leaks, denial-of-service

Implications

Assessing the real-world impact is difficult, but when Shodan was first queried on August 5, over 2,200 vulnerable FTP and RTOS instances were found.

“Real-world exploitation is easy to achieve for denials of service and harder for remote code execution because it depends on specifics of each device,” Forescout told The Daily Swig.

“This is true for NUCLEUS:13 […] but in both cases (DoS and RCE), exploitation in-the-wild has to bring a financial advantage to the attackers, since few incidents nowadays are not financially motivated.”

Forescout has published a list of advisories related to vendors who may be impacted by NUCLEUS:13 on GitHub.

Patch now

Siemens has developed patches to resolve the vulnerabilities and device vendors are expected to release their own updates. Some of the bugs were resolved in earlier stack versions.

The researchers recommend that updates be applied to vulnerable software versions once they are available.

Forescout told us that at the time of writing, 1,001 devices on Shodan still contain the FTP fingerprint and 1,230 contain the OS fingerprint, changes of -168 and +140, respectively, or a total of -28.

As patching embedded devices can be “notoriously difficult due to their mission-critical nature”, the team has also provided exploit mitigation recommendations including the use of the Project Memoria script to detect devices running Nucleus; the enforcement of segmentation controls, and the recommendation that network traffic is monitored for suspicious behavior.

Advertisement. Scroll to continue reading.

Source: https://portswigger.net/daily-swig/nucleus-13-host-of-vulnerabilities-shatter-nucelus-tcp-ip-stack-defenses

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Cybercriminals are increasingly leveraging extreme weather events to launch attacks on critical infrastructure sectors. Cybersecurity experts say critical infrastructure operators can leverage a set...

Cyber Security

The United States is facing an unsustainable demand for water and lacks the security posture to defend the nation’s water systems from emerging threats,...

Cyber Security

North Korean state-sponsored hackers Lazarus Group have been exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target internet backbone infrastructure and healthcare institutions in Europe...

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO