13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities Identified in Medical Devices

13 vulnerabilities were discovered in the Siemens Nucleus RTOS TCP/IP stack that threat actors can potentially exploit remotely to carry out arbitrary code execution, do a denial-of-service attack, and acquire sensitive data.

The vulnerabilities, referred to as NUCLEUS:13, are found to have an affect on the TCP/IP stack and linked FTP and TFTP services of the (Nucleus NET) of the Nucleus Real-Time Operating System (RTOS). This networking component is utilized in numerous safety-critical devices. The healthcare sector has medical devices that use Nucleus for example patient monitors and anesthesia machines.

One of the critical vulnerabilities that have a CVSS v3 severity score of 9.8 out of 10 could permit remote code execution. Ten high severity vulnerabilities have CVSS scores between 7.1 and 8.8. Two medium-severity vulnerabilities have CVSS scores of 5.3 and 6.5.

Forescout Research Labs’ security researchers identified the vulnerabilities. Researchers at Medigate provided them with assistance.

These Nucleus RTOS products are affected by the vulnerabilities:

  • Nucleus NET: All versions
  • Capital VSTAR: All versions
  • Nucleus Source Code: All versions
  • Nucleus ReadyStart v4: All versions before v4.1.1
  • Nucleus ReadyStart v3: All versions before v2017.02.4

Determining where a vulnerable code is utilized is a problem. The researchers tried to calculate the effect of the vulnerabilities according to facts gathered from the official nucleus site, the Forescout device cloud, and the Shodan search engine. Healthcare is the most severely impacted sector. There were 2,233 vulnerable healthcare devices identified as vulnerable. There were 1,066 government devices, 348 retail devices, 326 financial devices, and 317 manufacturing devices identified as vulnerable. In other industry sectors, 1,176 vulnerable devices were found. The use of the vulnerable devices is as follows: 76% for creating automation, 13% in operational technology, 5% IoT, 4% for networking, and 2% were computers operating on Nucleus.

The report about the vulnerabilities was submitted to Siemens as required in the responsible disclosure guidelines. Siemens already released patches to correct all the vulnerabilities that were discovered. Siemens stated a number of the vulnerabilities were discovered and resolved in earlier versions released, however, no CVEs were given.

Using patches to correct the vulnerabilities could be difficult, particularly for embedded devices as well as devices with a mission-critical nature, like devices employed in healthcare services.

In case it’s not possible to apply the patches, Forescout and Siemens suggest employing mitigating measures to minimize the opportunity for exploitation of the vulnerabilities. Siemens advises securing network access to vulnerable devices with best-suited mechanisms and making sure the devices are used in protected IT areas that were set up according to Siemens’ operational instructions.

Forescout has introduced an open-source script with active fingerprinting to identify devices using Nucleus for purposes of discovery and inventory. After locating the devices, Forescout suggests implementing segmentation controls and doing appropriate network hygiene, such as limiting external communication paths and separating or controlling vulnerable devices in a certain place until eventually they could be patched.

Additionally, progressive patches offered by vendors of impacted devices ought to be supervised and all network traffic should be inspected for malicious traffic. A remediation plan must be created for all vulnerable property that balances business continuity demands with risk.