Security News > 2021 > November > 13 New Flaws in Siemens Nucleus TCP/IP Stack Impact Safety-Critical Equipment

As many as 13 security vulnerabilities have been discovered in the Nucleus TCP/IP stack, a software library now maintained by Siemens and used in three billion operational technology and IoT devices that could allow for remote code execution, denial-of-service, and information leak.

Collectively called "NUCLEUS:13," successful attacks abusing the flaws can "Result in devices going offline and having their logic hijacked," and "Spread[ing] malware to wherever they communicate on the network," researchers from Forescout and Medigate said in a technical report published Tuesday, with one proof-of-concept successfully demonstrating a scenario that could potentially disrupt medical care and critical processes.

Siemens has since released security updates to remediate the weaknesses in Nucleus ReadyStart versions 3 and 4.

Primarily deployed in automotive, industrial, and medical applications, Nucleus is a closed-source real-time operating system used in safety-critical devices, such as anesthesia machines, patient monitors, ventilators, and other healthcare equipment.

ForeScout's telemetry analysis has revealed closed to 5,500 devices from 16 vendors, with most of the vulnerable Nucleus devices found in the healthcare sector followed by government, retail, financial, and manufacturing.

In an independent advisory, the U.S. Cybersecurity and Infrastructure Security Agency urged users to take defensive measures to mitigate the risk of exploitation of these vulnerabilities, including minimizing network exposure for all control system devices, segmenting control system networks from business networks, and using VPNs for remote access.

News URL

https://thehackernews.com/2021/11/13-new-flaws-in-siemens-nucleus-tcpip.html