A set of 13 critical vulnerabilities found in Siemens Nucleus TCP/IP stack could enable a host of nefarious activities, including remote code execution, denial-of-service attacks, or data leaks. Nucleus is used in numerous medical devices, such as anesthesia machines and patient monitors.

Dubbed Nucleus:13, the vulnerabilities may be present in millions of devices in communication with the TCP/IP stack. For healthcare, Forescout data shows there are 2,233 devices running with the Nucleus vulnerabilities.

Nucleus NET is the TCP/IP stack of the Nucleus Real-time Operating System (RTOS), initially released in 1993 by Accelerated Technology. It was acquired by Mentor Graphics and then Siemens in 2017. Nucleus is still used in critical safety devices used by hospitals and the healthcare sector, including building automation systems that control lighting and ventilation.

Forescout Senior Research Manager Daniel dos Santos told SC Media Shodan.io shows a decrease in the number of internet-exposed devices using the stack. However, there are still many devices connected to mission-critical entities, including hospitals.

The flaws were disclosed and analyzed by Forescout Research Labs with support from Medigate Labs. Forescout’s Project Memoria centers around assessing security vulnerabilities and related threats against OT, IT, IoT, and IoMT devices, and supporting entities with remediation.

CVE 2021-31885 is the most critical flaw, ranked 9.8 in severity. The file transfer protocol does not properly validate the length of the USER command, which could lead to stack-based buffer overflows that prompt denial-of-service conditions and remote code execution.

Two other  FTP server flaws are ranked 8.8 in severity: one is caused by improper validation of the length of the PWD/XPWD command, the other does not properly validate the MKD/XMKD command. Both cause stack-based buffer overflows that lead to denial-of service conditions.

One more 8.8 severity flaw exists in the Dynamic Host Configuration Protocol (DHCP) client application, which “assumes the data supplied with the ‘Hostname’ DHCP option is NULL terminated.” The report shows that in cases where the global hostname variable is not defined, it could cause out-of-bound reads, writes, and denial-of-service conditions.

One final critical flaw ranked 8.2 is caused by the stack not checking the total length of the ICMP payload in the IP header, which could enable information leaks and DoS conditions, “depending on the network buffer organization in memory.”

Additional flaws are caused by the stack failing to check lengths in other payloads or options, including the UDP, vendor options, while a TFTP server application vulnerability could allow an unauthorized actor to read the TFTP memory buffer content by sending malformed commands.

As with previous Forescout research on similar vulnerabilities, like NAME:WRECK, “vulnerabilities in TCP/IP stacks that have been silently patched may still affect several devices,” according to the report. For example, the CVE-2016-20009 was disclosed in 2016 but is still listed in critical, vulnerable devices.

Understanding where the vulnerable code is present has been notoriously challenging, the researchers explained. The official Nucleus website shows the RTOS deployed in over 3 billion devices, such as ZOLL defibrillators or ZONARE ultrasound machines, in healthcare. The 3 billion statistic likely refers to device components, including IoT chipsets.

Shodan.io shows more than 2,200 instances of devices running the critically vulnerable Nucleus FTP. As noted, there’s been a 13% decrease in use of the FTP servers and a 25% decrease in exposed devices operating the RTOS.

Researchers attribute the successful decline in vulnerable devices to its NAME:WRECK research that “most likely brought increased attention to securing publicly exposed embedded devices.

Siemens already issued patches for all 13 vulnerabilities, some of which had been previously patched in existing stack versions but were never issued CVEs. Forescout stressed that complete protection against the Nucleus vulnerabilities requires organizations to patch all devices operating with the vulnerable software versions.

However, healthcare’s patching challenges are well known, much of which stems from challenges with understanding what devices are operating with the flaws but also where the device lives on the network. Forescout released a frequently updated, open-source script to support entities with detecting Nucleus devices on their network.

System administrators were also encouraged to enforce segmentation controls and proper network hygiene to mitigate risks posed by vulnerable devices, in addition to restricting external communication paths and isolating vulnerable devices in zones.

Entities should always monitor for progressive patches issued by device vendors and implement remediation plans for vulnerable asset inventories able to balance risks to business operations with continuity requirements.

Further, the FTP/TFTP should be disabled if it’s not needed on the device, or connections should be whitelisted.

“Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-days,” Forescout urged. “Anomalous and malformed traffic should be blocked, or at least alert its presence to network operators.”

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued its own alert following the release of Forescout’s research, which urges critical infrastructure entities to review the advisory and apply the critical mitigations.