With an increased focus on critical infrastructure protection, organizations need to pay attention to operational technology vulnerabilities. New research from Forescout Research Labs, dubbed NUCLEUS:13, has identified more than a dozen critical vulnerabilities in the Nucleus TCP/IP stack, enabling remote code execution, denial of service (DoS), and information leaks.
Nucleus is a real-time operating system (RTOS) that has been deployed on more than three billion devices, including automation systems, IoT devices and other operational technologies. The good news is that Siemens, the RTOS vendor, has already released patches for these vulnerabilities; the bad news is that embedded devices are notoriously difficult to patch because of their mission-critical nature. Until organizations can patch these vulnerabilities, they need to mitigate them. Read on to learn how.
Nucleus: At the Heart of It All
Nucleus was released in 1993 and is currently owned by Siemens. According to Siemens, Nucleus has been deployed in three billion devices. Nucleus is currently distributed as ReadyStart and SafetyCert, which includes a certified version of the kernel. Since its release 28 years ago, Nucleus has been deployed in many critical industries, such as medical devices, building automation and industrial control systems (ICS).
Nucleus Net is the TCP/IP stack of Nucleus. A TCP/IP stack is software that implements basic network communication for all IP-connected devices, including Internet of Things (IoT), operational technology (OT) and information technology (IT). TCP/IP stacks are an attractive target for attack because they are built on legacy codebases developed decades ago, implement protocols that cross network perimeters, and expose an abundance of unauthenticated functionality. Unfortunately, attackers can proactively scan for exposed devices, so organizations need to act quickly to understand whether they are at risk.
Understanding the Risk: Remote Code Execution, Denial of Service & Information Leaks
The vulnerabilities within NUCLEUS:13 allow for remote code execution, DoS or information leaks. Remote code execution enables attackers to instruct devices to behave in unintended ways, DoS enables attackers to paralyze operations, and information leaks enable them to steal potentially confidential information.
There are three vulnerabilities in NUCLEUS:13 that enable remote code execution. All three affect the default FTP server shipped with the Nucleus TCP/IP stack. For example, one of these vulnerabilities enables attackers to send a command that is larger than the internal buffer designated to hold the input of the command. Sending a large enough username results in a buffer overflow, enabling the attacker to write into the memory of the affected device, hijack the execution flow, and execute the attacker's code.
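The defect class described above is an input line copied into a fixed-size buffer without first comparing the input length to the buffer size. The following C code is an illustration added here, not Nucleus code and not taken from the Forescout research: a hypothetical FTP USER command handler whose buffer size (`FTP_USER_MAX`) and result codes are assumptions. It measures the username before copying and rejects anything that does not fit, so an over-long username is answered with an error instead of overwriting adjacent memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the server's username buffer (illustrative value). */
#define FTP_USER_MAX 32

/* Unsafe shape of the bug class (do not use):
 *     char user[FTP_USER_MAX];
 *     strcpy(user, line + 5);   -- no check that the input fits
 * The handler below replaces that with a length check before the copy. */

enum ftp_user_result {
    FTP_USER_OK = 0,
    FTP_USER_NOT_USER_CMD = -1,
    FTP_USER_TOO_LONG = -2,
    FTP_USER_EMPTY = -3
};

/* Parse one FTP command line of known length line_len (CRLF optional).
 * On success the username is copied, NUL-terminated, into out (capacity out_cap).
 * line need not be NUL-terminated: every access is bounded by line_len. */
int ftp_parse_user(const char *line, size_t line_len, char *out, size_t out_cap)
{
    static const char prefix[] = "USER ";
    const size_t plen = sizeof(prefix) - 1;
    size_t ulen;

    if (out_cap == 0)
        return FTP_USER_TOO_LONG;
    out[0] = '\0';

    /* Check the length before comparing bytes, so a short line is never over-read. */
    if (line_len < plen || memcmp(line, prefix, plen) != 0)
        return FTP_USER_NOT_USER_CMD;

    ulen = line_len - plen;
    /* Drop a trailing CR/LF if the caller left it on the line. */
    while (ulen > 0 && (line[plen + ulen - 1] == '\r' || line[plen + ulen - 1] == '\n'))
        ulen--;

    if (ulen == 0)
        return FTP_USER_EMPTY;
    /* The bounds check the vulnerable handler lacks: +1 for the NUL terminator. */
    if (ulen + 1 > out_cap)
        return FTP_USER_TOO_LONG;

    memcpy(out, line + plen, ulen);
    out[ulen] = '\0';
    return FTP_USER_OK;
}

/* Convenience wrapper for a NUL-terminated line and the illustrative buffer size. */
int ftp_user_check(const char *line, char out[FTP_USER_MAX])
{
    return ftp_parse_user(line, strlen(line), out, FTP_USER_MAX);
}

int main(void)
{
    char user[FTP_USER_MAX];
    char huge[600];                         /* constructed over-long command */

    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    memcpy(huge, "USER ", 5);

    printf("normal: %d (%s)\n", ftp_user_check("USER admin\r\n", user), user);
    printf("huge:   %d\n", ftp_user_check(huge, user));
    return 0;
}
```

The same length rule can be applied from the network side: a monitor that sees a USER command whose argument exceeds what any legitimate client would send has a simple, low-noise signal to alert on.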
There are six vulnerabilities in NUCLEUS:13 that enable DoS. Three of these vulnerabilities affect the DHCP client, two affect the TCP server, and one affects the IP/ICMP layers. Most of them stem from code that does not check the length of specific fields when processing packets, enabling the attacker to craft packets with invalid fields that cause devices to crash when they try to process them.
There are two vulnerabilities in NUCLEUS:13 that enable information leaks. One affects the TFTP server, and the other affects IP/ICMP. In the case of the TFTP server vulnerability, attackers can read the contents of the TFTP memory buffer by sending malformed TFTP commands.
These vulnerabilities could be used to attack operational technology systems, which could result in physical system compromise. Although many of the devices affected by NUCLEUS:13 appear to be medical devices, the affected population also includes IoT devices and building automation controllers across every industry.
Building automation systems are used to control functions such as physical access controls, fire alarm systems, lighting, and HVAC (heating, ventilation, and air conditioning). Taking control of these systems may have catastrophic consequences; HVAC systems, for instance, control the temperature, humidity and air quality throughout a facility. Changing environmental parameters may damage sensitive equipment and resources.
For example, by exploiting a DoS vulnerability an attacker could stop HVAC systems, while exploiting a remote code execution vulnerability could extend the attack to change any number of variables within the controller. In the worst-case scenario, an attacker could use this compromised device to issue commands to other devices on the network. The only saving grace is that these targeted attacks require specific knowledge of a particular set of controllers and logic.
The devices affected by NUCLEUS:13 are not limited to healthcare and building automation. Programmable Logic Controllers (PLCs) are used for a wide range of process automation. For example, taking control of a PLC could enable an attacker to disrupt an automated train system. If such an attack succeeded, the train might not stop at the station, creating the conditions for a collision with other trains on the track.
Remediation
Complete protection against NUCLEUS:13 requires patching the devices that run vulnerable versions of Nucleus. Siemens has released its official patches, and device vendors using Nucleus should provide their own updates to customers, but network operators need to plan their own mitigation efforts, especially since mission-critical systems are notoriously difficult to patch.
The first step to mitigate NUCLEUS:13 is to discover and inventory vulnerable devices. Forescout Research Labs has released an open-source script that organizations can use to detect devices running Nucleus.
Next, organizations need to enforce network segmentation controls to limit the exposure of vulnerable devices. Isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched, or until they can be patched, and restrict their external communication paths.
Additionally, organizations should monitor all network traffic for malicious packets that try to exploit these vulnerabilities. Block anomalous and malformed traffic, or alert network operators to its presence when the traffic cannot be blocked.
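The DHCP client and TFTP server weaknesses described earlier both come down to trusting a length or a string terminator that the packet does not actually supply, and the monitoring step above asks operators to spot exactly that kind of malformed traffic. The C code below is an example added here, not Nucleus code and not the Forescout detection script: two validators that a stack should run before consuming a packet and that a passive monitor can run over the same bytes to decide whether to block or alert. `dhcp_options_check` walks the option TLVs that follow the DHCP magic cookie and refuses any option whose length byte exceeds the bytes remaining; `tftp_request_check` accepts a read/write request only if its filename and mode are NUL-terminated inside the datagram. The packet samples are constructed for the demonstration and the output buffer size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Walk the DHCP option area (the TLV bytes after the magic cookie).
 * Returns the number of non-pad options, or -1 if an option's length byte
 * points past the end of the buffer or the END option (255) never appears.
 * Option format: code (1 byte), length (1 byte), value; code 0 is a 1-byte
 * PAD with no length, code 255 is END. */
int dhcp_options_check(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    int count = 0;

    while (i < len) {
        uint8_t code = opts[i++];
        uint8_t olen;

        if (code == 0)
            continue;                 /* PAD */
        if (code == 255)
            return count;             /* END: everything before it was in bounds */
        if (i >= len)
            return -1;                /* code present but its length byte is missing */
        olen = opts[i++];
        if (olen > len - i)
            return -1;                /* the missing check: value would run past the datagram */
        i += olen;
        count++;
    }
    return -1;                        /* ran off the end without END */
}

/* Validate a TFTP RRQ (opcode 1) or WRQ (opcode 2): 2-byte opcode, then a
 * filename and a mode, each NUL-terminated within the datagram. On success
 * copies the filename into fname (capacity fname_cap) and returns 0; returns
 * -1 for anything malformed. An unterminated string is the shape that lets a
 * careless parser read beyond the datagram into whatever follows in memory. */
int tftp_request_check(const uint8_t *pkt, size_t len, char *fname, size_t fname_cap)
{
    const uint8_t *p, *end, *nul, *mode, *mode_nul;
    size_t flen;
    uint16_t op;

    if (len < 2 || fname_cap == 0)
        return -1;
    op = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (op != 1 && op != 2)
        return -1;

    p = pkt + 2;
    end = pkt + len;
    nul = memchr(p, 0, (size_t)(end - p));   /* search bounded by the datagram */
    if (nul == NULL)
        return -1;                            /* filename not terminated */
    flen = (size_t)(nul - p);
    if (flen == 0 || flen + 1 > fname_cap)
        return -1;

    mode = nul + 1;
    mode_nul = memchr(mode, 0, (size_t)(end - mode));
    if (mode_nul == NULL || mode_nul == mode)
        return -1;                            /* mode missing or not terminated */

    memcpy(fname, p, flen);
    fname[flen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed samples: a well-formed option list and one whose option 61
     * claims 200 bytes when only 3 remain. */
    static const uint8_t good_opts[] = { 53, 1, 1, 61, 3, 1, 2, 3, 255 };
    static const uint8_t bad_opts[]  = { 53, 1, 1, 61, 200, 1, 2, 3 };
    /* Constructed TFTP requests: a proper RRQ and one with no terminator. */
    static const uint8_t good_rrq[] = { 0, 1, 'c','o','n','f','i','g','.','b','i','n', 0,
                                        'o','c','t','e','t', 0 };
    static const uint8_t bad_rrq[]  = { 0, 1, 'c','o','n','f' };
    char name[64];                            /* assumed output buffer size */

    printf("dhcp good: %d\n", dhcp_options_check(good_opts, sizeof good_opts));
    printf("dhcp bad:  %d\n", dhcp_options_check(bad_opts, sizeof bad_opts));
    printf("tftp good: %d\n", tftp_request_check(good_rrq, sizeof good_rrq, name, sizeof name));
    printf("tftp bad:  %d\n", tftp_request_check(bad_rrq, sizeof bad_rrq, name, sizeof name));
    return 0;
}
```

In a monitoring deployment, a return value of -1 from either check on traffic destined for an unpatched device is the event to block or, where blocking is not an option, to alert on; a well-formed packet that still exercises the protocol oddly (for example, repeated requests from a host that has no business talking TFTP to a controller) is a matter for the segmentation policy in the previous step rather than for packet validation.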
Finally, admins should monitor progressive patches released by affected device vendors and devise a remediation plan for their vulnerable assets, balancing business risks with business continuity requirements.
Unfortunately, many operational technology systems are susceptible to vulnerabilities like NUCLEUS:13 because they rely on legacy operating systems. Project Memoria has collected dozens of these vulnerabilities, and US-CERT publishes frequent ICS advisories. With an increased focus on critical infrastructure protection and the acceleration of IT/OT convergence, organizations have never been more concerned with OT protection. Maintaining visibility into these vulnerabilities and understanding which devices are affected is the first step toward preventing them from being attacked.
Daniel dos Santos holds a Ph.D. in computer science from the University of Trento, Italy, and has published over 30 journal and conference papers on cybersecurity. He has experience in software development, security testing, and research. He is now a research manager at Forescout Technologies, leading a vulnerability and threat research team, as well as collaborating on the research and development of innovative features for network security monitoring.