NUCLEUS:13 - Dissecting the Nucleus TCP/IP stack
In the fifth study of Project Memoria – NUCLEUS:13 – Forescout Research Labs and Medigate identified a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack.
Nucleus is currently owned by Siemens. Its original release was in 1993 and, since then, it has been deployed in many industry verticals with safety and security requirements such as medical devices, automotive, and industrial systems.
Upon identification of the new vulnerabilities, Forescout Research Labs and Medigate collaborated with Siemens, CISA, CERT/CC and other agencies to confirm the findings and notify vendors.
According to Siemens website, Nucleus is deployed in 3 billion devices. Anesthesia machines, ventilators and patient monitors are among the medical devices possibly impacted by NUCLEUS:13.
The new vulnerabilities allow for Remote Code Execution or Denial of Service with three of the thirteen new vulnerabilities being critical with CVSS score of 9.9 and 10.
Forescout Research Labs and Medigate exploited one of the Remote Code Execution vulnerabilities in their labs and show the potential effects of a successful attack able to disrupt medical care and other critical processes.
General recommended mitigations for NUCLEUS:13 include limiting the network exposure of critical vulnerable devices via network segmentation and patching devices whenever vendors release patches. Some of the vulnerabilities can also be mitigated by blocking or disabling support for unused protocols, such as FTP.