On 9 November 2021, Siemens published 29 security advisories and updates with five of them rated Critical (CVSS score range of 9-10). We recommend installing the latest updates and applying the mitigations as soon as possible.
Details
Two of the critical advisories concern a set of 13 vulnerabilities affecting Nucleus NET, the TCP/IP networking component of the Nucleus Real-Time Operating System (RTOS), and its related services (FTP, TFTP).
Nucleus RTOS is a real-time operating system produced by the Embedded Software Division of Mentor Graphics, a Siemens Business. The operating system is designed for real-time embedded systems for medical, industrial, consumer, aerospace, and internet-of-things uses.
The flaws, dubbed NUCLEUS 13 by the researchers who reported them, could be leveraged to obtain Remote Code Execution (RCE) on vulnerable devices, create a Denial-of-Service (DoS) condition, or obtain sensitive information. The most critical of the 13 is CVE-2021-31886, an Improper Null Termination flaw that could lead to a stack-based buffer overflow; this may result in DoS conditions and RCE. CVSS v3.1 Base Score: 9.8.
- The SSA-044112 advisory lists products affected by NUCLEUS 13 as: all versions of Capital VSTAR, all versions of Nucleus NET, Nucleus ReadyStart V3 < V2017.02.4, Nucleus ReadyStart V4 < V4.1.1, and Nucleus Source Code.
- The SSA-114589 advisory addresses multiple vulnerabilities in APOGEE and TALON products that are based on Nucleus RTOS.
Another critical advisory, SSA-840188, addresses three vulnerabilities in SIMATIC WinCC. They also affect the SIMATIC PCS 7 distributed control system (DCS), because SIMATIC WinCC is the supervisory control and data acquisition (SCADA) system integrated into SIMATIC PCS 7.
- The most critical vulnerability in this advisory carries a CVSS v3.1 Base Score of 9.9. Tracked as CVE-2021-40358, it is a Path Traversal vulnerability. Legitimate file operations of the affected systems do not properly neutralize special elements within the pathname. This could allow an unauthorized party to read, write or delete critical files in a restricted directory on the server.
SSA-917476 describes six vulnerabilities in SCALANCE W1750D devices. The flaws could allow an attacker to execute code on the affected device(s), read arbitrary files, or cause a DoS condition.
- The most critical of the six flaws, tracked as CVE-2021-37726, is a remote buffer overflow vulnerability in the HPE Aruba Instant (IAP) wireless access point used by SCALANCE W1750D. Successful exploitation could allow unauthenticated remote code execution, potentially resulting in arbitrary code running as a privileged user on the underlying system. CVSS v3.1 Base Score: 9.8.
The SSA-675303 advisory is a minor update to an advisory published in July 2021, addressing WIBU Systems CodeMeter Runtime vulnerabilities in Siemens products.
Recommendations
If you are using any of the vulnerable products, apply the latest updates and/or the recommended mitigations as soon as possible.
Follow recommended security practices for each product in the applicable Siemens advisory.
References
Siemens Security Advisories
CISA Advisory on NUCLEUS 13 Flaws