Vedere Labs, with support from Medigate Labs, have discovered a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which we are collectively calling NUCLEUS:13. These vulnerabilities allow for remote code execution, denial of service, and information leak. Nucleus has been in use for nearly 30 years in safety-critical devices, such as anesthesia machines, patient monitors, and others in healthcare.
billion devices at risk
The Impact of NUCLEUS:13
NUCLEUS:13 vulnerabilities impact the closed source Nucleus TCP/IP stack that is used in billions of OT and IoT devices, especially in medical devices, automotive and industrial systems. Among the vulnerabilities are Denial of Service and Remote Code Execution. Successful attacks can result in devices going offline and having their logic hijacked. Hijacked devices can spread malware to wherever they communicate on the network.
Dive into the Research
This report discloses 13 vulnerabilities for the closed source Nucleus TCP/IP stack and proposes solutions for network operators and the cybersecurity community. Some devices, but not all, are vulnerable to exploitation. Learn which types of devices are vulnerable and the characteristics that make them vulnerable. You will also learn about immediate steps to mitigate the risks caused by the Nucleus vulnerabilities.
Learn How Forescout Can Help
Forescout recently released an open-source script to discover devices running the vulnerable Nucleus TCP/IP stack. Our FAQ includes insights on patching and remediation, segmentation enforcement and monitoring network traffic for malicious packets.
Complete protection against NUCLEUS:13 requires patching devices running the vulnerable versions of Nucleus. Siemens has released its official patches, and device vendors using this software should provide their own updates to customers. Below, we discuss mitigation strategies for network operators.
Given that patching embedded devices is notoriously difficult due to their mission-critical nature, we recommend the following mitigation strategy:
- Discover and inventory devices running Nucleus. Vedere Labs has released an open-source script that uses active fingerprinting to detect devices running Nucleus. The script is updated continuously with new signatures to reflect the latest developments from our research.
- Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate (or contain) vulnerable devices into zones as a mitigating control if they cannot be patched or until they can be patched.
- Monitor progressive patches released by affected device vendors and develop a remediation plan for your vulnerable asset inventory, balancing business risk and business continuity requirements.
- Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible 0-days. Block anomalous and malformed traffic, or at least alert its presence to network operators.
How Forescout Can Help
eyeSight uses the Security Policy Templates (SPTs) module to identify and group vulnerable/potentially vulnerable devices. A new version of the SPT package, which can identify devices vulnerable to NUCLEUS:13 can be downloaded here.
eyeInspect can detect exploitation attempts against devices running Nucleus using the new “NUCLEUS:13 Monitor” script. It can then send alerts to a SIEM/SOAR system for further analysis or enable immediate action via eyeControl, such as assigning a device to a VLAN, instructing a switch to block and isolate a device from the network or use a virtual firewall to restrict specific traffic.
eyeSegment provides network flow mapping of existing communications, which helps to identify unintended communications and enforce appropriate segmentation controls. Once vulnerable devices have been identified, they can be logically grouped to decrease the communications allowed to/from them, thereby limiting the likelihood of compromise as well as the blast radius if a compromise occurs.