# SSA-620288: Multiple Vulnerabilities (NUCLEUS:13) in CAPITAL VSTAR

Publication Date: 2021-12-14
Last Update: 2022-11-08
Current Version: 1.1
CVSS v3.1 Base Score: 8.2

SUMMARY
=======

Multiple vulnerabilities (also known as "NUCLEUS:13") have been identified in the Nucleus RTOS (real-time operating system) and reported in the Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf. CAPITAL VSTAR uses an affected version of the Nucleus software and inherently contains several of these vulnerabilities.

Siemens recommends specific countermeasures for products where updates are not available.

AFFECTED PRODUCTS AND SOLUTION
==============================

* Capital VSTAR
  - Affected versions: All versions with enabled Ethernet options
  - Remediation: Currently no fix is available
    See recommendations from section "Workarounds and Mitigations"

WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

* CVE-2021-31344, CVE-2021-31345, CVE-2021-31346, CVE-2021-31889, CVE-2021-31890: Apply network segmentation and put the ECUs behind properly configured gateways/firewalls
* CVE-2021-31881, CVE-2021-31882, CVE-2021-31883: Disable DHCP client functionality, if the feature is not used, by deselecting the TcpIpIpV4General/TcpIpDhcpClientEnabled Pre-Compile configuration option

Please follow the "General Security Recommendations".

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms.
In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

Capital VSTAR is an efficient implementation of the AUTOSAR standard. It is a complete solution including tools and a software platform to meet engineers' needs, from creating ECU extract updates to software platform configurations. Although not based on Nucleus RTOS, VSTAR includes its networking module, Nucleus NET.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

* Vulnerability CVE-2021-31344

  ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)

  CVSS v3.1 Base Score: 5.3
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
  CWE: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

* Vulnerability CVE-2021-31345

  The total length of a UDP payload (set in the IP header) is unchecked.
  This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the user-defined application that runs on top of the UDP protocol. (FSMD-2021-0006)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE: CWE-1284: Improper Validation of Specified Quantity in Input

* Vulnerability CVE-2021-31346

  The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE: CWE-1284: Improper Validation of Specified Quantity in Input

* Vulnerability CVE-2021-31881

  When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)

  CVSS v3.1 Base Score: 7.1
  CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE: CWE-125: Out-of-bounds Read

* Vulnerability CVE-2021-31882

  The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011)

  CVSS v3.1 Base Score: 6.5
  CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

* Vulnerability CVE-2021-31883

  When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
  (FSMD-2021-0013)

  CVSS v3.1 Base Score: 7.1
  CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

* Vulnerability CVE-2021-31889

  Malformed TCP packets with a corrupted SACK option lead to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE: CWE-191: Integer Underflow (Wrap or Wraparound)

* Vulnerability CVE-2021-31890

  The total length of a TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE: CWE-240: Improper Handling of Inconsistent Structural Elements

ADDITIONAL INFORMATION
======================

Products listed in this advisory use Nucleus NET, the networking stack of Nucleus RTOS (Real-time operating system). For more details regarding the vulnerabilities reported for Nucleus RTOS refer to Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2021-12-14): Publication Date
V1.1 (2022-11-08): Removed CVE-2021-31884 as Capital VSTAR is not affected

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms").
To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2022
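The two defect classes listed in this advisory (a payload length taken from the IP header without comparison against the bytes actually received, CVE-2021-31345/31346/31890, and DHCP option lengths used without a bounds check, CVE-2021-31881/31882/31883) both come down to a missing length check on the receive path. The C below is an added example of what those checks look like in a hardened stack; it is hypothetical illustration code, not Nucleus NET or Capital VSTAR code, and the sample packet and option buffers are constructed here rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return 1 if the IPv4 total-length field agrees with the bytes actually received
 * and, for UDP, with the UDP length field; 0 otherwise. Trusting the header's
 * length instead of the received length is the defect class of CVE-2021-31345/31346/31890. */
int ipv4_udp_lengths_ok(const uint8_t *frame, size_t received)
{
    if (received < 20) return 0;                            /* no full IPv4 header */
    size_t ihl = (size_t)(frame[0] & 0x0f) * 4;
    size_t total = ((size_t)frame[2] << 8) | frame[3];
    if (ihl < 20 || total < ihl || total > received) return 0;
    if (frame[9] != 17) return 1;                           /* not UDP: IP-level check only */
    if (total - ihl < 8) return 0;                          /* no full UDP header */
    size_t udp_len = ((size_t)frame[ihl + 4] << 8) | frame[ihl + 5];
    return udp_len >= 8 && udp_len == total - ihl;
}

/* Walk DHCP options (RFC 2132 code/length/value layout). Return the option count
 * before END, or -1 if any length overruns the buffer or option 6 (DNS servers) is
 * not a whole number of IPv4 addresses: the bound CVE-2021-31881/31882/31883 lack. */
int dhcp_options_ok(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    int count = 0;
    while (i < len) {
        uint8_t code = opts[i];
        if (code == 0) { i++; continue; }                   /* PAD */
        if (code == 255) return count;                      /* END */
        if (i + 1 >= len) return -1;                        /* length byte missing */
        size_t olen = opts[i + 1];
        if (i + 2 + olen > len) return -1;                  /* value overruns buffer */
        if (code == 6 && (olen == 0 || olen % 4 != 0)) return -1;
        i += 2 + olen;
        count++;
    }
    return -1;                                              /* END option missing */
}

/* Constructed samples, not captured traffic. */
static const uint8_t good_udp[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00, /* IPv4, total=28, proto UDP */
    10,0,0,1, 10,0,0,2,                                            /* src, dst */
    0x00,0x44, 0x00,0x43, 0x00,0x08, 0x00,0x00 };                  /* UDP ports, len=8, cksum */
static const uint8_t good_opts[] = { 53,1,2, 6,8, 8,8,8,8, 1,1,1,1, 255 };
static const uint8_t bad_opts[]  = { 53,1,2, 43,200, 1,2,3 };       /* vendor option claims 200 bytes */
```

Called from your own main or test harness, `ipv4_udp_lengths_ok(good_udp, 28)` returns 1 but returns 0 once the total-length bytes are inflated or fewer bytes than claimed were received, and `dhcp_options_ok` returns 2 for `good_opts` and -1 for `bad_opts` or for `good_opts` truncated inside the DNS option.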