-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-620288: Multiple Vulnerabilities (NUCLEUS:13) in CAPITAL VSTAR

Publication Date:        2021-12-14
Last Update:             2021-12-14
Current Version:         1.0
CVSS v3.1 Base Score:    8.8

SUMMARY
=======

Multiple vulnerabilities (also known as "NUCLEUS:13") have be identified
in the Nucleus RTOS (real-time operating system) and reported in the
Siemens Security Advisory SSA-044112:
https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf.

CAPITAL VSTAR uses an affected version of the Nucleus software and
inherently contains several of these vulnerabilities.

Siemens recommends specific countermeasures for products where updates
are not available.


AFFECTED PRODUCTS AND SOLUTION
==============================


* Capital VSTAR
  - Affected versions:
       All versions with enabled Ethernet options
  - Remediation:
       Currently no remediation is available
       See recommendations from section "Workarounds and Mitigations"


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* CVE-2021-31344, CVE-2021-31345, CVE-2021-31346, CVE-2021-31889,
CVE-2021-31890: Apply network segmentation and put the ECUs behind
properly configured gateways/firewalls

* CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable
DHCP client functionality, if feature not used, by deselecting the
TcpIpIpV4General/TcpIpDhcpClientEnabled Pre-Compile configuration option



GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

Capital VSTAR is an efficient implementation of the AUTOSAR standard. It
is a complete solution including tools and a software platform to meet
engineers' needs, from creating ECU extract updates to software platform
configurations.
 Although not based on Nucleus RTOS, VSTAR includes its
networking module, Nucleus NET.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2021-31344

  ICMP echo packets with fake IP options allow sending ICMP echo reply
  messages to arbitrary hosts on the network. (FSMD-2021-0004)

  CVSS v3.1 Base Score: 5.3
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

* Vulnerability CVE-2021-31345

  The total length of an UDP payload (set in the IP header) is unchecked.
  This may lead to various side effects, including Information Leak and
  Denial-of-Service conditions, depending on a user-defined applications
  that runs on top of the UDP protocol. (FSMD-2021-0006)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-1284: Improper Validation of Specified Quantity in Input

* Vulnerability CVE-2021-31346

  The total length of an ICMP payload (set in the IP header) is unchecked.
  This may lead to various side effects, including Information Leak and
  Denial-of-Service conditions, depending on the network buffer
  organization in memory. (FSMD-2021-0007)

  CVSS v3.1 Base Score: 8.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-1284: Improper Validation of Specified Quantity in Input

* Vulnerability CVE-2021-31881

  When processing a DHCP OFFER message, the DHCP client application does
  not validate the length of the Vendor option(s), leading to
  Denial-of-Service conditions. (FSMD-2021-0008)

  CVSS v3.1 Base Score: 7.1
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-125: Out-of-bounds Read

* Vulnerability CVE-2021-31882

  The DHCP client application does not validate the length of the Domain
  Name Server IP option(s) (0x06) when processing DHCP ACK packets. This
  may lead to Denial-of-Service conditions. (FSMD-2021-0011)

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

* Vulnerability CVE-2021-31883

  When processing a DHCP ACK message, the DHCP client application does not
  validate the length of the Vendor option(s), leading to
  Denial-of-Service conditions. (FSMD-2021-0013)

  CVSS v3.1 Base Score: 7.1
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

* Vulnerability CVE-2021-31884

  The DHCP client application assumes that the data supplied with the
  "Hostname" DHCP option is NULL terminated. In cases when global hostname
  variable is not defined, this may lead to Out-of-bound reads, writes,
  and Denial-of-service conditions. (FSMD-2021-0014)

  CVSS v3.1 Base Score: 8.8
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-170: Improper Null Termination

* Vulnerability CVE-2021-31889

  Malformed TCP packets with a corrupted SACK option leads to Information
  Leaks and Denial-of-Service conditions. (FSMD-2021-0015)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-191: Integer Underflow (Wrap or Wraparound)

* Vulnerability CVE-2021-31890

  The total length of an TCP payload (set in the IP header) is unchecked.
  This may lead to various side effects, including Information Leak and
  Denial-of-Service conditions, depending on the network buffer
  organization in memory. (FSMD-2021-0017)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-240: Improper Handling of Inconsistent Structural Elements




ADDITIONAL INFORMATION
======================
Products listed in this advisory use Nucleus NET, the networking stack
of Nucleus RTOS (Real-time operating system).

For more details regarding the vulnerabilities reported for Nucleus RTOS
refer to Siemens Security Advisory SSA-044112:
https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2021-12-14): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmG33oAACgkQlm7gTEmy
ujREmg/9ENelzoO0UZ6jiSI9jcL2MUoMYlAU7+0pfdWjCCWMlipTEvILviG+32J6
yEnCDY48BT9MBsNRNrZOTzkMtkf5Jvc6BvDFxnLgxnVHLkKiPz3/QwOcNdQ9PYA6
8Iv44fhdXWRI5c+5pEQaLwtjmo/RWafpuibxwNHGCvp69CWELd3cM0FAkeYFxEi7
P+0kxWLoKpA7RdiP0oH6pwaz0ZmS1lWa7Cqqep6sHh7qUqnHJ/m1CQVgSg4W/7bZ
WTI/PTNsDhjuUfBFrZbeBKGOjTTusB/Rv8SZqta+OKoK0jiQc86E1xhWmGwtg5J3
0mnLdnQwBLZqn7+t3yZTEoSdYLypT9lgi1IjtS0NfaiSSWU6PvH+X8wkZfXrKbOe
UfKCzuC7feMIRPzzQJF8oehj1cNN5Oyt1l+0p88tIK7Bzd7j/rCD20yEG/UPlNzW
XpSAneQXkmGSpD2ZEyHa7mo2rL1UFIdKbN2nxg6xnKwlmv5HMQqpYn1ZszL9zmAy
KWCXn2uqQeQHd2vR42s1KSmbj1St/ztCX0ukC++sAUjyOzvA/YG+p5lbsCeKxpl7
YX5i5QWHx5X9KJ1WrQFkVH1nFL0FnDxl0BcEIb/Vg43fF43YmxoYVnz9J/W31ROZ
qwgenOueMJs53ZBHra3tkeoeJzTvmVtzE5PmNOwQEfV4gwCPsAY=
=5weu
-----END PGP SIGNATURE-----