-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-620288: Multiple Vulnerabilities (NUCLEUS:13) in CAPITAL VSTAR

Publication Date:     2021-12-14
Last Update:          2021-12-14
Current Version:      1.0
CVSS v3.1 Base Score: 8.8

SUMMARY
=======

Multiple vulnerabilities (also known as "NUCLEUS:13") have been identified in the Nucleus RTOS (real-time operating system) and reported in the Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf.

CAPITAL VSTAR uses an affected version of the Nucleus software and inherently contains several of these vulnerabilities.

Siemens recommends specific countermeasures for products where updates are not available.

AFFECTED PRODUCTS AND SOLUTION
==============================

* Capital VSTAR
  - Affected versions:
    All versions with enabled Ethernet options
  - Remediation: Currently no remediation is available
    See recommendations from section "Workarounds and Mitigations"

WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

* CVE-2021-31344, CVE-2021-31345, CVE-2021-31346, CVE-2021-31889, CVE-2021-31890: Apply network segmentation and put the ECUs behind properly configured gateways/firewalls

* CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable DHCP client functionality, if the feature is not used, by deselecting the TcpIpIpV4General/TcpIpDhcpClientEnabled pre-compile configuration option

Note the different reach of the two groups: the DHCP issues are rated adjacent-network (AV:A) and disappear entirely once the DHCP client is compiled out, whereas the IP/ICMP/UDP/TCP issues are network-reachable (AV:N) and are reduced only by limiting which hosts can deliver packets to the ECU at all.

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms.
In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

Capital VSTAR is an efficient implementation of the AUTOSAR standard. It is a complete solution including tools and a software platform to meet engineers' needs, from creating ECU extract updates to software platform configurations.

Although not based on Nucleus RTOS, VSTAR includes its networking module, Nucleus NET.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. The base score of 8.8 given in the header of this advisory is that of the highest-rated individual issue, CVE-2021-31884.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

* Vulnerability CVE-2021-31344

  ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)

  CVSS v3.1 Base Score: 5.3
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

* Vulnerability CVE-2021-31345

  The total length of a UDP payload (set in the IP header) is unchecked.
  This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the user-defined application that runs on top of the UDP protocol. (FSMD-2021-0006)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-1284: Improper Validation of Specified Quantity in Input

* Vulnerability CVE-2021-31346

  The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)

  CVSS v3.1 Base Score: 8.2
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-1284: Improper Validation of Specified Quantity in Input

* Vulnerability CVE-2021-31881

  When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)

  CVSS v3.1 Base Score: 7.1
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-125: Out-of-bounds Read

* Vulnerability CVE-2021-31882

  The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011)

  CVSS v3.1 Base Score: 6.5
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

* Vulnerability CVE-2021-31883

  When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
  (FSMD-2021-0013)

  CVSS v3.1 Base Score: 7.1
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

* Vulnerability CVE-2021-31884

  The DHCP client application assumes that the data supplied with the "Hostname" DHCP option is NULL terminated. In cases where the global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-Service conditions. (FSMD-2021-0014)

  CVSS v3.1 Base Score: 8.8
  CVSS Vector:          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-170: Improper Null Termination

* Vulnerability CVE-2021-31889

  Malformed TCP packets with a corrupted SACK option lead to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-191: Integer Underflow (Wrap or Wraparound)

* Vulnerability CVE-2021-31890

  The total length of a TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)

  CVSS v3.1 Base Score: 7.5
  CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-240: Improper Handling of Inconsistent Structural Elements

ADDITIONAL INFORMATION
======================

Products listed in this advisory use Nucleus NET, the networking stack of Nucleus RTOS (Real-time operating system).
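The two input checks whose absence the FSMD findings above describe, as an added C example. This is not Siemens, Mentor or Nucleus NET code and does not reflect how Nucleus NET or Capital VSTAR actually implement either path; it shows what a receiver has to do with the attacker-controlled lengths in question. The IPv4 header layout follows RFC 791 and the DHCP option encoding RFC 2132; the 64-byte hostname buffer, the four-entry DNS list and every packet in the block are assumptions constructed for the demo, not captured traffic.

```c
/* Added example, not Siemens, Mentor or Nucleus NET code and not VSTAR's real
 * implementation: the two input checks whose absence this advisory describes.
 * Layouts follow RFC 791 (IPv4) and RFC 2132 (DHCP options); every packet
 * below is constructed for the demo, not captured traffic. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CVE-2021-31345/31346/31890 class: the IP header's Total Length is attacker-
 * controlled, so any upper-layer payload length derived from it must be bounded
 * by the byte count the driver actually delivered. Returns payload length or -1. */
int ip_payload_len(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 20 || (frame[0] >> 4) != 4) return -1;  /* too short or not IPv4 */
    size_t ihl = (size_t)(frame[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > frame_len) return -1;             /* IHL must be sane and fit */
    size_t total = ((size_t)frame[2] << 8) | frame[3];
    if (total < ihl) return -1;                             /* total - ihl would wrap (CWE-191) */
    if (total > frame_len) return -1;                       /* claims bytes that never arrived */
    return (int)(total - ihl);
}

/* CVE-2021-31881..31884 class: DHCP options are TLVs. Each declared length is
 * checked against the remaining buffer before the value is read, the DNS list
 * must be whole addresses, and the Hostname value gets an explicit terminator
 * instead of being assumed NUL-terminated (64-byte buffer is this example's
 * assumption). Returns 0 on success, -1 on a malformed option list. */
#define DHCP_OPT_PAD 0
#define DHCP_OPT_DNS 6
#define DHCP_OPT_HOSTNAME 12
#define DHCP_OPT_VENDOR 43
#define DHCP_OPT_END 255

struct dhcp_parsed {
    char    hostname[64];  /* always NUL-terminated on return */
    uint8_t dns[4][4];     /* up to four servers, network byte order */
    size_t  dns_count;
    size_t  vendor_len;    /* accepted length of option 43, 0 if absent */
};

int dhcp_parse_options(const uint8_t *opts, size_t len, struct dhcp_parsed *out)
{
    memset(out, 0, sizeof *out);
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return 0;
        if (i >= len) return -1;                /* code byte with no length byte */
        size_t olen = opts[i++];
        if (olen > len - i) return -1;          /* value would run past the buffer */
        const uint8_t *val = opts + i;
        switch (code) {
        case DHCP_OPT_HOSTNAME: {
            size_t n = olen < sizeof out->hostname - 1 ? olen : sizeof out->hostname - 1;
            memcpy(out->hostname, val, n);
            out->hostname[n] = '\0';            /* never rely on a NUL from the wire */
            break;
        }
        case DHCP_OPT_DNS:
            if (olen == 0 || olen % 4 != 0) return -1;
            for (size_t k = 0; k < olen && out->dns_count < 4; k += 4)
                memcpy(out->dns[out->dns_count++], val + k, 4);
            break;
        case DHCP_OPT_VENDOR:
            out->vendor_len = olen;             /* only used after the bound check above */
            break;
        default:
            break;                              /* unknown options skipped, never trusted */
        }
        i += olen;
    }
    return -1;  /* list ended without END: treat as malformed rather than guess */
}

static const uint8_t ip_ok[28] = {
    0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 64, 17, 0, 0,   /* IHL=5, Total Length=28, UDP */
    10, 0, 0, 1, 10, 0, 0, 2, 1, 2, 3, 4, 5, 6, 7, 8 }; /* src, dst, 8 payload bytes */
static const uint8_t ip_lying[28] = {
    0x45, 0x00, 0x05, 0xdc, 0, 0, 0, 0, 64, 17, 0, 0,   /* Total Length=1500, only 28 arrived */
    10, 0, 0, 1, 10, 0, 0, 2, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t dhcp_ok[] = {
    12, 5, 'e', 'c', 'u', '0', '1',  /* Hostname, no NUL on the wire */
    6, 4, 10, 0, 0, 53,              /* one DNS server */
    43, 2, 0xaa, 0xbb,               /* Vendor option */
    255 };
static const uint8_t dhcp_bad_vendor[] = { 43, 200, 0x01, 0x02 };     /* claims 200 bytes, has 2 */
static const uint8_t dhcp_bad_dns[]    = { 6, 5, 1, 2, 3, 4, 5, 255 }; /* 5 bytes is not an address list */

int main(void)
{
    struct dhcp_parsed p;
    printf("ip_ok=%d ip_lying=%d\n", ip_payload_len(ip_ok, sizeof ip_ok), ip_payload_len(ip_lying, sizeof ip_lying));
    int rc = dhcp_parse_options(dhcp_ok, sizeof dhcp_ok, &p);
    printf("dhcp_ok rc=%d host=%s dns=%zu vendor=%zu\n", rc, p.hostname, p.dns_count, p.vendor_len);
    printf("bad_vendor rc=%d\n", dhcp_parse_options(dhcp_bad_vendor, sizeof dhcp_bad_vendor, &p));
    printf("bad_dns rc=%d\n", dhcp_parse_options(dhcp_bad_dns, sizeof dhcp_bad_dns, &p));
    return 0;
}
```

Two points of order matter in practice. The frame-length check has to run before any transport layer computes its own payload size from the IP header, otherwise UDP, ICMP and TCP each inherit the bad number (which is why three separate CVEs share one root cause here). And in the DHCP walker the length byte is compared with the remaining buffer before the value pointer is dereferenced for any option, including ones the client does not understand; validating only the options it cares about is how a Vendor option (43) that the stack merely stores can still drive an out-of-bounds read.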
For more details regarding the vulnerabilities reported for Nucleus RTOS refer to Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2021-12-14): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmG33oAACgkQlm7gTEmy
ujREmg/9ENelzoO0UZ6jiSI9jcL2MUoMYlAU7+0pfdWjCCWMlipTEvILviG+32J6
yEnCDY48BT9MBsNRNrZOTzkMtkf5Jvc6BvDFxnLgxnVHLkKiPz3/QwOcNdQ9PYA6
8Iv44fhdXWRI5c+5pEQaLwtjmo/RWafpuibxwNHGCvp69CWELd3cM0FAkeYFxEi7
P+0kxWLoKpA7RdiP0oH6pwaz0ZmS1lWa7Cqqep6sHh7qUqnHJ/m1CQVgSg4W/7bZ
WTI/PTNsDhjuUfBFrZbeBKGOjTTusB/Rv8SZqta+OKoK0jiQc86E1xhWmGwtg5J3
0mnLdnQwBLZqn7+t3yZTEoSdYLypT9lgi1IjtS0NfaiSSWU6PvH+X8wkZfXrKbOe
UfKCzuC7feMIRPzzQJF8oehj1cNN5Oyt1l+0p88tIK7Bzd7j/rCD20yEG/UPlNzW
XpSAneQXkmGSpD2ZEyHa7mo2rL1UFIdKbN2nxg6xnKwlmv5HMQqpYn1ZszL9zmAy
KWCXn2uqQeQHd2vR42s1KSmbj1St/ztCX0ukC++sAUjyOzvA/YG+p5lbsCeKxpl7
YX5i5QWHx5X9KJ1WrQFkVH1nFL0FnDxl0BcEIb/Vg43fF43YmxoYVnz9J/W31ROZ
qwgenOueMJs53ZBHra3tkeoeJzTvmVtzE5PmNOwQEfV4gwCPsAY=
=5weu
-----END PGP SIGNATURE-----