RESEARCH REPORT | NUCLEUS:13

NUCLEUS: 13
Dissecting the Nucleus TCP/IP stack
By Forescout Research Labs & Medigate Labs

Forescout Research Labs

Daniel dos Santos
Stanislav Dashevskyi
Amine Amri

Medigate Labs
Uriel Malin
Tal Zohar
Yuval Halaban
RESEARCH REPORT | NUCLEUS:13

Table of Contents

1. Executive Summary.......................................................................................................3
2. Main Findings.................................................................................................................5
2.1. What is Nucleus NET?................................................................................................5

2.2. Why analyze Nucleus NET?........................................................................................5

2.3. Analysis and findings................................................................................................6

3. Attack Scenarios Leveraging NUCLEUS:13.................................................................7

3.1. Scenario 1: hacking the hospital..................................................................................7

3.2. Scenario 2: crashing the trains....................................................................................9

4. Impact...........................................................................................................................10
5. Mitigation Recommendations...................................................................................14
6. Technical Dive-In: Exploiting CVE-2021-31886........................................................15
6.1. Root cause analysis..................................................................................................16

6.2. Exploiting a QEMU image.........................................................................................17

6.3. Exploiting a WAGO 750-852......................................................................................23

7. Conclusions..................................................................................................................27

FORESCOUT RESEARCH LABS

RESEARCH REPORT | NUCLEUS:13 | Executive Summary
1. Executive Summary
• In the fifth study of Project Memoria –
NUCLEUS:13 – Forescout Research Labs and
Medigate Labs identified a set of 13 new
vulnerabilities affecting the Nucleus TCP/IP
stack.
• Nucleus is currently owned by Siemens.
Originally released in 1993, Nucleus has
been deployed in many industries that
have safety and security requirements,
such as medical devices, automotive and
industrial systems.
• Upon identifying new vulnerabilities,
Forescout Research Labs and Medigate Labs
collaborated with Siemens, CISA, CERT/CC
and other agencies to confirm the findings
and notify vendors.
• According to the Siemens website, Nucleus
is deployed in three billion devices.
Anesthesia machines, ventilators and
patient monitors are among the medical
devices possibly impacted by NUCLEUS:13.
FORESCOUT RESEARCH LABS
• The new vulnerabilities allow for Remote
Code Execution or Denial of Service, with
three of the thirteen new vulnerabilities
being critical and having CVSS scores of
either 9.8 or 8.8.
• Forescout Research Labs and Medigate
Labs exploited one of the Remote Code
Execution vulnerabilities in their labs and
demonstrated that a successful attack could
potentially disrupt medical care and other
critical processes.
• Two of the recommended mitigations
for NUCLEUS:13 include using network
segmentation to limit the network
exposure of critical vulnerable devices
and patching devices as vendors release
their patches. Some vulnerabilities can
also be mitigated by blocking or disabling
support for unused protocols, such as FTP.
3
RESEARCH REPORT | NUCLEUS:13 | Executive Summary
INFORMATIONAL
A recap on TCP/IP stacks
and Project Memoria
A TCP/IP stack is a piece of software that
implements basic network communication for
all IP-connected devices, including Internet
of Things (IoT), operational technology (OT)
and information technology (IT). Not only
are TCP/IP stacks widespread, they are
notoriously vulnerable due to (i) codebases
created decades ago and (ii) an attractive
attack surface, including protocols that cross
network perimeters and an abundance of
unauthenticated functionality.
Given the impact of these foundational
components, Forescout Research Labs has
launched Project Memoria with the goal of
collaborating with industry peers and research
institutes to provide the cybersecurity
community with the largest analysis of the
security of TCP/IP stacks.
The latest examples of TCP/IP stack
vulnerabilities include:
• Ripple20, a set of 19 vulnerabilities on the
Treck TCP/IP stack, disclosed by JSOF in June
2020. Forescout Research Labs worked in
close collaboration with JSOF to identify
vendors and devices potentially affected by
Ripple20.
FORESCOUT RESEARCH LABS
• AMNESIA:33, a set of 33 vulnerabilities
affecting four open-source TCP/IP stacks,
disclosed in December 2020 by Forescout
Research Labs.
• NUMBER:JACK, a set of nine vulnerabilities
affecting the Initial Sequence Number
(ISN) implementation in nine TCP/IP stacks,
disclosed in February 2021 by Forescout
Research Labs.
• NAME:WRECK, a set of nine vulnerabilities
affecting DNS clients of four TCP/IP stacks,
disclosed in April 2021 by Forescout
Research Labs and JSOF.
• INFRA:HALT, a set of 14 vulnerabilities
affecting InterNiche’s NicheStack, disclosed
in August 2021 by Forescout Research Labs
and JFrog Security Research.
• NUCLEUS:13, a set of 13 vulnerabilities
affecting Siemens’ Nucleus TCP/IP stack,
disclosed in October 2021 by Forescout
Research Labs and Medigate Labs.
4
RESEARCH REPORT | NUCLEUS:13 | Main Findings

2. Main Findings
2.1. What is Nucleus NET? 2.2. Why analyze Nucleus NET?
Nucleus NET is the TCP/IP stack of the Nucleus We chose to analyze Nucleus NET because of
Real-time Operating System (RTOS). The stack its known uses in safety-critical applications,
and the RTOS were originally developed by as described above. Nucleus NET was the
Accelerated Technology, Inc. (ATI) in 1993, target of previous analyses in Project Memoria,
then acquired by Mentor Graphics in 2002 and during both NUMBER:JACK and NAME:WRECK.
finally by Siemens in 2017. Since its original Siemens also published two CVEs affecting the
release 28 years ago, Nucleus has been IPv6 components of the stack in 2021, which
deployed in many industries that have safety are similar to some issues seen on AMNESIA:33.
and security requirements, such as medical Table 1 summarizes the previously known
devices, automotive and industrial systems. vulnerabilities affecting Nucleus NET.
Nucleus is currently distributed as:
Since we had already analyzed Nucleus NET
• ReadyStart: Containing source code, a for specific vulnerabilities in NUMBER:JACK
suite of tools for development and analysis, and NAME:WRECK (TCP ISN generation and
middleware, board support packages (BSPs) DNS client, respectively), we investigated other
and examples components of the stack that we had access to.
• SafetyCert: A certified version of the
kernel with runtime libraries, connectivity
middleware, networking and data storage.
The certification package includes source
code and documentation with traceability
and hyperlinks for easier safety reviews
CVE IDs Description/Comment
DHCP client vulnerability allows attackers to change the IP address of a device to an invalid
CVE-2019-13939 value. Besides Nucleus, it also affects several devices in the APOGEE, TALON and Desigo lines
of building automation products
CVE-2020-15795
CVE-2020-27009
CVE-2020-27736
Set of DNS client vulnerabilities
CVE-2020-27737
Part of Project Memoria’s NAME:WRECK
CVE-2020-27738
CVE-2021-25677
CVE-2021-27393
Predictable TCP ISN vulnerability
CVE-2020-28388
Part of Project Memoria’s NUMBER:JACK
CVE-2021-25663
IPv6 vulnerabilities, similar to AMNESIA:33
CVE-2021-25664

Table 1 – Previously known vulnerabilities on Nucleus NET

FORESCOUT RESEARCH LABS 5

RESEARCH REPORT | NUCLEUS:13 | Main Findings

2.3. Analysis and findings We performed only a manual analysis of the

We performed a deeper analysis of two stack on both the source code and binary
versions of the stack: incomplete source versions. Table 2 shows the vulnerabilities that
code of version 4.3 (which we had analyzed we discovered.
in NUMBER:JACK and NAME:WRECK); and a
As shown in Table 2, most of the vulnerabilities
binary demo containing a newer version. In
allow for denial of service, while three allow
those versions, we analyzed the following stack
for remote code execution, a topic explored in
components: IPv4, ICMP, TCP, UDP, DHCP
subsequent sections of this report.
client, TFTP server and FTP server.

Affected Potential CVSSv3.1

CVE ID Description Component Impact Score
2021- ICMP echo packets with fake IP options allow sending ICMP echo reply messages Confused
ICMP 5.3
31344 to arbitrary hosts on the network. deputy
The total length of an UDP payload (set in the IP header) is unchecked. This may
2021- lead to various side effects, including Information Leak and Denial-of-Service Application-
UDP 7.5
31345 conditions, depending on a user-defined application that runs on top of the UDP dependent
protocol.
The total length of an ICMP payload (set in the IP header) is unchecked. This may
2021- Information
lead to various side effects, including Information Leak and Denial-of-Service IP / ICMP 8.2
31346 leak / DoS
conditions, depending on the network buffer organization in memory.
When processing a DHCP OFFER message, the DHCP client application does
2021-
not validate the length of the Vendor option(s), leading to Denial-of-Service DHCP client DoS 7.1
31881
conditions.
The DHCP client application does not validate the length of the Domain Name
2021-
Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to DHCP client DoS 6.5
31882
Denial-of-Service conditions.
When processing a DHCP ACK message, the DHCP client application does
2021-
not validate the length of the Vendor option(s), leading to Denial-of-Service DHCP client DoS 7.1
31883
conditions.
The DHCP client application assumes that the data supplied with the “Hostname”
2021- DHCP option is NULL terminated. In cases when global hostname variable is Application-
DHCP client 8.8
31884 not defined, this may lead to Out-of-Bound reads, writes and denial-of-service dependent
conditions.
2021- TFTP server application allows for reading the contents of the TFTP memory Information
TFTP server 7.5
31885 buffer by sending malformed TFTP commands. leak
FTP server does not properly validate the length of the “USER” command, leading
2021-
to stack-based buffer overflows. This may result in Denial-of-Service conditions FTP server RCE 9.8
31886
and Remote Code Execution.
FTP server does not properly validate the length of the “PWD/XPWD” command,
2021-
leading to stack-based buffer overflows. This may result in Denial-of-Service FTP server RCE 8.8
31887
conditions and Remote Code Execution.
FTP server does not properly validate the length of the “MKD/XMKD” command,
2021-
leading to stack-based buffer overflows. This may result in Denial-of-Service FTP server RCE 8.8
31888
conditions and Remote Code Execution.
2021- Malformed TCP packets with a corrupted SACK option leads to Information Leaks
TCP server DoS 7.5
31889 and Denial-of-Service conditions.
The total length of an TCP payload (set in the IP header) is unchecked. This may
2021-
lead to various side effects, including Information Leak and Denial-of-Service TCP server DoS 7.5
31890
conditions, depending on the network buffer organization in memory.
Table 2 – Discovered vulnerabilities. Rows are colored according to the CVSS score: yellow for medium or high and red for critical.

FORESCOUT RESEARCH LABS 6

RESEARCH REPORT | NUCLEUS:13 | Attack scenarios leveraging NUCLEUS:13
Siemens has released patches for all the
vulnerabilities. Approximately half had already
been patched in existing versions of the stack
but never issued CVE IDs.
As we have seen in NAME:WRECK with CVE-
2016-20009 (which we independently found
on IPnet and had never been publicly reported
with a CVE ID), vulnerabilities in TCP/IP stacks
that have been silently patched may still affect
several devices. In the case of CVE-2016-20009
(whose ID indicates original discovery year of
2016), there were several advisories released
3. Attack Scenarios
Leveraging NUCLEUS:13
NUCLEUS:13 includes remote code execution
and denial-of-service vulnerabilities that can
be exploited by attackers to achieve different
goals based on their motivations, such as to
gain a foothold into a network or wreak havoc.
In this section, we discuss two examples of
attack scenarios that affect different industries
but leverage the same FTP-based exploitation
(detailed in Section 6).
A video showing both attacks as implemented
in our lab can be found here.
3.1. Scenario 1: hacking the hospital
Although connected medical devices are
currently (and justifiably) the focus of
much cybersecurity discussion, Forescout
FORESCOUT RESEARCH LABS
in 2021 (after the NAME:WRECK disclosure)
that listed critical vulnerable devices, such
as Siemens gas turbines, BD Alaris infusion
pumps and GE healthcare devices.
NUCLEUS:13 is the same, and in Section 6,
we discuss exploitation using one of the CVEs
that had been previously patched (CVE-2021-
31886) but still impacted devices with current
firmware.
Research Labs has shown that other types
of IoT devices, including building automation
controllers, figure prominently among those
most impacted by TCP/IP stack vulnerabilities
in healthcare organizations. The same holds
true for NUCLEUS:13, which impacts medical
devices, building automation devices and
other types of OT and IoT devices (discussed in
Section 4).
Building automation devices are used in
hospitals to control functions such as physical
access control, fire alarm systems, lighting
and HVAC (heating, ventilation and air
conditioning). These functions are not directly
connected to patients, but they are critical to
delivering patient care.
7
RESEARCH REPORT | NUCLEUS:13 | Attack scenarios leveraging NUCLEUS:13
HVAC systems, for instance, maintain
temperature, humidity and air quality
throughout a hospital as dictated by
regulations. Changing some of these
parameters can have disastrous consequences:
reduced ventilation can increase the spread
of airborne diseases, such as COVID-19; and
drastic changes in temperature can render
operating rooms unusable or spoil biological
samples.
Figure 1 – Attack implemented in the lab
In this scenario, a motion sensor, a light bulb
and a model fan are connected to a building
automation controller. When someone
enters a patient’s room, the fan and lights
switch on automatically, and they switch off
automatically when the person leaves the
room. An attacker can crash the controller by
sending a crafted FTP packet that exploits CVE-
2021-31886 (or any other DoS in NUCLEUS:13).
When the attack is successful, the fan
and lights stop working, thus creating an
environment where patient care is hindered.
FORESCOUT RESEARCH LABS
To demonstrate how an attacker could
leverage NUCLEUS:13 to disrupt the normal
functioning of a hospital’s building automation
systems, and thus impair patient care, we have
implemented in our lab the scenario shown in
Figure 1.
Since the exploited vulnerability allows for
code execution (discussed in Section 6), this
attack could be extended to allow the attacker
to change temperature setpoints, control logic
and other variables in the controller. He could
also use the compromised device to issue
malicious commands to other devices in the
hospital. The main difference is that those
attacks would be highly targeted to a specific
environment (i.e., a particular hospital with a
particular set of controllers and logic), whereas
the denial of service works against several
targets, making it an easily commoditized asset
for cyber criminals).
8
 RESEARCH REPORT | NUCLEUS:13 | Attack scenarios leveraging NUCLEUS:13

3.2. Scenario 2: crashing the trains in which operation is automated and an

Recently, railway infrastructure providers attendant remains on board in case of
around the world have been under attack, emergencies, and unattended train operation
including a ransomware incident in Germany (UTO) whereby operation is fully automated
in 2017, a DDoS attack in Denmark in 2018 without any on-board staff.
and a politically motivated hack of Iranian
The devices affected by NUCLEUS:13 are
Railways systems in July 2021. What these
not used only for healthcare and building
attacks have in common is that they impacted
automation. For example, the WAGO
the IT systems of the targeted organizations,
controllers which we exploited (see Section 6)
not their operational technology. However,
are also part of railway infrastructure, anything
as Check Point researchers mentioned in
from station automation to train maintenance
their analysis: “the extent and sophistication
and track signaling.
of attacks in general is still a fraction of its
To demonstrate how an attacker could
complete potential; oftentimes, threat actors
leverage NUCLEUS:13 to disrupt the normal
don’t do X, Y, Z even though they perfectly well
functioning of an automated train system, and
could.”
thus create the potential for major collisions,
Railways and trains are increasingly
we have implemented in our lab the scenario
automated, with grades of automation that
shown in Figure 2.
include driverless train operation (DTO)

Figure 2 – Attack implemented in the lab

FORESCOUT RESEARCH LABS 9

RESEARCH REPORT | NUCLEUS:13 | Impact
In this scenario, a presence sensor and a
train model are connected to an automation
controller placed at a station. When the
sensor detects that the train is at the station,
it controls the train to stop for a certain period
of time, after which the train automatically
continues its journey. An attacker can crash
4. Impact
In this section, we estimate the impact of
NUCLEUS:13 based on the evidence collected
during our research, using three main sources:
• The official Nucleus website, which states
that the RTOS is deployed in more than
three billion devices. A review of customer
success stories reveals its use in scenarios
such as healthcare (ZOLL defibrillators and
ZONARE ultrasound machines), IT (BDT
AG storage systems) and critical systems
(Garmin avionics navigation). Yet, we believe
Figure 3 – Documentation of a GE S/5 Avance Anesthesia Machine showing the use of Nucleus RTOS
FORESCOUT RESEARCH LABS
the controller by sending the same FTP packet
that exploits CVE-2021-31886 described above
(or any other DoS in NUCLEUS:13). When the
attack is successful, the train will not stop at
the station, and thus can collide with another
train, people or other objects on the track.
that most of those three billion devices are
actually device components such as MediaTek
IoT chipsets and baseband processors used
in smartphones and other wireless devices.
We also found technical documentation
detailing the use of Nucleus for medical
devices, such as the GE S/5 Avance
Anesthesia Machine (shown in Figure 3) and
the Nihon Kohden Bedside Monitor (shown
in Figure 4).
10
RESEARCH REPORT | NUCLEUS:13 | Impact
Figure 4 – Documentation of a Nihon Kohden patient monitor detailing an error message caused by Nucleus
• Shodan Queries. Shodan is a search
engine that allows users to look for devices
connected to the Internet. We queried
Shodan, looking for devices showing some
evidence (e.g., application-layer banners)
indicating the use of Nucleus. As shown in
Figure 5 and Figure 6, with a query executed
on 05/Aug/2021, we found more than
2,200 instances of devices running the
Nucleus FTP server (“220 Nucleus FTP”)
or the RTOS (“Operating System: Nucleus
PLUS”).
FORESCOUT RESEARCH LABS
Interestingly, these are the same queries we
used during the NAME:WRECK research, and
they show a decrease of 13% of FTP servers
and 25% of exposed devices running the
RTOS. We believe this is a direct positive effect
of NAME:WRECK, which most likely brought
increased attention to securing publicly exposed
embedded devices.
11
RESEARCH REPORT | NUCLEUS:13 | Impact
Figure 5 – Exposed devices running Nucleus FTP
(“220 Nucleus FTP”)
• Forescout Device Cloud. Forescout Device
Cloud is a repository of information for
about 13+ million devices monitored by
Forescout appliances. We queried it for
similar banners to Shodan, as well as other
information, based on DHCP signatures, for
FORESCOUT RESEARCH LABS
Figure 6 – Exposed devices running Nucleus RTOS (“Operating System:
Nucleus PLUS”)
instance. We found close to 5,500 devices
from 16 vendors in place at 127 customers.
Thirteen of these customers had more than
100 vulnerable devices, with healthcare
being the most impacted sector
(see Figure 7).
12
RESEARCH REPORT | NUCLEUS:13 | Impact

Figure 7 – Device functions running Nucleus (source: Forescout Device Cloud)

Figure 8 – Devices running Nucleus in each vertical (source: Forescout Device Cloud)

As we have done with our previous research, to vendors impacted by NUCLEUS:13 on our
we will maintain a list of advisories related GitHub page.

FORESCOUT RESEARCH LABS 13

RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations

5. Mitigation Recommendations
Complete protection against NUCLEUS:13
requires patching devices running the
vulnerable versions of Nucleus. Siemens
has released its official patches, and device
vendors using this software should provide
their own updates to customers. Below, we
discuss mitigation strategies for network
operators.
Given that patching the embedded devices
is notoriously difficult (due to their mission-
critical nature), we recommend the following
mitigation strategy:
• Discover and inventory devices running
Nucleus. Forescout Research Labs has
released an open-source script that uses
active fingerprinting to detect devices
running Nucleus. The script is updated
constantly with new signatures to follow the
latest development of our research.
CVE Affected Component
2021-31885
2021-31886
FTP / TFTP server
2021-31887
2021-31888
2021-31881
2021-31882
DHCP client
2021-31883
2021-31884
• Enforce segmentation controls and
proper network hygiene to mitigate
the risk from vulnerable devices. Restrict
external communication paths and isolate
or contain vulnerable devices in zones as a
mitigating control if they cannot be patched
or until they can be patched.
• Monitor progressive patches released
by affected device vendors and devise a
remediation plan for your vulnerable asset
inventory, balancing business risk and
business continuity requirements.
• Monitor all network traffic for malicious
packets that try to exploit known
vulnerabilities or possible zero-days. You
should block anomalous and malformed
traffic, or at least alert its presence to
network operators.
Table 4 provides recommended mitigations for
each vulnerability.
Mitigation Recommendation
Disable FTP/TFTP if not needed, or whitelist connections.
Use switch-based DHCP control mechanisms: protocol-aware network switches may
be configured to block DHCP responses from rogue servers (“DHCP snooping”)1.
Alternatively, firewalls can be configured in a similar fashion. As a last resort, use static IP
addresses.

2021-31344
2021-31345
Monitor traffic for malformed packets and block them. Having a vulnerable device behind
2021-31346 TCP / UDP / IP / ICMP
a properly configured firewall should be sufficient.
2021-31889
2021-31890

Table 4 – Mitigation recommendations for specific vulnerabilities

1 See https://kb.isc.org/docs/aa-00573

FORESCOUT RESEARCH LABS 14

RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations
TECHNICAL DIVE-IN
6. Technical Dive-In:
Exploiting CVE-2021-31886
There are three vulnerabilities in NUCLEUS:13
that allow for Remote Code Execution: CVE-
2021-31886, CVE-2021-31887 and CVE-2021-
31888. All three vulnerabilities affect the
default FTP server application shipped with the
Nucleus TCP/IP stack. In this section, we will
focus on CVE-2021-31886: unchecked input
size of the USER command.
At a high level, to trigger CVE-2021-31886,
attackers perform authentication attempts
on the affected FTP server, sending the FTP
“USER” command with a username that is
larger than the internal buffer designated to
hold the input of this command (note that the
actual size of this buffer may vary). Sending
a large enough username results in a stack-
based buffer overflow, allowing performance
of controlled writes into the memory of
the affected device, hijacking the execution
flow and executing attackers’ code with few
FORESCOUT RESEARCH LABS
constraints. Note that the exploitation does
not require any authentication on the target,
as the vulnerability is triggered for any input of
the “USER” command that has a specific length.
The vulnerability is detailed in Section 6.1, and
the exploitation details are outlined in Sections
6.2 and 6.3.
Important note on exploitability: Some of the
technical details of the exploitation are specific
to the hardware/firmware being exploited,
including the presence of specific components
of the affected TCP/IP stack and the absence
of exploit mitigations. Some of the details
discussed below may be specific to the chosen
targets (QEMU image based on Nucleus Ready
Start for NXP i.MX28 evaluation software, and
WAGO 750-852 PLC with firmware version
“01.07.21 (14)”, respectively).
15
RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations

TECHNICAL DIVE-IN

6.1. Root cause analysis

The root cause of CVE-2021-31886 lies within The code fails to ensure that the buffer
the FSP_Server_USER() function that parses server->user that holds the supplied
the FTP “USER” command (shown in Figure 9). username is not overflown by the input.

Figure 9 – An excerpt from the FSP_Server_USER() function (CVE-2021-31886)

Figure 10 – Pseudocode excerpts from “FTP_SERVER”,

“NU_EVENT_GROUP” and “CS_NODE” structures

FORESCOUT RESEARCH LABS 16

RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations
TECHNICAL DIVE-IN
The server variable is a pointer to a variable
that holds the FTP_SERVER structure (shown
in Figure 10). The server->replyBuff field
holds the contents of the input buffer (in
this case, the entire “USER” command). In
our case, the contents of server->replyBuff
are expected to be of the following format:
“USER\x20username\x0d\x0a\x00”, where
the command “USER” is followed by a space
character (0x20), the “\r\n” characters and a
null terminator (0x00) that signifies the end of
the input string.
The username is then copied from
server->replyBuff into server->user (lines
21-24 in Figure 9). This code will copy a
sequence of characters (up to 250) until the
first occurrence of the ‘\r’ character (0x0d or
13 in ASCII). It will finally add a null-terminator
to server->user (line 26 of Figure 9). Note, that
server->user is, in fact, only 32-bytes long (see
Figure 10).
At line 7 of Figure 9, the code checks whether
the input string server->replyBuff is not
larger than 38 characters, using the strlen()2
function. The expected contents of this buffer
are as follows: four characters for the string
2 strlen() returns the length of a byte sequence until the first 0x00 byte is encountered.
FORESCOUT RESEARCH LABS
“USER”, one space character, 31 characters
of username and the two “\r\n” characters.
However, if we place a null-terminator in an
arbitrary place within server->replyBuff such
that strlen() returns a value less than 38, we
can still copy a longer string into server->user,
provided that we place the “\r” character at a
desired offset.
In this way, we can overflow server->user, the
remaining fields of the FTP_SERVER structure
as well as some local variables and the
metadata of a stack frame, where FTP_SERVER
is declared (server happens to be a pointer to
a local variable declared in the Control_Task()
function). In essence, this is a stack-based
buffer overflow vulnerability.
6.2. Exploiting a QEMU image
In this Section, we describe the exploitation
details, based on a QEMU image built for
Nucleus Ready Start for NXP i.MX28 evaluation
software. We also managed to exploit this
vulnerability on a WAGO 750-852 PLC, which is
explained in Section 6.3.
17
RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations

TECHNICAL DIVE-IN

The exploitation strategy involved the
following steps:
1. Patch the address of the input buffer (e.g.,
the buffer that stores the “USER” command),
so that it points to a different memory
location: This allows the attacker to have
longer shellcode (we can upload only
218 bytes of shellcode at a time). This also
helps to avoid overwriting the shellcode
(e.g., by buffer deallocation and other
FTP commands).
2. Prepare the shellcode and upload it to a
desired location within the memory.
3. Redirect the execution flow to the shellcode.
Figure 11 shows a pseudocode excerpt from
the Control_Task() function, which is an
RTOS task that is responsible for handling FTP
sessions. This function contains important local
variables: FTP_SERVER server that contains a
field user, which we intend to overflow; and
CHAR *buffer, which is a pointer to the buffer
that contains the raw user input (it will be later
copied into server->replyBuff).

Figure 11 – An excerpt from the Control_Task() function

FORESCOUT RESEARCH LABS 18

RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations
TECHNICAL DIVE-IN
At this point, we can construct such input
that will overflow the server->user field,
overwriting the fields of server past the
server->user field, as well as the local
variables in Control_Task() past server.
We could also overwrite the return address
of Control_Task() at this point and hijack
the execution flow. However, we incur two
problems: (1) we still need to store our
Figure 12 – A chosen memory location for the shellcode
Our first goal is to find an executable region
of memory to store the shellcode. For this
purpose, we have chosen the address
0x000b22bc located in the .bss segment (this
memory segment happens to be marked
Figure 13 – The span_process_packet callback
3 Have a look at this blog post from CircuitsToday.com for a short overview of RTOS concepts.
FORESCOUT RESEARCH LABS
shellcode in some unused memory region
where more space is available; (2) since
Control_Task() is an RTOS task3, it runs in an
infinite loop and will not return as a traditional
C function; therefore, overwriting the return
address will at best cause a Denial-of-Service
under certain conditions but will not allow us
to hijack the execution flow in a useful way.
as writable in our case). Figure 12 shows an
excerpt from this segment. It contains several
static variables which are not used in the
context of the FTP server and therefore is a
good location for our shellcode.
19
RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations

TECHNICAL DIVE-IN

Since we cannot easily overwrite the return
address of Control_Task(), we must resort
to other means for redirecting the execution.
We have found several function pointers
declared in the .bss memory segment. One
of them is called span_process_packet and it
is set to zero by default. Figure 13 shows that
span_process_packet is a callback pointer,
and if the pointer contains a non-zero address
(it is supposed to be a function address), this
callback will be triggered when a particular LLC
frame is received. Therefore, if we overwrite
the span_process_packet pointer with the
address of our shellcode and send the LLC
frame4 that meets the right conditions, the
shellcode will be executed.
To achieve this, we establish our first FTP
session with the target device and send a
malformed USER command with the
following bytes:

The payload contains the following bytes: • The address of the shellcode (0x000b22c4,
• The “USER” command followed by a space big endian), the address of the span_
character (0x20) process_packet pointer (0x00b14f8, big
• Several dummy bytes that overflow the field endian)
server->user. Note that we have also placed When the field server->user is overwritten, we
a null-terminator (0x00) in the middle of will write the two addresses into the first eight
the input, so that the input length checks bytes of the server->FTP_Events field (see
(shown on Figure 9) will be circumvented. Figure 10; the addresses are marked in red
and green):

4 A Logical-Link Control (LLC) frame with the bytes 0x0026 or 0x0007 set in place of the ETHERTYPE/LENGTH field (bytes 13 and 14)
of the Ethernet header

FORESCOUT RESEARCH LABS 20

RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations
TECHNICAL DIVE-IN
These addresses will, essentially, be written
into the fields of the ev_created variable
enclosed into server->FTP_events.
After these addresses are written, we close
the FTP session by sending a TCP RST packet.
When the session is closed, Control_Task() will
eventually call the NU_Remove_From_List()
function (shown in Figure 14). This function will
remove the current FTP event node from the
FTP event list (lines 9-10).
Figure 14 – The NU_Remove_From_List() function
Next, we establish a new FTP session and
attempt to patch the buffer pointer and to
write our shellcode at the desired location. To
patch the address of buffer, we use the same
technique as before. As buffer lies at the offset
FORESCOUT RESEARCH LABS
At this time, the pointers node->cs_previous
and node->cs_next are the same as server-
>FTP_Events->ev_created->cs_previous and
server->FTP_Events->ev_created->cs_next,
and they point to the desired shellcode address
and the address of span_process_packet
pointer, respectively. After the code on line 10 is
executed, we overwrite the value of the span_
process_packet pointer with our shellcode
address, which means that now this callback
is initialized, and whenever it is invoked, the
shellcode will be executed.
of 52 bytes from the end of server->user, we
simply construct an FTP user command that
contains the new address of buffer at the
required offset.
21
RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations
TECHNICAL DIVE-IN
Note that after the USER command is handled
and the execution returns to Control_Task(),
Note that this time, we are supplying the
address 0x000b22bc, which is different from
the shellcode address 0x00b22c4 that we set
during the previous step. This is because we
are patching the raw input buffer. Apart from
the user-supplied contents, it will include the
entire FTP command that starts with “USER\
x20”. Therefore, we will structure our input as
“USER\x20\x00\x00\x00[shellcode]” and skip the
first eight bytes to jump directly at the first
byte of the shellcode.
FORESCOUT RESEARCH LABS
buffer points to the address that we now
control:
It is important that, at this time, we do not
close the current FTP session. Otherwise,
Control_Task() will allocate a new input buffer
pointer, and all the work we have done so far
will be lost. Therefore, to supply the shellcode,
we immediately follow with another USER
command that will be written into the memory
starting at address 0x000b22bc. This time, it
contains the following shellcode:
22
RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations
TECHNICAL DIVE-IN
Finally, we send an LLC frame that meets the
requirements for triggering the span_process_
packet callback, and the shellcode gets
6.3. Exploiting a WAGO 750-852
The exploitation of CVE-2021-31886 in the
WAGO 750-852 PLC is similar to the QEMU
image exploitation. That is, we overflow the
server structure to have our shellcode residing
at a stable location pointed to by the buffer
variable and calling it afterwards through
a patched span_process_packet function
pointer.
After having a first payload running through
span_process_packet (called “stage 0”), we
aimed at loading a second payload (“stage 1”)
FORESCOUT RESEARCH LABS
executed. In this case, our shellcode simply
prints a line to the serial console of
the QEMU VM.
because of the size limitations that constrain
stage 0. To do so, we needed to make
stage 0 patch another function pointer ppe_
process_packet to point at a location which
we dynamically allocated. Whenever stage
0 gets triggered again, it will copy shellcode
fragments which we sent within the LLC frame
to be reassembled at the location pointed at by
ppe_process_packet. This pointer is another
callback (similar to span_process_packet)
which is called at the function EightZeroTwo, as
follows:
23
RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations
TECHNICAL DIVE-IN
The stage 0 shellcode is illustrated in
Figure 15. It allocates the memory for
stage 1 shellcode on lines 34-39. Whenever
stage 0 gets executed, it copies the fragments
of stage 1 shellcode in the right order and into
a designated memory location (lines 66-72).
FORESCOUT RESEARCH LABS
Once the entire stage 1 shellcode is copied and
is in good order (ensured by the checksum),
we patch the ppe_process_packet pointer to
point at the beginning of stage 1 shellcode
(lines 53-64).
24
RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations

TECHNICAL DIVE-IN

Figure 15 – stage 0 shellcode

FORESCOUT RESEARCH LABS 25

RESEARCH REPORT | NUCLEUS:13 | Mitigation Recommendations

TECHNICAL DIVE-IN

When this is done, we trigger the ppe_process_
packet callback by sending a crafted Point-to-
Point Protocol over Ethernet (PPOE) frame.
The stage 1 shellcode accesses the filesystem
of the WAGO PLC, changing the HTML code
of a particular page used in the embedded
webserver. The effect of this change is shown
in Figure 16 (normal operation) and Figure 17
(after exploiting CVE-2021-31886).

Figure 16 – Web page as it appears normally in WAGO 750-852

Figure 17 – A defaced web page in WAGO 750-852

FORESCOUT RESEARCH LABS 26

RESEARCH REPORT | NUCLEUS:13 | Conclusion
7. Conclusions
In this report, we discussed NUCLEUS:13, a set
of 13 vulnerabilities affecting the Nucleus TCP/
IP stack, currently owned by Siemens and used
in billions of devices. The vulnerabilities include
three RCEs, which we managed to exploit in
our labs as discussed in Section 3. We saw
evidence of the stack running in industrial
controllers, building automation equipment,
and medical devices.
We strongly believe that the threat landscape
for every type of connected device is changing
fast, with an ever-increasing number of severe
vulnerabilities and attackers being motivated
FORESCOUT RESEARCH LABS
by financial gains more than ever. This is
especially true for operational technology and
the Internet of Things. The expanded adoption
of these types of technology by every type of
organization, and their deep integration into
critical business operations, will only increase
their value for attackers over the long term.
With this context in mind, Forescout Research
Labs and Medigate Labs look forward to
analyzing additional software and devices,
driving opportunities for better industry
collaboration and continuing to help secure
the Enterprise of Things.
27