VYPR
Unrated severity · NVD Advisory · Published Nov 9, 2021 · Updated Mar 11, 2025

CVE-2021-31344

Description

A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An ICMP spoofing vulnerability in the Nucleus NET TCP/IP stack allows sending echo replies to arbitrary hosts, enabling network-based reflection/amplification attacks.

Vulnerability

CVE-2021-31344, part of the NUCLEUS:13 set, resides in the ICMP handling of the Nucleus NET TCP/IP stack used in multiple Siemens products [1], [2]. The vulnerability allows an attacker to craft ICMP echo request packets with fake IP options; the vulnerable stack then sends ICMP echo reply messages to arbitrary hosts on the network [1], [2]. Affected products include Capital Embedded AR Classic 431-422 (all versions), Capital Embedded AR Classic R20-11 (versions < V2303), PLUSCONTROL 1st Gen (all versions), SIMOTICS CONNECT 400 (versions < V0.5.0.0 and versions < V1.0.0.0), and potentially others listed in the referenced advisories [1], [4].

Exploitation

An attacker on the same network segment can send a specially crafted ICMP echo request packet with manipulated IP options to a vulnerable device [1], [2]. The attacker does not need authentication. The vulnerable device processes the packet and generates an ICMP echo reply destined for the arbitrary host address injected in the malicious request, effectively causing the device to participate in a reflected traffic attack [1], [2].

Impact

Successful exploitation enables the attacker to use the vulnerable device as an amplifier to send ICMP echo reply traffic to a target of their choice on the network [1], [2]. This can result in traffic flooding, potentially leading to denial-of-service conditions or network resource exhaustion. The impact is limited to the local network segment unless the device can route the replies further [1].

Mitigation

Siemens has released updates for some affected products: for SIMOTICS CONNECT 400, update to V0.5.0.0 or later (for versions < V0.5.0.0) or to V1.0.0.0 or later (for versions < V1.0.0.0) [1], [4]. For PLUSCONTROL 1st Gen (all versions) no remediation is currently planned; Siemens recommends isolating those devices in a separate LAN segment and applying general security best practices [3]. For other products, refer to the respective advisory for specific workarounds [1], [2].
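
A defensive check that follows from the description, as an added example that is not part of the advisory or of any vendor code: it flags ICMP echo requests whose IPv4 header carries options (header length above 20 bytes), which default ping traffic normally does not. The function names, the sample addresses and the Record Route option in the constructed packets are assumptions; the advisory does not say which options are involved.

```python
import struct

ICMP_ECHO_REQUEST = 8

def option_types(opts: bytes) -> list:
    """Walk an IPv4 options field and return the option-type bytes present."""
    found, i = [], 0
    while i < len(opts) and opts[i] != 0:      # 0 = End of Option List
        if opts[i] == 1:                       # 1 = No-Operation (single byte)
            i += 1
            continue
        found.append(opts[i])
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                              # malformed length, stop walking
        i += opts[i + 1]
    return found

def inspect(packet: bytes):
    """Return a finding for an ICMP echo request with IPv4 options, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4               # header length in bytes
    if ihl <= 20 or len(packet) < ihl + 8 or packet[9] != 1:
        return None                            # no options, truncated, or not ICMP
    if packet[ihl] != ICMP_ECHO_REQUEST:
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"src": dotted(packet[12:16]), "dst": dotted(packet[16:20]),
            "option_types": option_types(packet[20:ihl])}

def build_echo(src, dst, options=b""):
    """Constructed test input: IPv4 + ICMP echo request, checksums left at 0."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"ping"
    total = 20 + len(options) + len(icmp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0, total,
                      0, 0, 64, 1, 0, bytes(src), bytes(dst))
    return hdr + options + icmp

if __name__ == "__main__":
    a, b = (192, 0, 2, 10), (192, 0, 2, 20)    # documentation-range addresses
    record_route = b"\x07\x07\x04\x00\x00\x00\x00"  # arbitrary sample option
    for pkt in (build_echo(a, b), build_echo(a, b, record_route)):
        print(inspect(pkt))
```

The same condition (IPv4 header length above 20 bytes on an ICMP echo request) can be used as a drop or alert rule at the boundary of the segment that isolates affected devices.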

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7


References: 10
