VYPR
Unrated severity · NVD Advisory · Published Nov 9, 2021 · Updated Mar 11, 2025

CVE-2021-31345

Description

A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions). The total length of a UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the user-defined applications that run on top of the UDP protocol. (FSMD-2021-0006)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unchecked UDP payload length in Nucleus NET allows an unauthenticated network attacker to cause information disclosure or denial of service, affecting APOGEE, TALON, Desigo, and PLUSCONTROL devices (CVE-2021-31345).

Vulnerability

CVE-2021-31345 is a vulnerability in the Nucleus NET TCP/IP stack used in Siemens products such as Capital Embedded AR Classic 431-422 (all versions), Capital Embedded AR Classic R20-11 (versions < V2303), PLUSCONTROL 1st Gen (all versions), and other APOGEE, TALON, and Desigo PXC/PXM devices [1][2]. The total length of a UDP payload specified in the IP header is not validated [4]. This unchecked length can cause the system to read beyond the actual packet data, leading to memory disclosure or crashes, depending on the application using UDP [1][4]. Affected versions include all releases of the affected products; Nucleus NET is used across Siemens building automation and energy control products [1][2][3].

Exploitation

An attacker must be able to send a crafted UDP packet to the target device [4]. No authentication is required; the attacker only needs network access to the target (the CVSS v3.1 vector indicates a network attack vector, low complexity, no privileges required, and no user interaction) [4]. Exploitation involves sending a malformed UDP packet in which the IP header indicates a payload length larger than the actual data provided by the UDP sender. The receiving device does not verify that the announced length matches the real payload size [4]. This discrepancy triggers an out-of-bounds read or memory corruption when the system processes the payload [4].
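The length check whose absence is described above, sketched as an added example (not Nucleus NET or Siemens code): it rejects a datagram whose IP Total Length or UDP Length field announces more data than was actually received. The function names, result codes and the 32-byte sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for this added example (names are hypothetical). */
enum udp_check { UDP_OK = 0, UDP_ERR_HEADER, UDP_ERR_IP_LEN, UDP_ERR_UDP_LEN };

/* Read a big-endian 16-bit field without assuming alignment. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate an IPv4/UDP datagram before the application sees any payload byte.
 * buf/captured are the bytes actually received. On UDP_OK, *payload and
 * *payload_len describe a range that lies entirely inside buf. */
enum udp_check udp_validate(const uint8_t *buf, size_t captured,
                            const uint8_t **payload, size_t *payload_len)
{
    if (captured < 20 || (buf[0] >> 4) != 4) return UDP_ERR_HEADER;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;      /* IPv4 header length */
    if (ihl < 20 || buf[9] != 17) return UDP_ERR_HEADER;   /* 17 = UDP */

    size_t ip_total = be16(buf + 2);               /* IP Total Length */
    /* The IP header must not announce more bytes than were received, and
     * must leave room for the 8-byte UDP header. */
    if (ip_total > captured || ip_total < ihl + 8) return UDP_ERR_IP_LEN;

    size_t udp_len = be16(buf + ihl + 4);          /* UDP Length field */
    /* UDP Length includes its own header and must fit in the IP datagram. */
    if (udp_len < 8 || udp_len > ip_total - ihl) return UDP_ERR_UDP_LEN;

    *payload = buf + ihl + 8;
    *payload_len = udp_len - 8;
    return UDP_OK;
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header + 4 payload
 * bytes (32 bytes on the wire), with caller-chosen announced lengths. */
enum udp_check check_sample(uint16_t ip_total, uint16_t udp_len, size_t captured)
{
    uint8_t pkt[32];
    const uint8_t *payload;
    size_t payload_len;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45; pkt[9] = 17;                    /* IPv4, IHL=5, proto UDP */
    pkt[2] = (uint8_t)(ip_total >> 8);  pkt[3] = (uint8_t)ip_total;
    pkt[24] = (uint8_t)(udp_len >> 8);  pkt[25] = (uint8_t)udp_len;
    return udp_validate(pkt, captured, &payload, &payload_len);
}
```

Only the range returned in `payload` and `payload_len` is passed on to the application; a datagram that fails any check is dropped before its payload is read.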

Impact

Successful exploitation can result in information disclosure (reading memory beyond the packet) or a denial-of-service condition (system crash or resource exhaustion) [1][4]. The CVSS v3.1 base score is 7.5, with high impact on confidentiality and no direct impact on integrity or availability, but the advisory notes that DoS is possible depending on the application [4]. The scope is unchanged, meaning the attacker can affect the target device but not other resources on the network. The vulnerability could allow an attacker to leak sensitive data that may be present in the memory of the device, or to disrupt operations of the UDP-dependent application [1][4].

Mitigation

There is no patch or planned fix for many affected product lines, including Capital Embedded AR Classic 431-422 (all versions), PLUSCONTROL 1st Gen, and multiple APOGEE/TALON devices [1][2][3]. For Capital Embedded AR Classic R20-11, the fix is planned for version V2303 or later [1]. Siemens recommends applying network isolation, firewalls, and restricting network access to trusted hosts as workarounds [1][3]. Products where no fix is planned remain at risk [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 6

Patches: 0. No patches discovered yet.

References: 8
