VYPR
Unrated severity · NVD Advisory · Published Nov 9, 2021 · Updated Mar 11, 2025

CVE-2021-31882

Description

A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The DHCP client in Capital Embedded AR Classic fails to validate the length of the DNS server option, enabling an unauthenticated DoS from the local network.

Vulnerability

The DHCP client application in Capital Embedded AR Classic 431-422 (all versions) and R20-11 (all versions prior to V2303) fails to validate the length of the Domain Name Server IP option (0x06) when processing DHCP ACK packets. This vulnerability stems from improper input validation in the Nucleus RTOS networking stack [2].
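The missing check, as an added example (this is not Siemens or Nucleus code): a DHCP options walker that validates the option 6 length before copying any address. The function name `parse_dns_option`, the `MAX_DNS` table size and the sample bytes are assumptions made for illustration; the length rules come from RFC 2132.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD 0
#define OPT_DNS 6      /* Domain Name Server option, 0x06 */
#define OPT_END 255
#define MAX_DNS 4      /* assumed size of the client's resolver table */

/* Walk the options field of a DHCP ACK (bytes after the magic cookie) and
 * copy option 6 addresses into out[]. Returns the number of servers stored,
 * or -1 if any option is malformed, so the caller can drop the packet. */
int parse_dns_option(const uint8_t *opts, size_t len,
                     uint8_t out[][4], size_t max_out)
{
    size_t i = 0;
    int n = 0;

    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;          /* pad has no length byte */
        if (code == OPT_END) return n;
        if (i >= len) return -1;                /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return -1;          /* value runs past the packet */
        if (code == OPT_DNS) {
            /* RFC 2132: at least one address, whole IPv4 addresses only */
            if (olen < 4 || olen % 4 != 0) return -1;
            /* addresses beyond max_out are ignored, never written */
            for (size_t k = 0; k < olen && (size_t)n < max_out; k += 4)
                memcpy(out[n++], &opts[i + k], 4);
        }
        i += olen;
    }
    return n;   /* design choice: tolerate a missing END option */
}

int main(void)
{
    /* constructed sample: option 53 (ACK), option 6 with two servers, END */
    const uint8_t ack[] = {53, 1, 5, 6, 8, 192, 0, 2, 1, 192, 0, 2, 2, 255};
    uint8_t dns[MAX_DNS][4];
    int n = parse_dns_option(ack, sizeof ack, dns, MAX_DNS);
    printf("%d DNS servers accepted\n", n);
    return 0;
}
```

The three checks are independent: the length byte must exist, the declared length must fit in the bytes actually received, and the copy is bounded by the destination table rather than by the length field.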

Exploitation

An unauthenticated attacker on the same network can send a crafted DHCP ACK packet with a malformed DNS server option to the affected device. The attacker must be able to intercept DHCP traffic or act as a rogue DHCP server. No user interaction is required. The attack exploits the lack of length validation, leading to a memory corruption condition.

Impact

Successful exploitation can cause a denial-of-service (DoS) condition, potentially rendering the device unresponsive. The attack does not require authentication and can be performed remotely from the local network, with a CVSS v3.1 base score of 9.8 [1][2].

Mitigation

As of the advisory publication date (2021-11-09), no patch is available for Capital Embedded AR Classic 431-422. For R20-11, upgrading to V2303 or later is recommended [description]. Workarounds include network segmentation and restricting DHCP server access. Siemens recommends applying general security measures for Nucleus RTOS devices [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
