CVE-2021-31883
Description
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0013)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing length check in the DHCP client of Nucleus RTOS-based Siemens products causes a Denial-of-Service when processing a crafted DHCP ACK message.
Vulnerability
In Siemens Capital Embedded AR Classic 431-422 (All versions) and Capital Embedded AR Classic R20-11 (All versions < V2303), the DHCP client application does not validate the length of the Vendor option(s) inside a DHCP ACK message [1]. This missing length validation is part of a set of vulnerabilities in the Nucleus RTOS TCP/IP stack known as "NUCLEUS:13" [2]. The affected products use versions of Nucleus NET that lack proper bounds checking for certain DHCP options. No special configuration is required; the DHCP client is enabled by default in these embedded systems.
Exploitation
An attacker must be on the same network segment as the target device (or be able to spoof DHCP replies) and send a malicious DHCP ACK message with a Vendor option that specifies an invalid or oversized length. The DHCP client processes the message without verifying that the claimed length matches the actual remaining buffer space [1]. The attack does not require authentication, user interaction, or any special privileges. A single crafted packet triggers the vulnerability.
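The missing check described above, shown as an added example of a DHCP options walker that validates each length byte against the bytes remaining. This is not Siemens or Nucleus NET code; the function names, result codes and sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHCP_OPT_PAD    0
#define DHCP_OPT_VENDOR 43   /* Vendor Specific Information, RFC 2132 */
#define DHCP_OPT_END    255

/* Result codes; names are hypothetical, chosen for this example. */
enum { OPT_OK = 0, OPT_NOT_FOUND = -1, OPT_MALFORMED = -2 };

/* Find option `want` in a DHCP options field (bytes after the magic cookie).
 * Each length byte is checked against the bytes left before it is used. */
int dhcp_find_option(const uint8_t *opts, size_t opts_len, uint8_t want,
                     const uint8_t **val, size_t *val_len)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;           /* single-byte option */
        if (code == DHCP_OPT_END) return OPT_NOT_FOUND;
        if (i >= opts_len) return OPT_MALFORMED;      /* length byte missing */
        size_t len = opts[i++];
        if (len > opts_len - i) return OPT_MALFORMED; /* value overruns buffer */
        if (code == want) { *val = opts + i; *val_len = len; return OPT_OK; }
        i += len;                                     /* safe: len was checked */
    }
    return OPT_NOT_FOUND;
}

/* Length of the Vendor option value, or a negative result code. */
int vendor_option_len(const uint8_t *opts, size_t opts_len)
{
    const uint8_t *val; size_t len;
    int rc = dhcp_find_option(opts, opts_len, DHCP_OPT_VENDOR, &val, &len);
    return rc == OPT_OK ? (int)len : rc;
}

/* Constructed sample option fields (option 53 = message type, 5 = ACK). */
static const uint8_t good_ack[]  = {53, 1, 5, 43, 4, 0xde, 0xad, 0xbe, 0xef, 255};
static const uint8_t bad_len[]   = {53, 1, 5, 43, 200, 0x01, 0x02, 255};
static const uint8_t truncated[] = {53, 1, 5, 43};

int main(void)
{
    printf("good_ack:  %d\n", vendor_option_len(good_ack, sizeof good_ack));
    printf("bad_len:   %d\n", vendor_option_len(bad_len, sizeof bad_len));
    printf("truncated: %d\n", vendor_option_len(truncated, sizeof truncated));
    return 0;
}
```

A client that receives `OPT_MALFORMED` should drop the whole message rather than use any option from it.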
Impact
Successful exploitation leads to a Denial-of-Service condition on the target device. The DHCP client may crash or enter an infinite loop, causing the device to become unresponsive. The attacker can disrupt the availability of the affected system, which may be used in building automation or control environments [1][2]. There is no indication that code execution or information disclosure is achievable through this specific vulnerability.
Mitigation
For Capital Embedded AR Classic R20-11, Siemens has released version V2303, which fixes the issue [1]. All users should update to V2303 or later. For Capital Embedded AR Classic 431-422, no fix is currently planned, and Siemens recommends applying general countermeasures as described in the advisory [1]. No workaround is provided other than network segmentation (e.g., disabling DHCP if not needed, using VLANs, or restricting broadcast access). This CVE is part of the "NUCLEUS:13" vulnerability set, and related products may have separate updates or mitigations [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: All versions
- Range: < V2303
- Siemens/Capital Embedded AR Classic 431-422 | v5 | Range: 0
- Siemens/Capital Embedded AR Classic R20-11 | v5 | Range: 0
References
- cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf (mitre, x_refsource_MISC)
- cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf (mitre, x_refsource_MISC)
- cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf (mitre, x_refsource_MISC)
- cert-portal.siemens.com/productcert/html/ssa-044112.html (mitre)
- cert-portal.siemens.com/productcert/html/ssa-114589.html (mitre)
- cert-portal.siemens.com/productcert/html/ssa-620288.html (mitre)