Unrated severity · NVD Advisory · Published Nov 9, 2021 · Updated Mar 11, 2025

CVE-2021-31889

Description

A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0). Malformed TCP packets with a corrupted SACK option lead to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Malformed TCP packets with a corrupted SACK option in Nucleus RTOS cause information leaks and denial-of-service in Siemens industrial products.

Vulnerability

CVE-2021-31889 is a vulnerability in the TCP/IP stack of the Nucleus Real-Time Operating System (RTOS) affecting Siemens products: Capital Embedded AR Classic 431-422 (all versions), Capital Embedded AR Classic R20-11 (all versions < V2303), PLUSCONTROL 1st Gen (all versions), and SIMOTICS CONNECT 400 (all versions < V0.5.0.0) [1][2][4]. Malformed TCP packets with a corrupted Selective Acknowledgment (SACK) option trigger the flaw [2]. The bug resides in the Nucleus NET component and is part of the "NUCLEUS:13" set of vulnerabilities [1][2].

Exploitation

An attacker requires network access to send specially crafted TCP packets to an affected device [1][2]. No authentication is needed. The attacker sends a TCP segment with an invalid SACK option, which the vulnerable TCP/IP stack processes incorrectly [2]. This can be done remotely over the network without user interaction.
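The advisory does not say which field of the SACK option is corrupted, so the following added example (not Siemens or Nucleus code) shows only the structural validation that RFC 2018 implies for a TCP options walker, with every length checked before an option body is read. The function name, status codes and sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for this example (hypothetical names). */
enum opt_status { OPT_OK = 0, OPT_TRUNCATED, OPT_BAD_LENGTH, OPT_BAD_SACK };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk a TCP options area (at most 40 bytes) and reject any option whose
 * length field would make the parser read outside the area. */
enum opt_status check_tcp_options(const uint8_t *opt, size_t len) {
    size_t i = 0;
    if (len > 40) return OPT_BAD_LENGTH;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == 0) return OPT_OK;               /* End of option list */
        if (kind == 1) { i++; continue; }           /* NOP padding */
        if (len - i < 2) return OPT_TRUNCATED;      /* no room for length byte */
        uint8_t olen = opt[i + 1];
        if (olen < 2) return OPT_BAD_LENGTH;        /* would stall or underflow */
        if (olen > len - i) return OPT_TRUNCATED;   /* body runs past the area */
        if (kind == 4 && olen != 2) return OPT_BAD_LENGTH; /* SACK-permitted */
        if (kind == 5) {                            /* SACK */
            /* RFC 2018: length is 2 + 8*n; the 40-byte cap limits n to 4. */
            if (olen < 10 || (olen - 2) % 8 != 0) return OPT_BAD_SACK;
            for (size_t b = i + 2; b < i + olen; b += 8) {
                /* Right edge must follow left edge in sequence space. */
                uint32_t d = be32(opt + b + 4) - be32(opt + b);
                if (d == 0 || d > 0x7fffffffu) return OPT_BAD_SACK;
            }
        }
        i += olen;
    }
    return OPT_OK;
}

/* Constructed sample option areas, not captured traffic. */
static const uint8_t good_sack[] = {1, 1, 5, 10, 0, 0, 0, 100, 0, 0, 0, 200};
static const uint8_t short_len[] = {5, 1, 0, 0};
static const uint8_t overrun[]   = {1, 1, 5, 18, 0, 0, 0, 100, 0, 0, 0, 200};
static const uint8_t inverted[]  = {5, 10, 0, 0, 0, 200, 0, 0, 0, 100};

int main(void) {
    printf("%d %d\n", check_tcp_options(good_sack, sizeof good_sack),
           check_tcp_options(overrun, sizeof overrun));
    return 0;
}
```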

Impact

Successful exploitation leads to an information leak (reading sensitive memory contents) and a denial-of-service condition (device crash or hang) [1][2]. The CVSS v3.1 base score is 9.8 (Critical) [1][2]. The attacker gains the ability to disrupt device availability and potentially exfiltrate data from the affected product's memory.

Mitigation

Siemens released updates for some products: SIMOTICS CONNECT 400 should be updated to V0.5.0.0 or later [4]; Capital Embedded AR Classic R20-11 should be updated to V2303 [1]. For Capital Embedded AR Classic 431-422 and PLUSCONTROL 1st Gen, no fix is currently planned; Siemens recommends network segmentation and limiting network access as mitigations [1][3]. All affected products should be operated in a protected IT environment following the vendor's general security recommendations [4].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
