Medical devices at risk from Siemens Nucleus vulnerabilities

Thirteen bugs, including a critical security flaw, have been patched in the Siemens Nucleus TCP/IP stack, a vital component for millions of connected medical devices.

Manufacturers of medical appliances will be scrambling to update their firmware following the disclosure of more than a dozen security vulnerabilities in a critical Siemens software component.

The team at Forescout Technologies said the flaws, dubbed Nucleus:13, expose as many as 3 billion devices to remote attack, most notably bedside and operating room medical appliances.

The vulnerabilities lie in Nucleus NET, the TCP/IP networking stack of the Nucleus real-time operating system, which Siemens now maintains. The software dates back to 1993 and is particularly popular in embedded systems, with hundreds of hardware vendors using the stack in some form.

The flaws range from 5.3 (medium) to 9.8 (critical) on the Common Vulnerability Scoring System (CVSS) and allow for everything from denial of service to remote code execution. The most severe is CVE-2021-31886, a remote code execution vulnerability in the Nucleus FTP server caused by a stack-based buffer overflow: the server does not validate the length of the argument to the 'USER' command before copying it into a fixed-size buffer.
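The bug class behind that FTP flaw is easy to see in a few lines of C. The following is an added illustration, not Nucleus source code: it shows a 'USER' handler that copies the command argument into a fixed stack buffer without checking its length, next to a length-checked version that rejects over-long names instead of truncating them. The buffer size (USERNAME_MAX), the function names and the reply-code mapping are assumptions chosen for the example.

```c
/* Illustrative FTP "USER" command handler: the unbounded-copy pattern
 * behind CVE-2021-31886 next to a length-checked version. Added example,
 * not Nucleus source. USERNAME_MAX, the function names and the reply-code
 * mapping are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define USERNAME_MAX 32          /* assumed size of the fixed username buffer */

enum ftp_status {
    FTP_OK = 0,          /* "331 User name okay, need password" */
    FTP_BAD_CMD = -1,    /* "500 Syntax error, command unrecognized" */
    FTP_NEED_ARG = -2,   /* "501 Syntax error in parameters" */
    FTP_TOO_LONG = -3    /* "501": argument does not fit the buffer */
};

/* RFC 959 command verbs are case-insensitive; match "USER " at line start. */
static int is_user_cmd(const char *line)
{
    const char *cmd = "USER ";
    for (size_t i = 0; cmd[i] != '\0'; i++) {
        if (line[i] == '\0' || toupper((unsigned char)line[i]) != cmd[i])
            return 0;
    }
    return 1;
}

/* VULNERABLE PATTERN (never call with attacker-controlled input): the
 * argument is copied into a fixed stack buffer with no length check, so a
 * USER line longer than USERNAME_MAX bytes overwrites the stack frame. */
int ftp_user_unsafe(const char *line)
{
    char name[USERNAME_MAX];
    if (!is_user_cmd(line))
        return FTP_BAD_CMD;
    strcpy(name, line + 5);           /* stack-based overflow on long input */
    name[strcspn(name, "\r\n")] = '\0';
    return name[0] ? FTP_OK : FTP_NEED_ARG;
}

/* HARDENED: measure the argument first and refuse anything that does not
 * fit, rather than truncating silently (truncation would let two different
 * inputs resolve to the same account name). */
int ftp_user_safe(const char *line, char *name, size_t name_len)
{
    const char *arg;
    size_t n;

    if (!is_user_cmd(line))
        return FTP_BAD_CMD;
    arg = line + 5;
    n = strcspn(arg, "\r\n");         /* argument ends at CRLF or NUL */
    if (n == 0)
        return FTP_NEED_ARG;
    if (n >= name_len)                /* leave room for the terminator */
        return FTP_TOO_LONG;
    memcpy(name, arg, n);
    name[n] = '\0';
    return FTP_OK;
}

int main(void)
{
    char name[USERNAME_MAX];
    char oversized[72];               /* constructed over-long USER line */

    printf("USER alice   -> %d\n", ftp_user_safe("USER alice\r\n", name, sizeof name));
    memset(oversized, 'A', sizeof oversized);
    memcpy(oversized, "USER ", 5);
    oversized[sizeof oversized - 3] = '\r';
    oversized[sizeof oversized - 2] = '\n';
    oversized[sizeof oversized - 1] = '\0';
    printf("USER AAAA... -> %d (rejected, %zu-byte argument)\n",
           ftp_user_safe(oversized, name, sizeof name),
           strcspn(oversized + 5, "\r\n"));
    return 0;
}
```

The check that matters is `n >= name_len` before the copy: the hardened handler never writes more than the caller's buffer can hold, and a rejected login attempt is a far better outcome on a bedside device than a silently overwritten stack frame.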

Two other bugs will allow for remote code execution, while six others allow for denial-of-service attacks. Two flaws allow information leaks, and one results in a 'confused deputy' situation. The remaining two CVE entries are application-dependent, meaning the risk will vary depending on how the TCP/IP stack is configured.

In the case of a critical medical device, such as an anesthesia machine or heart monitor, a denial of service can become an extremely dangerous condition, perhaps even more so than flaws that would otherwise be considered more severe in other devices.

While Siemens has released an update to address the flaws in Nucleus, it is up to the hundreds of individual vendors to assess the risk the vulnerabilities pose to each of their products, apply the update and push it out to the devices in the field. Forescout said this could take month

Even then, individual companies and hospitals will need to make sure their IT staff and management are able to prioritize the risks and take the vital machines offline and update their firmware. That is not always practical.

"The diversity of specialized devices that are common in healthcare environments creates something that we call device diversity. The implication of this within an organization is that patching vulnerabilities will be more time consuming," the Forescout team told SearchSecurity.

"In networks with high device diversity, security operators must spend a considerable amount of time to identify and patch vulnerable devices."

The risk is serious enough that the report has prompted an alert from the U.S. Cybersecurity and Infrastructure Security Agency, advising companies to take basic security measures to protect their internal networks and update vulnerable devices once updates are available.

The report on the Siemens Nucleus flaws is the final installment of Forescout's Project Memoria, which focused on security vulnerabilities in TCP/IP software stacks. The vendor previously published four other reports on such flaws, including the Amnesia:33 vulnerabilities in four open source stacks that affected millions of IT, IoT and operational technology devices.
