Nucleus RTOS TCP/IP Stack vulnerabilities
Canon Medical Systems Security Advisory
Overview:
It was announced that there are security vulnerabilities in the TCP/IP stack and related services (FTP, TFTP) of the networking component (Nucleus NET) in the Nucleus Real-Time Operating System (RTOS). These vulnerabilities are also tracked as the name NUCLEUS:13. These vulnerabilities allow for remote code execution (RCE), denial of service (DoS), and information leak.
Vulnerability Overview:
| CVE ID | Description | Potential Impact | CVSS v3.1 |
| CVE-2021-31344 | ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. | Confused deputy | 5.3 |
| CVE-2021-31345 | The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. | Application-dependent | 7.5 |
| CVE-2021-31346 | The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. | Information leak / DoS | 8.2 |
| CVE-2021-31881 | When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. | DoS | 7.1 |
| CVE-2021-31882 | The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. | DoS | 6.5 |
| CVE-2021-31883 | When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. | DoS | 7.1 |
| CVE-2021-31884 | The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions. | Application-dependent | 8.8 |
| CVE-2021-31885 | TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands. | Information leak | 7.5 |
| CVE-2021-31886 | FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. | RCE | 9.8 |
| CVE-2020-31887 | FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. | RCE | 8.8 |
| CVE-2021-31888 | FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. | RCE | 8.8 |
| CVE-2021-31889 | Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions. | DoS | 7.5 |
| CVE-2021-31890 | The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. | DoS | 7.5 |
Possible Affected Canon Medical Systems Products:
Canon Medical Systems Corporation is not using Nucleus RTOS in its products.
Affected Canon Medical Systems Products
・ None
Canon Medical Products under investigation
・ None
Resolution:
・ None
Social Media
