Millions Of Devices Susceptible To Critical Nucleus Net Vulnerabilities

BACKGROUND:

Researchers at Forescout have today disclosed a new set of critical Nucleus Net vulnerabilities, dubbed NUCLEUS:13. 

The vulnerabilities, which may be present in millions of devices that deploy the code owned by Siemens, could lead to remote code execution, denial-of-service attacks and data leaks. The Nucleus TCP/IP stack, originally released in 1993, is still widely used in critical safety devices operated by hospitals and the healthcare industry, including anaesthesia machines, patient monitors, building automation systems, lighting controls and ventilation. If the vulnerabilities are exploited, bad actors can use them to take target devices offline or assume control of healthcare operations.

Experts Comments

November 10, 2021
John Goodacre
Director of UKRI’s Digital Security and Professor of Computer Architecture
The University of Manchester

It is not unusual for software to reuse software in a new product or service. It is currently estimated that around 80% of new software code is reused code. As seen here, even well-used software can still have vulnerabilities. Reusing software in a new way can also expose new vulnerabilities that any reused test cases do not cover. Despite software development processes becoming much more aware of how such vulnerabilities occur, today's technologies cannot block these vulnerabilities from being exploited. Moving to a cybersecurity model in which technology can be secured by design, and stop vulnerabilities from being exploited would not only highlight potential issues in reused code, but can also deliver new capabilities to deliver products to be secure by default. A UK Government initiative known as Digital Security by Design (DSbD) is working to transform digital technology in this way and create a resilient and secure foundation for a safer future.
