BACKGROUND:
Researchers at Forescout have today disclosed a new set of critical Nucleus Net vulnerabilities, dubbed NUCLEUS:13.
The vulnerabilities, which may be present in millions of devices built on the Siemens-owned code, could allow remote code execution, denial of service and information leakage. The Nucleus TCP/IP stack, originally released in 1993, is still widely used in safety-critical devices operated by hospitals and the wider healthcare industry, including anaesthesia machines and patient monitors, as well as building automation systems, lighting controls and ventilation. If exploited, the flaws could let attackers take target devices offline or take control of healthcare operations.
It is not unusual for a new product or service to reuse existing software. It is currently estimated that around 80% of the code in a new piece of software is reused code. As seen here, even widely used software can still contain vulnerabilities, and reusing software in a new context can expose vulnerabilities that the reused test cases do not cover. Although software development processes have become much more aware of how such vulnerabilities arise, today's technologies cannot block them from being exploited. Moving to a cybersecurity model in which technology is secured by design, so that vulnerabilities cannot be exploited, would not only highlight potential issues in reused code but also deliver new capabilities for building products that are secure by default. A UK Government initiative known as Digital Security by Design (DSbD) is working to transform digital technology in this way and to create a resilient and secure foundation for a safer future.