You may be aware of the recent media alert titled "Nucleus:13 vulnerabilities" concerning the Siemens Embedded Software Solutions Nucleus RTOS. Siemens Embedded strives to avoid software defects, but uncovering security vulnerabilities is a regular and ongoing part of business for a software company.
Fortunately, Siemens has a stringent in-house process to uncover Common Vulnerability and Exposures (CVE) including the Siemens dedicated security monitoring team who works with leading industry security research agencies to uncover software vulnerabilities. When vulnerabilities are found, we work directly with these experts to quickly provide the appropriate fixes for these vulnerabilities. Our customers can then quickly integrate those fixes into their devices and eliminate potential infiltration by malicious actors in the future.
"Among all the vendors, Siemens is the only one that has publicly stated to be affected by the vulnerabilities in all the disclosure phases. So far, Siemens has issued 12 advisories based on Project Memoria’s findings. Siemens is also the vendor that issues 31% of ICS-CERT alerts in 2020. This is not a coincidence and is far from implying that Siemens’ devices are less secure than others. On the contrary, it shows that they have a mature product security program and that they are open to acknowledging and publishing issues that affect their products. It also indicates that several other similar vendors have not taken the same proactive approach and may be leaving their customers vulnerable"
As a current or past customer of the Nucleus operating system, we felt it is important to bring your attention to the recently discovered set of security vulnerabilities that could have an impact on some devices. Specifically, what the vulnerabilities are and the fixes we are making available.
Nucleus:13 is a set of 13 Common Vulnerabilities and Exposures (CVEs) affecting portions of the Nucleus RTOS networking components. The new vulnerabilities allow for Remote Code Execution or Denial of Service attacks under specific operating conditions.
Siemens delivers embedded development tools that enable device manufacturers to quickly design and build high-quality connected devices – including those with rich user interfaces, cloud-based remote management, or safety certification. Base technologies include Linux, the Nucleus real-time operating system, advanced multicore runtime, and IoT enablement & development tools.