IPv6 Header Processing Vulnerability in Siemens Capital VSTAR and Nucleus Products
CVE-2021-25663

8.7HIGH

Key Information:

Vendor: Siemens
Status: Capital Embedded Ar Classic 431-422; Capital Embedded Ar Classic R20-11; Nucleus Net; Nucleus Readystart V3
Vendor: CVE Published:; 22 April 2021

What is CVE-2021-25663?

A vulnerability has been reported in Siemens Capital VSTAR and other Nucleus products that affects the processing of IPv6 headers. Specifically, the issue arises from the lack of proper validation of extension header option lengths, potentially allowing an attacker to exploit this weakness. By crafting malicious length values, an attacker can cause the function that processes these headers to enter an infinite loop, which could lead to denial of service and disruption of service availability across affected systems.

Affected Version(s)

Capital Embedded AR Classic 431-422 0

Capital Embedded AR Classic R20-11 0

Nucleus NET All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-24828...

x_refsource_MISC

https://us-cert.cisa.gov/ics/advisories/icsa-21-103-05

x_refsource_CONFIRM

https://cert-portal.siemens.com/productcert/html/ssa-2482...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2021
Vulnerability Reserved
Jan 21, 2021