Vedere Labs and JFrog Security Research discover 14 new vulnerabilities affecting closed source TCP/IP stack NicheStack, allowing for Denial of Service or Remote Code Execution primarily affecting operational technology (OT) and industrial control system (ICS) devices.
Device Manufacturers Affected
Vedere Labs partnered with JFrog Security Research to disclose INFRA:HALT, a set of 14 new vulnerabilities affecting the HCC-owned, closed source TCP/IP stack NicheStack. NicheStack was originally developed by InterNiche Technologies and has been in use for 20 years across critical infrastructure sectors. Nearly all major industrial automation vendors incorporate NicheStack in their products and solutions.
The Impact of INFRA:HALT
INFRA:HALT vulnerabilities impact the closed source TCP/IP stack NicheStack, which is used in millions of OT and ICS devices, especially in the discrete and process manufacturing industries. Among the vulnerabilities are DNS cache poisoning, TCP spoofing, Denial of Service and Remote Code Execution. Successful attacks can result in OT and ICS devices being taken offline and having their logic hijacked. Hijacked devices can in turn be used to spread malware to the other systems they communicate with on the network.
Dive into the Research
This report discloses 14 vulnerabilities for the closed source TCP/IP stack NicheStack and proposes solutions for enterprise network operators, OT and ICS device developers and the cybersecurity community. Learn which types of devices are vulnerable to exploitation and the characteristics that make them vulnerable, as well as immediate steps you can take to mitigate risks.
Risk Mitigation Strategies
In this blog, security researchers from Vedere Labs and JFrog Security Research break down the findings from their technical research report and discuss how other researchers, developers, vendors and enterprise customers can mitigate the risks of these vulnerabilities.
Learn How Forescout Can Help
Forescout recently released an open-source script to discover devices running the vulnerable TCP/IP stack NicheStack. Our FAQ includes insights into patching and remediation, segmentation enforcement and configuring devices to rely on internal DNS servers and monitoring network traffic for malicious packets.
Complete protection against INFRA:HALT requires patching devices running the vulnerable versions of NicheStack. HCC Embedded has made its official patches available upon request, and device vendors using this software should provide their own updates to customers.
Given that patching OT devices is notoriously difficult due to their mission-critical nature, Forescout recommends the following mitigation strategy:
- Discover and inventory devices running NicheStack. Vedere Labs has released an open-source script that uses active fingerprinting to detect devices running NicheStack. The script is updated constantly with new signatures to follow the latest development of our research. Forescout has also released an updated Security Policy Template (SPT) for eyeSight to detect devices running the stack (more details below).
- Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.
- Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements.
- Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible 0-days. Anomalous and malformed traffic should be blocked, or network operators should at least be alerted to its presence. Forescout has released a script for eyeInspect that detects exploitation attempts against the vulnerabilities in INFRA:HALT.
How Forescout Can Help
eyeSight uses the Security Policy Templates (SPTs) module to identify and group vulnerable/potentially vulnerable devices. A new version of the SPT package, which can identify devices vulnerable to INFRA:HALT can be downloaded here.
eyeInspect can detect exploitation attempts using the following scripts:
- “INFRA:HALT Monitor” detects exploitation attempts against the InterNiche webserver: CVE-2021-27565, CVE-2021-31226, CVE-2021-31227.
- “Threat Detection Add-Ons” contains detection logic for malformed DNS packets (among many others) that can detect various exploitation attempts against DNS clients, namely: CVE-2020-25928, CVE-2020-25767, and CVE-2020-25927. This script also detects exploitation attempts of vulnerabilities disclosed during the NAME:WRECK and AMNESIA:33 research.
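As an added example (not Forescout's eyeInspect script and not NicheStack code), the following Python applies the kind of structural checks a "malformed DNS packet" rule relies on: compression pointers must point backwards and never loop, labels stay within 63 bytes and names within 255, and RDLENGTH must fit inside the datagram. The sample responses for the hypothetical host plc.local are constructed, not captured traffic.

```python
import struct

def name_end(pkt, off):
    # Walks one DNS name (RFC 1035 4.1.4 compression included) and returns the offset just past it.
    total, seen, end = 0, set(), None
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                          # compression pointer
            if off + 2 > len(pkt):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if ptr >= off or ptr in seen:                   # must point backwards, never loop
                raise ValueError("bad compression pointer")
            seen.add(ptr)
            end = off + 2 if end is None else end          # name ends after the first pointer
            off = ptr
            continue
        if length & 0xC0 or length > 63:
            raise ValueError("bad label length")
        if length == 0:
            return off + 1 if end is None else end
        total += length + 1
        if total > 255 or off + 1 + length > len(pkt):
            raise ValueError("name too long or truncated")
        off += 1 + length

def check_response(pkt):
    # Returns None when the response is structurally sound, else the reason it is not.
    try:
        qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)   # header section counts
        off = 12
        for _ in range(qd):
            off = name_end(pkt, off) + 4                    # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = name_end(pkt, off)
            off += 10 + struct.unpack_from("!H", pkt, off + 8)[0]   # RR header + RDLENGTH
        if off > len(pkt):
            raise ValueError("RDLENGTH or question runs past end of packet")
        return None
    except (ValueError, struct.error) as exc:
        return str(exc)

# Constructed sample responses to an A query for plc.local (not captured traffic).
HDR_Q = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x03plc\x05local\x00\x00\x01\x00\x01"
RR_HDR = b"\x00\x01\x00\x01\x00\x00\x00\x3c"                # type A, class IN, TTL 60
GOOD = HDR_Q + b"\xc0\x0c" + RR_HDR + b"\x00\x04\x0a\x00\x00\x05"          # pointer to question, RDLENGTH 4
BAD_RDLENGTH = HDR_Q + b"\xc0\x0c" + RR_HDR + b"\x04\x00\x0a\x00\x00\x05"  # claims 1024 bytes of RDATA
BAD_POINTER = HDR_Q + b"\xc0\x1b" + RR_HDR + b"\x00\x04\x0a\x00\x00\x05"   # points to offset 27: itself
```

Fed with UDP payloads from a capture, `check_response` flags the same classes of malformation (oversized RDLENGTH, looping or forward compression pointers, bad label lengths) that embedded DNS clients have historically mishandled, while passing well-formed answers.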
eyeSegment provides network flow mapping of existing communications, which helps to identify unintended communications and enforce appropriate segmentation controls. Once vulnerable devices have been identified, they can be logically grouped to decrease the communications allowed to or from them, thereby limiting the likelihood of compromise and the blast radius if a compromise occurs.