Overview
Recently, researchers from JFrog and Forescout released a joint report to publicly disclose 14 security vulnerabilities (collectively referred to as INFRA:HALT) in the NicheStack TCP/IP stack, announcing that these vulnerabilities could lead to remote code execution, denial of service, information disclosure, TCP spoofing, or DNS cache poisoning. Researchers noted that attackers that successfully exploited the INFRA:HALT vulnerabilities could damage the building’s HVAC system or take over the controllers used for manufacturing and other critical infrastructure, causing OT and ICS devices to get offline and hijacked. Also, attackers could spread malware through the hijacked device.
CVE-2020-25928: An out-of-bounds read/write during DNS response parsing could lead to remote code execution. It is assigned a CVSS score of 9.8.
CVE-2021-31226: A heap-based buffer overflow vulnerability during HTTP POST request parsing could lead to arbitrary code execution. It is assigned a CVSS score of 9.1.
CVE-2020-25927: An out-of-bounds read during DNS response parsing could lead to a denial of service. It is assigned a CVSS score of 8.2.
CVE-2020-25767: An out-of-bounds read during DNS resolution could lead to a denial of service. It is assigned a CVSS score of 7.5.
CVE-2021-31227: A heap-based buffer overflow vulnerability during HTTP POST request parsing could lead to arbitrary code execution. It is assigned a CVSS score of 7.5.
CVE-2021-31400: An infinite loop scenario in TCP out-of-bounds urgent data processing could lead to a denial of service. It is assigned a CVSS score of 7.5.
CVE-2021-31401: An integer overflow vulnerability in TCP header processing code. It is assigned a CVSS score of 7.5.
CVE-2020-35683: An out-of-bounds read during ICMP packet parsing could lead to a denial of service. It is assigned a CVSS score of 7.5.
CVE-2020-35684: An out-of-bounds read during TCP packet parsing could lead to a denial of service. It is assigned a CVSS score of 7.5.
CVE-2020-35685: Predictable ISNs in TCP connections lead to TCP spoofing. It is assigned a CVSS score of 7.5.
CVE-2021-27565: A denial of service occurs when an unknown HTTP request is received. It is assigned a CVSS score of 7.5.
CVE-2021-36762: An out-of-bounds read in TFTP packet handling could lead to a denial of service. It is assigned a CVSS score of 7.5.
CVE-2020-25926: Insufficiently random transaction IDs cause cache poisoning in the DNS client. It is assigned a CVSS score of 4.0. CVE-2021-31228: The source port of DNS requests can deliver spoofed DNS response packets, causing cache poisoning. It is assigned a CVSS score of 4.0.
NicheStack (also known as InterNiche) is a commonly-used, proprietary TCP/IP stack for embedded system. It is designed to provide Internet connectivity to industrial devices. It is used in production environments by at least 200 suppliers and deployed in millions of OT devices in a wide array of critical infrastructure sectors like manufacturing plants, power generation, and water treatment.
Reference links:
https://jfrog.com/blog/infrahalt-14-new-security-vulnerabilities-found-in-nichestack/
Scope of Impact
Affected Versions
- NicheStack < 4.3
Unaffected Versions
- NicheStack = 4.3
Check for the Vulnerabilities
Manual Check
Users can use an open-source script (continuous signature update) released by Forescout to detect devices running NicheStack:
https://github.com/Forescout/project-memoria-detector
Users are advised to implement segmentation controls to monitor for all malicious traffic to lower security risks of devices susceptible to attacks.
Mitigation
Official Fix
Currently, HCC Embedded has released new versions to fix the vulnerabilities. Affected users are advised to upgrade NicheStack as soon as possible from the following link:
https://www.hcc-embedded.com/support/security-advisories
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
