Security analysts at Forescout Research and JFrog Security Research have discovered 14 vulnerabilities in NicheStack, a proprietary TCP/IP stack used in a wide range of operational technology (OT) devices from more than 200 manufacturers, including most major industrial automation vendors.
The vulnerabilities — which the researchers have collectively named Infra:Halt — enable remote code execution attacks, denial-of-service attacks, information leaks, DNS cache poisoning, and TCP spoofing. While many of the affected devices are likely to have one or more of the vulnerabilities present in their NicheStack implementation, few are likely to have all of them at the same time.
Forescout Research and JFrog Security Research discovered the vulnerabilities in NicheStack as part of a broader investigation into security weaknesses in widely used TCP/IP stacks that the former has been leading over the past year under an initiative called Project Memoria.
Twelve of the 14 newly disclosed Infra:Halt vulnerabilities have severity ratings of 7.5 or higher on the 10-point CVSS rating scale, meaning they are critical in nature. Two of the flaws — CVE -2020-25928 and CVE-2021-31226 — enable remote code execution, eight allow for denial-of-service (DoS) attacks, two enable DNS cache poisoning, and one is app-dependent. Vulnerabilities stemmed from memory corruption issues, weak initial sequence number (ISN) generation, DNS-related flaws, and insufficient random values — issues that Forescout says it encountered during its investigations into other TCP/IP stacks.
Forescout researcher Daniel dos Santos says threat actors that can successfully exploit some of these vulnerabilities — such as the remote code execution bugs — could potentially hijack industrial control system (ICS) and OT devices and use them to distribute malware, compromise other systems, and execute other malicious actions.
"The different vulnerabilities have different uses for an attacker," dos Santos says. "There are some that can be used to gain an entry point into a network. There are some that can be used to deliver a final attack payload."
The DoS flaws are straightforward to execute for any attacker with local access to a vulnerable system, he says. The remote code execution flaws are slightly more complicated to take advantage of and require the attacker to have some knowledge about things like the memory layout of the device. "It's more difficult, but it's not impossible and not something that requires months or significant budgets," dos Santos says.
The public disclosure of the vulnerabilities last week prompted the US Cybersecurity & Infrastructure Security Agency (CISA) to issue an advisory, notifying organizations across multiple critical infrastructure sectors of the issue and to implement baseline mitigations to reduce risk from attacks targeting the flaws.
NicheStack is a TCP/IP stack that a company called InterNiche Technologies developed in 1996. A list of customers that Forescout obtained from a legacy InterNiche website shows that several top industrial automation vendors — including Siemens, Schneider Electric, Rockwell Automation Mitsubishi Electric, Emerson, and Honeywell — are among the more than 200 vendors that have used the stack. Forescout says that over the years NicheStack and components of it have also been distributed by original equipment manufacturers such as Altera, STMicroelectronics, and Microchip for use in various real-time operating systems. Hungary-based HCC Embedded acquired InterNiche in 2016 and currently is the maintainer of NicheStack.
Dos Santos says the way in which NicheStack has been used over the years makes it almost impossible to arrive at a precise estimate of the number of affected devices. But potentially millions of devices could have the vulnerabilities in them given the fact that NicheStack has been around for 20 years, and numerous vendors have devices that incorporate the stack in their products, he says. An Internet search that Forescout conducted using the Shodan search engine and its own device cloud service uncovered thousands of vulnerable devices. The most affected industries were process manufacturing, retail, and discrete manufacturing.
The only way to completely protect against the vulnerabilities is to apply the patches that HCC Embedded has released. Forescout says the patches are available on request from HCC and device vendors using the software should make the updates available to their customers. The vulnerabilities are present in all versions of NicheStack before version 4.3. Therefore, organizations can also update to version 4.3 or later to address the vulnerabilities.
In its advisory, CISA recommended several mitigations for organizations that are unable to apply the patches. Suggested measures include minimizing network expose for all ICSs and devices using vulnerable versions of NicheStack and ensuring the systems are not directly accessible over the Internet. Organizations should also consider putting vulnerable systems behind firewalls and isolating them from the corporate network. If remote access is required to a vulnerable system, CISA said, organizations should use a secure VPN to protect that access.