OT Vulnerabilities found on NicheStack
As identified by Forescout Research Labs and JFrog Security Research, a collection of 14 new vulnerabilities known as INFRA:HALT is affecting the NicheStack TCP/IP stack used in numerous OT devices. It is installed in critical operations such as manufacturing plants, power generation, water treatment, and important infrastructure sectors.
The INFRA:HALT allows the attacker to perform activities including executing code on remote machines, denial of service, critical leak of information, TCP spoofing, or DNS spoofing.
It is worthy to note that these vulnerabilities can be a doorway to enhanced risk and expose critical national infrastructure, where industry is already experiencing major attacks against utilities such as oil and gas pipeline, healthcare, supply chain, and the like.
In the connected world of the present, Forescout has been on the mission to analyze the security implications of networks. They examine the cybersecurity challenges and help the organization combat these threats and risks. JFrog is also on a similar page and strives to uncover and mitigate software risks in apps and devices.
Designed for use in embedded systems, NicheStack is a closed source network layer and application implementation for operating systems, It is used by major industrial automation vendors in their programmable logic controllers (PLCs) and other products.
The list of 14 vulnerabilities is as follows –
- CVE-2020-25928 (CVSS score: 9.8) – An out-of-bounds read/write when parsing DNS responses, leading to remote code execution
- CVE-2021-31226 (CVSS score: 9.1) – A heap buffer overflow flaw when parsing HTTP post requests, leading to remote code execution
- CVE-2020-25927 (CVSS score: 8.2) – An out-of-bounds read when parsing DNS responses, leading to denial-of-service
- CVE-2020-25767 (CVSS score: 7.5) – An out-of-bounds read when parsing DNS domain names, leading to denial-of-service and information disclosure
- CVE-2021-31227 (CVSS score: 7.5) – A heap buffer overflow flaw when parsing HTTP post requests, leading to denial-of-service
- CVE-2021-31400 (CVSS score: 7.5) – An infinite loop scenario in the TCP out of band urgent data processing function, causing a denial-of-service
- CVE-2021-31401 (CVSS score: 7.5) – An integer overflow flaw in the TCP header processing code
- CVE-2020-35683 (CVSS score: 7.5) – An out-of-bounds read when parsing ICMP packets, leading to denial-of-service
- CVE-2020-35684 (CVSS score: 7.5) – An out-of-bounds read when parsing TCP packets, leading to denial-of-service
- CVE-2020-35685 (CVSS score: 7.5) – Predictable initial sequence numbers (ISNs) in TCP connections, leading to TCP spoofing
- CVE-2021-27565 (CVSS score: 7.5) – A denial-of-service condition upon receiving an unknown HTTP request
- CVE-2021-36762 (CVSS score: 7.5) – An out-of-bounds read in the TFTP packet processing function, leading to denial-of-service
- CVE-2020-25926 (CVSS score: 4.0) – The DNS client does not set sufficiently random transaction IDs, causing cache poisoning
- CVE-2021-31228 (CVSS score: 4.0) – The source port of DNS queries can be predicted to send forged DNS response packets, causing cache poisoning
The cybersecurity researchers pointed out that these vulnerabilities can enable the attackers to hijack a building’s HVAC system or disrupt controllers used in the infrastructure. They added that if the threat actors get successful, they can easily hijack the logic of OT and ICS devices, spreading malware over the network they communicate on.
The vulnerabilities discovered here are part of Project Memoria initiated by Forescout in order to address security concerns of the modern TCP/IP stack. The research specialist also highlights that controlling the impact of INFRA:HALT is challenging due to the complex nature of OT devices. In order to minimize the effect, the team has released an open-source script to identify devices running NicheStack. It’s also advised to incorporate segmentation control and monitor all traffic on the network to mitigate the risk.