Endpoint Security , Governance & Risk Management , Open XDR

Researchers Disclose 14 Flaws in NicheStack

Exploits Could Enable Several Types of Attacks
Researchers Disclose 14 Flaws in NicheStack

The widely used NicheStack TCP/IP stack has 14 vulnerabilities that, if exploited, could allow for remote code execution, denial of service, information leaks, TCP spoofing or DNS cache poisoning, according to researchers at Forescout and JFrog. But patches are now available.

See Also: Improving Operational Resilience Through OT and IoT Visibility and Security

So far, there is no evidence these flaws have been exploited, a Forescout spokesperson says. On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory describing the vulnerabilities, saying users and administrators should review the ICS Advisory ICSA-21-217-01 HCC Embedded InterNiche TCP/IP Stack NicheLite and apply the necessary updates and mitigations.

NicheStack is a proprietary TCP/IP stack developed by InterNiche Technologies in 1996 and now offered by the company HCC Embedded. Users of the stack include many OT device and critical infrastructure providers and vendors, including Emerson, Honeywell, Schneider Electric, Mitsubishi Electric and Rockwell Automation.

The flaws - which the researchers named "INFRA:HALT" - have the potential "to cause even more widespread disruption at a time when we’re already seeing an increased number of attacks against multiple global utility, oil and gas, healthcare and supply chain organizations,” says Daniel dos Santos, research manager at Forescout Research Labs. “We urge organizations to take protective measures against INFRA:HALT, which requires limiting the network exposure of critical vulnerable devices via network segmentation and patching devices when vendors release patches.” HCC recommends users apply release v4.3, which contains patches to fix the issue.

NicheStack is one of four embedded TCP/IP protocol stacks developed by InterNiche Technologies and now sold by HCC Embedded. It's used to connect embedded devices, such as the Siemens S7 line of PLCs. The IP layer in NicheStack is manually configurable and thus can be used as a client machine, an IP router or a multi-homed server.

The INFRA:HALT Vulnerabilities

The vulnerabilities, if exploited, could allow attackers to carry out a variety of malicious activities. The researchers say that two of the flaws, CVE-2020-25928 and CVE-2021-31226, could enable attackers to gain remote code execution privileges, which the researchers explained with a theoretical example as shown in the figure below:

Attack scenario (Source: Forescout)

As illustrated, an attacker could send a specially crafted DNS request to the INTER:HALT vulnerable device. This malicious request consists of a shellcode that instructs Device 1 to send a malicious FTP packet to Device 2 on the same network, which in this example is assumed to be a programmable logic controller. The malicious FTP packet, in turn, causes the PLC to crash and ultimately leads to a complete failure of all further processes.

The Affected Parties

A search on the Shodan search engine by Forescout showed that more than 6,400 devices are running NicheStack protocol, of which 6,360 run an HTTP server.

But Santos says more devices run the stack. "Since many of the affected devices are in operational technology, they should, by definition, not be accessible over the internet. Those 6,400 are mostly in misconfigured networks," he says.

Some 4,000 devices found in the Shodan search were in North America. The researchers said that their own database classified over 2,500 devices from 21 vendors across the globe that used NicheStack protocol.

Use of the NicheStack protocol is mainly associated with industrial control systems, including in the retail and manufacturing sectors, the researchers say.

Device functions running NicheStack (Source: Forescout)

Mitigations Available

HCC Embedded released patches in May 2021 as part of version 4.3. Other mitigation steps that Santos suggests network engineers and device vendors follow are:

  • Make sure all devices and services on a network are patched with the latest software.
  • Use segmentation to create air-gapped critical networks. Segmenting the network externally helps avoid exposure of vulnerable devices to other free online networks, and internal segmentation helps in limiting the organizational impact if these devices are exploited.
  • Monitor the network traffic for signs of exploitation.
  • For device vendors, use code-auditing tools and adopt protocols and security standards from designing to manufacturing.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.