INFRA:HALT flaws impact OT devices from hundreds of vendors

INFRA:HALT is a set of vulnerabilities affecting a popular TCP/IP library commonly OT devices manufactured by more than 200 vendors.

Security researchers from security teams at Forescout and JFrog have disclosed today 14 vulnerabilities that impact a popular TCP/IP library named NicheStack commonly used in industrial equipment and Operational Technology (OT) devices manufactured by more than 200 vendors.

NicheStack (aka InterNiche stack) is a proprietary TCP/IP stack developed originally by InterNiche Technologies and acquired by HCC Embedded in 2016

NicheStack is used by several devices in the Operational Technology (OT) and critical infrastructure space, such as the popular Siemens S7 line of PLCs.

“The new vulnerabilities allow for Remote Code Execution, Denial of Service, Information Leak, TCP Spoofing, or DNS Cache Poisoning.” states the report. “Forescout Research Labs and JFrog Security Research exploited two of the Remote Code Execution vulnerabilities in their lab and show the potential effects of a successful
attack.”

The flaw could be exploited by a threat actor that has gained access to the OT network of an organization.

Below is the list of vulnerabilities discovered by the experts:

“INFRA:HALT confirms earlier findings of Project Memoria, namely similar vulnerabilities appearing in different implementations, both open and closed source. In fact, INFRA:HALT includes examples of memory corruption like in
AMNESIA:33, weak ISN generation like in NUMBER:JACK and DNS vulnerabilities like in NAME:WRECK” continues the report.

The experts also provided an estimation of the impact of the INFRA:HALT vulnerabilities, the analysis was based on the following sources:

• A legacy InterNiche website listing its main customers, which includes a total of almost 200 device vendors.
• Shodan Queries show around 6,400 OT devices connected online in March. Experts “found
  more than 6,400 instances of devices running NicheStack (using the simple query “InterNiche”). Of those devices, the large majority (6360) run an HTTP server (query “InterNiche Technologies Webserver”), while the others ran mostly FTP (“Welcome to InterNiche embFtp server”), SSH (“SSH2.0-InternicheSSHServer (c)InterNiche”) or Telnet (“Welcome to InterNiche Telnet Server”) servers.”
• Forescout Device Cloud. Forescout Device Cloud is a repository of information of 13+ million devices monitored by Forescout appliances. Experts found more than 2,500 device instances from 21 vendors.

HCC Embedded has released firmware patches to address the INFRA:HALT issues.

The researchers also released Forescout’s Project Amnesia scanner to allow organizations to determine if the devices they are using are affected by these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, OT)

[adrotate banner=”5″]

[adrotate banner=”13″]