Researchers Disclose 14 Flaws in NicheStackExploits Could Enable Several Types of Attacks
The widely used NicheStack TCP/IP stack has 14 vulnerabilities that, if exploited, could allow for remote code execution, denial of service, information leaks, TCP spoofing or DNS cache poisoning, according to researchers at Forescout and JFrog. But patches are now available.
So far, there is no evidence these flaws have been exploited, a Forescout spokesperson says. On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory describing the vulnerabilities, saying users and administrators should review the ICS Advisory ICSA-21-217-01 HCC Embedded InterNiche TCP/IP Stack NicheLite and apply the necessary updates and mitigations.
NicheStack is a proprietary TCP/IP stack developed by InterNiche Technologies in 1996 and now offered by the company HCC Embedded. Users of the stack include many OT device and critical infrastructure providers and vendors, including Emerson, Honeywell, Schneider Electric, Mitsubishi Electric and Rockwell Automation.
The flaws - which the researchers named "INFRA:HALT" - have the potential "to cause even more widespread disruption at a time when we’re already seeing an increased number of attacks against multiple global utility, oil and gas, healthcare and supply chain organizations,” says Daniel dos Santos, research manager at Forescout Research Labs. “We urge organizations to take protective measures against INFRA:HALT, which requires limiting the network exposure of critical vulnerable devices via network segmentation and patching devices when vendors release patches.” HCC recommends users apply release v4.3, which contains patches to fix the issue.
NicheStack is one of four embedded TCP/IP protocol stacks developed by InterNiche Technologies and now sold by HCC Embedded. It's used to connect embedded devices, such as the Siemens S7 line of PLCs. The IP layer in NicheStack is manually configurable and thus can be used as a client machine, an IP router or a multi-homed server.
The INFRA:HALT Vulnerabilities
The vulnerabilities, if exploited, could allow attackers to carry out a variety of malicious activities. The researchers say that two of the flaws, CVE-2020-25928 and CVE-2021-31226, could enable attackers to gain remote code execution privileges, which the researchers explained with a theoretical example as shown in the figure below:
As illustrated, an attacker could send a specially crafted DNS request to the INTER:HALT vulnerable device. This malicious request consists of a shellcode that instructs Device 1 to send a malicious FTP packet to Device 2 on the same network, which in this example is assumed to be a programmable logic controller. The malicious FTP packet, in turn, causes the PLC to crash and ultimately leads to a complete failure of all further processes.
The Affected Parties
A search on the Shodan search engine by Forescout showed that more than 6,400 devices are running NicheStack protocol, of which 6,360 run an HTTP server.
But Santos says more devices run the stack. "Since many of the affected devices are in operational technology, they should, by definition, not be accessible over the internet. Those 6,400 are mostly in misconfigured networks," he says.
Some 4,000 devices found in the Shodan search were in North America. The researchers said that their own database classified over 2,500 devices from 21 vendors across the globe that used NicheStack protocol.
Use of the NicheStack protocol is mainly associated with industrial control systems, including in the retail and manufacturing sectors, the researchers say.
HCC Embedded released patches in May 2021 as part of version 4.3. Other mitigation steps that Santos suggests network engineers and device vendors follow are:
- Make sure all devices and services on a network are patched with the latest software.
- Use segmentation to create air-gapped critical networks. Segmenting the network externally helps avoid exposure of vulnerable devices to other free online networks, and internal segmentation helps in limiting the organizational impact if these devices are exploited.
- Monitor the network traffic for signs of exploitation.
- For device vendors, use code-auditing tools and adopt protocols and security standards from designing to manufacturing.