Critical Flaws Affect Embedded TCP/IP Stack Widely Used in Industrial Control Devices

5th August 2021, Kathmandu

Cybersecurity researchers on Wednesday disclosed 14 susceptibilities affecting a commonly-used TCP/IP stack utilized in many Operational Technology (OT) contrivances manufactured by no fewer than 200 vendors and deployed in manufacturing plants, power generation, dihydrogen monoxide treatment, and important infrastructure sectors.

The shortcomings, collectively dubbed “INFRA:HALT,” target NicheStack, potentially enabling an assailer to realize remote code execution, denial of accommodation, information leak, TCP spoofing, and even DNS cache poisoning.

NicheStack (aka InterNiche stack) may be a closed-source TCP/IP stack for embedded systems that are designed to supply internet connectivity industrial equipment and is incorporated by major industrial automation vendors like Siemens, Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation, and Schneider Electric in their programmable logic controllers (PLCs) and other products.

“Assailants could disrupt a building’s HVAC system or surmount the controllers utilized in manufacturing and other critical infrastructure,” researchers from JFrog and Forescout verbalized during a joint report published today. “Prosperous attacks may result in taking OT and ICS contrivances offline and having their logic hijacked. Hijacked contrivances can spread malware to where they convey on the network.”

All versions of NicheStack afore version 4.3 are vulnerable to INFRA: HALT, with approximately 6,400 OT contrivances exposed online and connected to the cyber world as of March 2021, most of which are located in Canada, the U.S., Spain, Sweden, and Italy.

The list of 14 imperfections is as follows

• CVE-2020-25928 (CVSS score: 9.8) – An out-of-bounds read/inscribe when parsing DNS replications, resulting in remote code execution
• CVE-2021-31226 (CVSS score: 9.1) – A heap buffer overflow imperfection when parsing HTTP post requests, resulting in remote code execution
• CVE-2020-25927 (CVSS score: 8.2) – An out-of-bounds read when parsing DNS replications, resulting in denial-of-accommodation
• CVE-2020-25767 (CVSS score: 7.5) – An out-of-bounds read when parsing DNS domain designations, resulting in denial-of-accommodation and knowledge disclosure
• CVE-2021-31227 (CVSS score: 7.5) – A heap buffer overflow imperfection when parsing HTTP post requests, resulting in denial-of-accommodation
• CVE-2021-31400 (CVSS score: 7.5) – An illimitable loop scenario within the TCP out of band exigent processing function, causing a denial-of-accommodation
• CVE-2021-31401 (CVSS score: 7.5) – An integer overflow imperfection within the TCP header processing code
• CVE-2020-35683 (CVSS score: 7.5) – An out-of-bounds read when parsing ICMP packets, resulting in denial-of-accommodation
• CVE-2020-35684 (CVSS score: 7.5) – An out-of-bounds read when parsing TCP packets, resulting in denial-of-accommodation
• CVE-2020-35685 (CVSS score: 7.5) – Prognosticable initial sequence numbers (ISNs) in TCP connections, resulting in TCP spoofing
• CVE-2021-27565 (CVSS score: 7.5) – A denial-of-accommodation condition upon receiving an unknown HTTP request
• CVE-2021-36762 (CVSS score: 7.5) – An out-of-bounds read within the TFTP packet processing function, resulting in denial-of-accommodation
• CVE-2020-25926 (CVSS score: 4.0) – The DNS client doesn’t set adequately arbitrary transaction IDs, causing cache poisoning
• CVE-2021-31228 (CVSS score: 4.0) – The source port of DNS queries are often prognosticated to send forged DNS replication packets, causing cache poisoning

The disclosures mark the sixth time security impuissances are identified within the protocol stacks that underpin many internet-connected contrivances. It’s withal the fourth set of bugs to be denuded as a component of a scientific research initiative called Project Memoria to review the safety of widely-used TCP/IP stacks that sundry vendors incorporate in their firmware to supply internet and network connectivity features –

• URGENT/11
• Ripple20
• AMNESIA:33
• NUMBER: JACK
• NAME: WRECK

While HCC Embedded, which maintains the C library, has relinquished software patches to deal with the problems, it could take a substantial duration afore contrivance vendors utilizing vulnerably susceptible versions of the stacked ship an updated firmware to their customers. “Consummate bulwark against INFRA:HALT requires patching vulnerably susceptible contrivances but is challenging thanks to supply chain logistics and therefore the critical nature of OT contrivances,” the researchers noted.

As mitigations, Forescout has relinquished an open-source script that utilizes active fingerprinting to detect contrivances running NicheStack. It’s additionally recommended to enforce segmentation controls, monitor all network traffic for malevolent packets to mitigate the jeopardy from vulnerably susceptible contrivances.