The INFRA:HALT vulnerabilities
14 vulnerabilities affecting a widely used TCP/IP stack were disclosed to the public on Wednesday. Codenamed “INFRA:HALT”, the flaws put at risk millions of Operational Technology devices in industries like water treatment, infrastructure, power generation and manufacturing.
The affected TCP/IP stack is NicheStack (also known as the InterNiche stack), a closed-source stack designed to provide internet connectivity to industrial equipment. NicheStack is embedded in the systems and products of prominent industrial automation vendors like Schneider Electric, Siemens, Mitsubishi Electric, Rockwell Automation, Emerson, and other leading companies.
According to the available information, the “INFRA:HALT” vulnerabilities found in the TCP/IP stack, if exploited, would allow an attacker to run arbitrary code, steal data, and perform attacks such as denial of service, TCP spoofing and DNS cache poisoning.
Researchers from Forescout and JFrog stated in a joint report that attackers who abuse the listed vulnerabilities might damage a building’s HVAC system or take over the controls used in manufacturing and other critical infrastructure. Successful attacks may result in the loss of network access and in the loss of control over systems and Operational Technology devices; a hijacked device may also spread malware to the other devices it communicates with on the network, in what is known as a network-borne infection.
As of March 2021, around 6,400 Operational Technology devices, most of which are situated in Canada, the U.S., Spain, Sweden, and Italy, are exposed online and are vulnerable to INFRA:HALT. As per the report, versions of NicheStack older than the latest version, 4.3, are at risk of being exploited.
Here is a list of the 14 INFRA:HALT flaws:
- CVE-2020-25928 (CVSS score: 9.8)
- CVE-2021-31226 (CVSS score: 9.1)
- CVE-2020-25927 (CVSS score: 8.2)
- CVE-2020-25767 (CVSS score: 7.5)
- CVE-2021-31227 (CVSS score: 7.5)
- CVE-2021-31400 (CVSS score: 7.5)
- CVE-2021-31401 (CVSS score: 7.5)
- CVE-2020-35683 (CVSS score: 7.5)
- CVE-2020-35684 (CVSS score: 7.5)
- CVE-2020-35685 (CVSS score: 7.5)
- CVE-2021-27565 (CVSS score: 7.5)
- CVE-2021-36762 (CVSS score: 7.5)
- CVE-2020-25926 (CVSS score: 4.0)
- CVE-2021-31228 (CVSS score: 4.0)
HCC Embedded has released a software patch that addresses the flaws. To provide complete protection against INFRA:HALT, the susceptible equipment must be patched immediately. However, researchers are concerned that this is difficult owing to the extensive structure of the supply chain and the criticality of the vulnerable Operational Technology devices.
An open-source script that detects devices running NicheStack through active fingerprinting is available as an additional mitigation measure. Segmentation controls and network traffic monitoring are also strongly recommended to minimize the possibility of network-based attacks. A firewall is also required to identify potentially malicious packets and reduce the danger coming from vulnerable devices.