Numerous industrial control devices at risk due to critical flaws in embedded TCP/IP stacks

The INFRA:HALT vulnerabilities

Fourteen vulnerabilities affecting a widely used TCP/IP stack were disclosed to the public on Wednesday. Codenamed “INFRA:HALT”, the flaws put at risk millions of operational technology (OT) devices in industries such as water treatment, infrastructure, power generation and manufacturing.


The affected stack is NicheStack (also known as the InterNiche stack), a closed-source TCP/IP stack designed to give industrial equipment network and internet connectivity. NicheStack is embedded in systems and products from prominent industrial automation vendors, including Schneider Electric, Siemens, Mitsubishi Electric, Rockwell Automation and Emerson.

According to the published advisory, the INFRA:HALT vulnerabilities, if exploited, allow an attacker to execute arbitrary code on the device, steal data, and carry out denial-of-service, TCP spoofing and DNS cache poisoning attacks.

Researchers from Forescout and JFrog stated in a joint report that attackers who abuse the listed vulnerabilities might damage a building’s HVAC system or take over the controllers used in manufacturing and other critical infrastructure. A successful attack may cause loss of network access and loss of control over the affected system or OT device; a hijacked device can also be used to spread malware to the other hosts it communicates with on the network, in what is known as a network-borne infection.

As of March 2021, around 6,400 operational technology devices were exposed online and vulnerable to INFRA:HALT, most of them located in Canada, the U.S., Spain, Sweden and Italy. According to the report, versions of NicheStack older than 4.3, the latest release, are at risk of exploitation.

Here is a list of the 14 INFRA:HALT flaws:  

  • CVE-2020-25928 (CVSS score: 9.8)
  • CVE-2021-31226 (CVSS score: 9.1)
  • CVE-2020-25927 (CVSS score: 8.2)
  • CVE-2020-25767 (CVSS score: 7.5)
  • CVE-2021-31227 (CVSS score: 7.5)
  • CVE-2021-31400 (CVSS score: 7.5)
  • CVE-2021-31401 (CVSS score: 7.5)
  • CVE-2020-35683 (CVSS score: 7.5)
  • CVE-2020-35684 (CVSS score: 7.5)
  • CVE-2020-35685 (CVSS score: 7.5)
  • CVE-2021-27565 (CVSS score: 7.5)
  • CVE-2021-36762 (CVSS score: 7.5)
  • CVE-2020-25926 (CVSS score: 4.0)
  • CVE-2021-31228 (CVSS score: 4.0)

HCC Embedded has released a software patch that addresses the flaws. Complete protection against INFRA:HALT requires prompt patching of the susceptible equipment. However, the researchers caution that this will be difficult because of the long supply chain through which the stack reaches end devices and because of the criticality of the vulnerable operational technology devices, which cannot easily be taken offline for updates.

As an additional mitigation, an open-source script that detects devices running NicheStack through active fingerprinting is available. Network segmentation and network traffic monitoring are also strongly recommended to limit exposure to network-based attacks. Firewalls and traffic inspection that block or flag malformed packets further reduce the risk posed by devices that cannot be patched yet.
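One concrete check that network traffic monitoring can run against a NicheStack device follows, as an added example: it is not code from the Forescout/JFrog report, from HCC Embedded, or from the fingerprinting script mentioned above. DNS cache poisoning of a client is practical when its DNS transaction IDs or UDP source ports are predictable (fixed, or a simple counter), so the script parses the transaction ID out of each observed query, pairs it with the source port, and flags fields that repeat or advance in constant steps. The two devices, their queries and the `ntp.example.org` name are constructed for the example; the thresholds (`max_run`, half of the samples distinct) are assumptions chosen for a short capture, not values from the advisory.

```python
"""Flag predictable DNS transaction IDs and source ports in a device's queries.

Added example for the INFRA:HALT article; the observations below are
constructed, not captured from a real NicheStack device.
"""
import struct
from typing import Dict, List, Sequence, Tuple

# One observed query: (UDP source port, raw DNS message bytes).
Observation = Tuple[int, bytes]


def build_dns_query(txid: int, name: str) -> bytes:
    """Minimal DNS A query (RFC 1035): 12-byte header, QNAME, QTYPE=A, QCLASS=IN.
    Used only to construct sample traffic for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def dns_txid(msg: bytes) -> int:
    """The transaction ID is the first big-endian 16-bit field of the header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", msg[:2])[0]


def longest_constant_step_run(values: Sequence[int]) -> int:
    """Length of the longest run of samples whose successive differences are equal.
    A fixed value is a run with step 0; a counter is a run with step 1."""
    if len(values) < 2:
        return len(values)
    best = run = 2
    step = values[1] - values[0]
    for prev, cur in zip(values[1:], values[2:]):
        if cur - prev == step:
            run += 1
        else:
            step = cur - prev
            run = 2
        best = max(best, run)
    return best


def analyze_field(values: Sequence[int], max_run: int = 4) -> Dict[str, object]:
    """Heuristic verdict for one 16-bit field. Assumed thresholds: a constant-step
    run of max_run samples, or fewer than half the samples distinct, is predictable."""
    distinct = len(set(values))
    run = longest_constant_step_run(values)
    return {
        "samples": len(values),
        "distinct": distinct,
        "longest_constant_step_run": run,
        "predictable": run >= max_run or distinct * 2 <= len(values),
    }


def assess_dns_client(observations: List[Observation]) -> Dict[str, object]:
    """Assess a device's DNS queries; 'weak' means either field is predictable,
    which is what makes off-path cache poisoning feasible."""
    ports = [port for port, _ in observations]
    txids = [dns_txid(msg) for _, msg in observations]
    txid_report = analyze_field(txids)
    port_report = analyze_field(ports)
    return {
        "txid": txid_report,
        "src_port": port_report,
        "weak": bool(txid_report["predictable"] or port_report["predictable"]),
    }


# Constructed sample 1: counter-style IDs and a fixed source port.
WEAK_DEVICE: List[Observation] = [
    (1024, build_dns_query(0x0100 + i, "ntp.example.org")) for i in range(12)
]

# Constructed sample 2: hard-coded values chosen to look like random draws.
RANDOM_TXIDS = [0x3F2A, 0x91C4, 0x0A77, 0xE5D1, 0x58B3, 0xC20E,
                0x7D96, 0x1B4F, 0xA6E8, 0x4C31, 0xF07A, 0x2D5C]
RANDOM_PORTS = [49213, 53877, 60012, 50447, 58390, 62175,
                51024, 55661, 49902, 57318, 63245, 52790]
HARDENED_DEVICE: List[Observation] = [
    (port, build_dns_query(txid, "ntp.example.org"))
    for port, txid in zip(RANDOM_PORTS, RANDOM_TXIDS)
]


if __name__ == "__main__":
    for label, obs in (("weak device", WEAK_DEVICE), ("hardened device", HARDENED_DEVICE)):
        report = assess_dns_client(obs)
        print(f"{label}: weak={report['weak']} txid={report['txid']} "
              f"src_port={report['src_port']}")
```

In a real deployment the observations would come from a capture of UDP/53 traffic leaving the OT segment; the check needs only the source port and the first two bytes of each query, so it works on truncated captures as well. A device that fails it is a candidate for forcing its DNS traffic through an internal resolver and for the segmentation and filtering recommended above.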


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her focus on simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
