INFRA: HALT: New weak points discovered in the TCP / IP stack of industrial devices

A research team from Forescout, which has been searching TCP / IP stacks for devices from the Internet of Things (IoT) and Operational Technology (OT) areas for security problems for a long time, has published a new collection of vulnerabilities in collaboration with JFrog. INFRA: HALT includes 14 vulnerabilities in the NicheStack, a TCP / IP stack that, according to the researchers, is used in millions of programmable logic controllers (PLCs) – for example “in production plants, in power generation, transmission and distribution, in water treatment and in other critical infrastructure areas “.

Among other things, Siemens uses NicheStack, also known as InterNiche, in its S7-PLC series. An overview of other well-known device manufacturers who use or have used NicheStack can be found on the former InterNiche website (here in a snapshot from October 2020) – Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation and Schneider Electric are named there.

Two of the INFRA: HALT vulnerabilities were rated with CVSS scores 9.8 and 9.1 out of a possible 10 and thus classified as critical. These are CVE-2020-25928 in the DNSv4 client and CVE-2021-31226 in the HTTP server component of the stack. Both could be misused due to faulty checking mechanisms when parsing received data packets in order to execute remote code execution on vulnerable devices using specially prepared traffic code (remote code execution) and, in the worst case, to take it over completely.

Many of the other vulnerabilities – ten of them with a “high” rating and two with a “medium” rating – are based on errors in parsing and processing incoming data. Possible consequences of successful attacks can be denial-of-service states, unauthorized access to information, TCP spoofing, i.e. the establishment of connections with a falsified sender address, and DNS cache poisoning for the targeted redirection of data traffic.

In practice, the actual vulnerability depends heavily on the individual network and device configuration as well as the isolation of the OT systems from the rest of the infrastructure and especially the Internet. One Searching for “InterNiche Technologies Webserver” with the IoT search engine Shodan currently returns over 6800 results back – servers that run NicheStack and that can be accessed via the Internet.

Further details on the vulnerabilities including a sample attack scenario are available in a detailed report on INFRA: HALT refer to. A Blog entry about INFRA: HALT by JFrog clearly lists the vulnerabilities and links them to the security advisories of HCC Embedded, the company that NicheStack has been (further) developing since 2016.

HCC Embedded has the weak points in NicheStack Version 4.3 eliminated; According to the researchers, all previous versions including NicheLite were vulnerable. It is now the responsibility of the device manufacturers who use the stack to incorporate the available patches into device-specific updates. Operators of potentially affected devices can use the CVE IDs for INFRA: HALT to look out or request updates.

Since the subsequent update process within critical infrastructures is not always possible in a timely manner, Forescout and JFrog also provide recommendations for action to minimize risks in their publications. Among other things, a special one helps Open source script from Forescoutto find vulnerable devices on the network. The script, which was developed as part of the “Memoria” research project, also includes the detection of earlier collections of forescout vulnerabilities such as Amnesia: 33 and most recently NUMBER: JACK.

JFrog’s table summarizes CVE IDs, affected components and recommended actions.

(Image: JFrog /


To home page