Researchers have discovered 14 flaws in a commonly used TCP/IP stack that affect millions of industrial Operational Technology (OT) devices. The flaws impact devices manufactured by over 200 vendors and deployed in manufacturing plants and critical infrastructure sectors in Europe and North America.
Codenamed “INFRA:HALT,” the bugs allow an attacker to execute arbitrary code on a vulnerable server. They could also enable an attacker to expose sensitive information or carry out other dangerous activities such as DoS, TCP spoofing, and even DNS cache poisoning.
The bugs are found in NicheStack (also known as the InterNiche stack), a closed-source TCP/IP stack that simplifies the management of internet connectivity in embedded systems. It is used by major industrial automation companies such as Schneider Electric, Siemens, and Honeywell in their programmable logic controllers (PLCs).
“Attackers could disrupt a building’s HVAC system or take over the controllers used in manufacturing and other critical infrastructure,” researchers from JFrog and Forescout said in a joint report.
“Successful attacks can result in taking OT and ICS devices offline and having their logic hijacked. Hijacked devices can spread malware to where they communicate on the network.”
Versions of NicheStack before 4.3 are vulnerable to INFRA:HALT, which could expose over 6,400 OT devices currently connected to the Internet.
The latest disclosure marks the sixth time that critical issues have been found in protocol stacks, following URGENT/11, Ripple20, AMNESIA:33, NUMBER:JACK, and NAME:WRECK. It is also the fourth set of bugs discovered as part of Project Memoria, a large-scale study of the security of various popular TCP/IP stacks.
While HCC Embedded, the responsible maintainer, has released patches to address the issues, it may take a while for device manufacturers to ship updated firmware to their customers.
“Complete protection against INFRA:HALT requires patching vulnerable devices but is challenging due to supply chain logistics and the critical nature of OT devices,” the researchers noted.
In addition, the security company Forescout offers a script that uses active fingerprinting to detect devices running NicheStack, so that affected assets can be identified before vendor firmware updates arrive. Experts also recommend enforcing network segmentation controls to prevent exploitation, limiting which networks can reach vulnerable devices in the meantime.