INFRA:HALT flaws affect OT devices from hundreds of vendors

Today, security researchers from Forescout and JFrog announced 14 vulnerabilities, collectively referred to as INFRA:HALT, in NicheStack, a popular TCP/IP library used in industrial equipment and Operational Technology (OT) devices manufactured by over 200 vendors.



NicheStack (also known as InterNiche stack) is a proprietary TCP/IP stack developed by InterNiche Technologies and acquired by HCC Embedded in 2016.


Several devices in the Operational Technology (OT) and critical infrastructure space, including the popular Siemens S7 range of PLCs, use NicheStack.


“The new vulnerabilities allow for Remote Code Execution, Denial of Service, Information Leak, TCP Spoofing, or DNS Cache Poisoning,” states the report. “Forescout Research Labs and JFrog Security Research exploited two of the Remote Code Execution vulnerabilities in their lab and show the potential effects of a successful attack.”


A threat actor with access to an organization’s OT network could take advantage of the weakness.


The following is a list of vulnerabilities found by the experts:






“INFRA:HALT confirms earlier findings of Project Memoria, namely similar vulnerabilities appearing in different implementations, both open and closed source. In fact, INFRA:HALT includes examples of memory corruption like in AMNESIA:33, weak ISN generation like in NUMBER:JACK and DNS vulnerabilities like in NAME:WRECK,” continues the report.


The experts also provided an estimate of the INFRA:HALT vulnerabilities’ impact, which was based on the following sources:

InterNiche’s primary customers, which total over 200 device suppliers, are listed on a legacy website.

Shodan. In March, Shodan queries showed roughly 6,400 OT devices connected to the internet. “Experts discovered almost 6,400 instances of devices running NicheStack (using the simple keyword “InterNiche”),” according to the report. “The vast majority of the devices (6360) run an HTTP server (search for “InterNiche Technologies Webserver”), while the rest ran largely FTP (“Welcome to InterNiche embFtp server”), SSH (“SSH2.0-InternicheSSHServer (c)InterNiche”), or Telnet (“Welcome to InterNiche Telnet Server”) servers.”

Forescout Device Cloud. Forescout Device Cloud is a database that contains data from more than 13 million devices that are monitored by Forescout appliances. Experts discovered over 2,500 device instances from 21 different vendors.
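As an added example (not code from the report, Forescout or JFrog), the banner strings quoted above can be matched against service banners already recorded in an organization's own asset inventory to list hosts that appear to run NicheStack. The CSV layout, function names and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Banner strings quoted in the report excerpt above, most specific first.
# The bare keyword is the fallback for NicheStack services with other banners.
MARKERS = [
    ("http", "internichetechnologieswebserver"),
    ("ftp", "welcometointernicheembftpserver"),
    ("ssh", "internichesshserver"),
    ("telnet", "welcometointernichetelnetserver"),
    ("unknown", "interniche"),
]

def normalize(banner):
    """Lower-case and drop whitespace so spacing/case variants still match."""
    return "".join(banner.lower().split())

def classify(banner):
    """Return the service label for a NicheStack banner, or None if no match."""
    flat = normalize(banner)
    for label, marker in MARKERS:
        if marker in flat:
            return label
    return None

def triage(inventory_csv):
    """Map host -> sorted list of (port, service) for NicheStack banners."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        label = classify(row.get("banner") or "")
        if label:
            hits[row["host"]].add((int(row["port"]), label))
    return {host: sorted(found) for host, found in hits.items()}

# Constructed sample inventory (documentation-range addresses, invented rows).
SAMPLE = '''host,port,banner
192.0.2.10,80,"Server: InterNiche Technologies WebServer"
192.0.2.10,21,"220 Welcome to InterNiche embFtp server"
192.0.2.11,22,"SSH-2.0-OpenSSH_8.4"
192.0.2.12,23,"Welcome to  InterNiche Telnet Server"
192.0.2.13,8080,"interniche, custom build"
'''

if __name__ == "__main__":
    for host, services in triage(SAMPLE).items():
        print(host, services)
```

A match only indicates that a NicheStack service is present; whether the device firmware already includes the fixes has to be confirmed separately.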


HCC Embedded has provided firmware fixes that address the INFRA:HALT vulnerabilities.


The researchers also released Forescout’s Project Amnesia scanner, which allows businesses to check whether the devices they use are vulnerable to these flaws.


