INFRA:HALT, a set of 14 new vulnerabilities affecting the HCC-owned, closed source TCP/IP stack NicheStack, was disclosed on Wednesday by JFrog’s security research team (formerly Vdoo), together with Forescout Research Labs. NicheStack was originally developed by InterNiche Technologies and adopted across critical infrastructure sectors, including manufacturing plants, power generation/ transmission/ distribution systems, and water treatment units.
Critical infrastructure includes those systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those.
The vulnerabilities affect programmable logic controllers (PLCs) and other controllers made by over 200 device vendors, including industrial automation companies such as Siemens, Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation, and Schneider Electric, JFrog said in a blog post. The security flaws identified can enable remote code execution, denial of service, TCP spoofing, information leak, and DNS cache poisoning.
INFRA:HALT is the result of a combined effort by Forescout Research Labs and JFrog Security Research. Forescout Research Labs brought to the table the body of knowledge acquired while executing on Project Memoria, while JFrog Security Research provided its platform for automated binary analysis and extensive experience in embedded software security gained from the recent acquisition of Vdoo by JFrog.
INFRA:HALT confirms findings of the earlier study of similar vulnerabilities appearing in different implementations, both open and closed source. In fact, INFRA:HALT includes examples of memory corruption like in AMNESIA:33, weak ISN generation like in NUMBER:JACK, and DNS vulnerabilities like in NAME:WRECK. INFRA:HALT extends the community’s understanding of vulnerability patterns and issues related to IoT/OT software supply chains.
The Project Memoria initiative was launched by Forescout Research Labs in 2020 with the mission of providing the cybersecurity community with extensive information to date of TCP/IP stacks security. Under Project Memoria, Forescout researchers collaborate with industry peers, universities and research institutes to analyze common mistakes associated with vulnerabilities in TCP/IP stacks, identify the threats they pose to the extended enterprise, and determine best practices to mitigate the risk.
JFrog and Forescout chose to investigate NicheStack because of its known uses in the OT (operational technology) and critical infrastructure space, apart from the lack of previous public security research done on the stack. Out of the 14 vulnerabilities found, two security flaws have a ‘critical level’ CVSSv3.1 score, while the remaining ones have a ‘medium or high level’ rating.
As part of the INFRA:HALT research, JFrog and Forescout had access to two versions of NicheStack source code of v3 (publicly available via a website exposing the source files for an embedded project), and a binary version of v4.0.1 (publicly available via the legacy InterNiche website). In those versions, the researchers analyzed various stack components, including IPv4, TCP, UDP, HTTP, DHCPv4 Client and Server and DNSv4 Client.
The analysis was done by combining manual and automatic procedures, with the source code version being manually analyzed and fuzzed with libFuzzer, while the binary version was manually and automatically analyzed by JFrog Security Research, leveraging both static and dynamic proprietary techniques.
Complete protection against INFRA:HALT requires patching devices running the vulnerable versions of NicheStack. HCC Embedded has released its official patches and device vendors using this software should provide their own updates to customers.
Given that patching OT devices is notoriously difficult because of their mission-critical nature, JFrog and Forescout advised users to first discover and carry out an inventory of devices running NicheStack. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running NicheStack. The script is updated constantly with new signatures to follow the latest development of the research.
Organizations can also enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. They should also restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched. Users also can monitor progressive patches released by affected device vendors and devise a remediation plan for vulnerable asset inventory, balancing business risk and business continuity requirements.
Users have also been advised to monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-days. Anomalous and malformed traffic should be blocked, or at least alert its presence to network operators.
As with every supply chain vulnerability, identifying all impacted devices might require months or even years, leaving vulnerable assets exposed for a long time.
In the case of AMNESIA:33 vulnerabilities, publicly disclosed in December 2020, updates regarding affected devices were published in May this year, five months after the initial publication, and eight months after the initial notification to vendors. This is because identifying product lines that might include a vulnerable component, verifying if any product in the line is affected and providing a fix are lengthy, manual and difficult processes.
To facilitate this process, Forescout and JFrog shared the details of their findings about potentially affected vendors with CERT/CC, ICSCERT and BSI, which coordinated the disclosure with these vendors. The Forescout Device Cloud was used to identify devices that show some evidence of the presence of a vulnerable component.