INFRA:HALT – New NicheStack Vulnerabilities Affecting Critical OT Devices

By Anthony Eich on December 18, 2021

(By: Anthony Eich on October 21, 2021)

Executive Summary

NicheStack is a proprietary Internet Protocol version 4 (IPv4) network layer that is used in embedded operating systems in industrial control devices (ICS) [7]. It allows for communication over the internet to control devices that are part of larger industrial systems, such as a heating, ventilation, and air conditioning (HVAC) system. INFRA:HALT is set of vulnerabilities that specifically affect devices that use the NicheStack network layer. There are more than 40 of these exploits currently published by the MITRE Corporation on their cve.mitre.org website [3]. Attackers that are knowledgeable of these vulnerabilities and also have access to the network that any of these devices are operating on, can use this knowledge to execute code remotely that can cause system failures leading to damages with financial implications. Researchers at Forescout Research Labs have been working to find these vulnerabilities and make system owners aware so that patches can be performed, and other security steps can be taken to mitigate the risks that have been identified [2].

Background

INFRA:HALT is the name given to a group of security vulnerabilities that affect the NicheStack Transmission Control Protocol/Internet Protocol (TCP/IP) stack typically used by industrial control system (ICS) vendors. The stack is usually embedded on real time operating systems (RTOP) to allow for access and control of the devices via the Internet. Forescout Research Labs in partnership with JFrog Security Research have recently reports on 14 severe vulnerabilities [2]. The group of bugs can be exploited to allow attacks such as remote code execution (RCE), denial of service (DoS), TCP spoofing, and domain name server (DNS) poisoning. While most of these vulnerabilities are critical and can be used to cause major disruptions, two of the critical vulnerability exploits (CVE) are especially dangerous with Common Vulnerability Scoring System (CVSS) scores of 9.8 respectively [4][5].

Impact

Of the fourteen vulnerabilities published in this most recent release, the two that may have the most significant impact are CVE-2020-25928 and CVE-2021-31226. The first, CVE-2020-25928 with a CVSS of 9.8, can be used to remotely shut down a system or a specific mechanism in a larger device through code injection. The Forescout researchers demonstrated how to exploit this vulnerability using a Kali Linux operating system as the means of deployment in a video uploaded to YouTube which can be viewed here:

 

In the video, a forged DNS response packet is sent to the vulnerable device. The packet includes a shellcode that when executed, sends malicious code to the programmable logic controller (PLC) causing the component to shut down; in this case, a fan that represents a vital component of an air conditioning system for a datacenter. In order to bring the system back online, a physical reset of the switch was required.

The second most destructive vulnerability found, CVE-2021-31226 also with a CVSS score of 9.8, is a heap buffer overflow. Heap buffer overflows are similar to the more commonly known stack buffer overflows but differ in that the heap memory is allocated dynamically at runtime.  When data is written to the heap that exceeds the memory allocation, it can cause various errors that can allow exploits such as code injection. This particular INFRA:HALT vulnerability can be exploited by crafting a hyper-text transfer protocol (HTTP) POST request that causes the overflow. The reason that this is exploitable is because there is no data size validation in the code, so the POST request can be crafted to be of a size that is sufficient to cause the buffer overflow [6].

Significance

With these latest exploits in the wild, any industrial systems that are currently employing these devices are vulnerable to attack. That means that a cyber attacker can cause major damages by exploiting these bugs. In order to mitigate the likelihood of such an event, the Center for Internet Security has released the following recommendations [1]:

  • Run all software as a nonprivileged user with minimal access rights. To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
  • Do not accept or execute files from untrusted or unknown sources.
  • To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.
  • Implement multiple redundant layers of security. Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.

NicheStack is used in products produced by over 200 Industrial Control Systems vendors worldwide [8]. With such a widely used protocol, with a highly susceptible exploitation footprint, it is imperative that owners deploy these methodologies as soon as possible to prevent losses.

References

[1] CIS. (2021, 8 8). Multiple Vulnerabilities in NicheStack Could Allow for Remote Code Execution. Retrieved from cisecurity.org: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-nichestack-could-allow-for-remote-code-execution/

[2] Ilascu, I. (2021, 8 4). INFRA:HALT security bugs impact critical industrial control devices. Retrieved 10 7, 2021, from bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/infra-halt-security-bugs-impact-critical-industrial-control-devices/

[3] Kovacs, E. (2021, 9 15). ICS Patch Tuesday: Siemens, Schneider Electric Address Over 40 Vulnerabilities. Retrieved 10 7, 2021, from SecurityWeek: https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-over-40-vulnerabilities

[4] NVD. (2021, 8 26). CVE-2020-25928 Detail. Retrieved 10 7, 2021, from NATIONAL VULNERABILITY DATABASE: https://nvd.nist.gov/vuln/detail/CVE-2020-25928

[5] NVD. (2021, 8 25). CVE-2021-31226 Detail. Retrieved 10 7, 2021, from NATIONAL VULNERABILITY DATABASE: https://nvd.nist.gov/vuln/detail/CVE-2021-31226

[6] ViperEye. (2013, 6 26). Heap overflow: Vulnerability and heap internals explained. Retrieved 10 7, 2021, from infosecinstitute.com: https://resources.infosecinstitute.com/topic/heap-overflow-vulnerability-and-heap-internals-explained/

[7] Wikipedia. (n.d.). NicheStack TCP/IPv4. Retrieved 10 7, 2021, from Wikipedia: https://en.wikipedia.org/wiki/NicheStack_TCP/IPv4

[8] Zorz, Z. (2021, 8 4). Vulnerable TCP/IP stack is used by almost 200 device vendors. Retrieved 10 7, 2021, from helpnetsecurity.com: https://www.helpnetsecurity.com/2021/08/04/vulnerabilities-nichestack/