At a time when cybersecurity attacks are swiftly increasing in volume, velocity, complexity, and potential impact, organizations managing critical operational technology (OT) – those which run massive energy grids, fuel lines, supply chains, transportation systems, factories, hospitals, and telecommunications networks – have emerged as a primary target. In fact, nine out of ten organizations reported in 2020 that they experienced an OT system intrusion within the past year, up from one out of five in 2019. In recent research, teams from Forescout Research Labs and JFrog Security Research found a set of 14 new vulnerabilities – which they’re collectively calling INFRA:HALT – impacting the NicheStack TCP/IP stack. These vulnerabilities could lead to heightened risks to technology managing critical infrastructure.
Hackers can exploit them to achieve remote code execution, denial of service, information leaks, TCP spoofing, and DNS cache poisoning. Of the 14 flaws, two are rated as "critical," and ten are rated as "high" for severity using the Common Vulnerability Scoring System (CVSS).
After querying an internal database of connected device data, we found more than 2,500 instances of devices running NicheStack from 21 vendors. Nearly one-half of the vulnerable devices are linked to energy and power industrial control systems (ICS), with one-quarter linked to voice over internet protocol (VoIP) providers and about one-fifth to networking operations.
NicheStack is a proprietary TCP/IP stack originally developed by InterNiche Technologies and acquired by HCC Embedded in 2016. TCP/IP stacks allow vendors to implement network communications for IP-connected systems, including OT. Forescout and JFrog have notified HCC Embedded of the vulnerabilities they found. They have also been in contact with a number of vendors and agencies – including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) – to address the issues.
This latest research is part of a continuing initiative, Project Memoria, through which we collaborate with industry peers, universities, and research institutes to analyze common mistakes associated with vulnerabilities in TCP/IP stacks, identify the threats they pose to the extended enterprise, and determine best practices to mitigate the risk.
Given the possibly devastating consequences of an attack due to the vulnerabilities – consequences which could impact members of the public along with the targeted enterprise victims – we are recommending that network administrators at potentially affected organizations do the following to protect themselves:
- Identify devices running NicheStack. Forescout Research Labs released an open-source script that uses active fingerprinting to detect devices running NicheStack. The script is updated constantly with new signatures to follow the latest developments of our research.
- Patch devices running vulnerable versions of NicheStack. HCC Embedded has made its official patches available upon request. Device vendors using this software should provide their own updates to customers.
- Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Administrators should restrict external communication paths and contain vulnerable devices until they are successfully patched.
- Monitor the patches that affected device vendors release over time and devise a remediation plan for vulnerable asset inventories, balancing business risk against business continuity requirements. We are tracking vendor responses and patches on GitHub.
- Monitor all network traffic for malicious packets which try to exploit known vulnerabilities or possible zero days. Block anomalous and malformed traffic, or at least alert network operators to its presence.
Since the disclosure of INFRA:HALT on August 4th, we have seen security advisories from five major OT vendors that are affected: Phoenix Contact, Pilz, Rockwell Automation, Schneider Electric, and Siemens. We are certain there are more vendors with vulnerable products that either need time to investigate or are reluctant to publicly state they are affected – as in the recent QNX/BadAlloc case. This highlights how important it is for network administrators to not just passively wait for device vendors to post their security advisories. Instead, those administrators should proactively search their network for signs of the vulnerable stack – again, we recommend running the open-source fingerprinting script – and contact vendors to understand what they have to say about these vulnerabilities.
We also recommend network administrators and security teams work very closely in maintaining a complete asset inventory of the networks they are responsible for. This asset inventory should include not only device models and IP addresses but also versions of software they are running, VLANs they are connected to, user information, hardware information, and other data points.
Asset inventories can be built and maintained automatically with network visibility tools, and they are a great way to strengthen the relationship between network and security teams since they are useful to both. For instance, they help in understanding the potential impact of network architecture changes and new policies, and in identifying which devices are affected by newly disclosed vulnerabilities.
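The recommendations above (identify devices running the stack, patch, contain what cannot yet be patched, and contact vendors) and the asset-inventory paragraph both come down to one operation: cross-referencing an inventory that records software versions and VLANs against a newly disclosed advisory. The following Python script is an added illustration of that workflow and is not code from Forescout, JFrog or the INFRA:HALT research. The device records, vendor names and the `fixed_in` version boundary are all constructed placeholders; no real affected or fixed NicheStack version numbers appear here.

```python
"""Cross-reference an asset inventory against a TCP/IP stack advisory.

Added example. All device records, vendor names and the advisory's
version boundary are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    model: str
    vendor: str
    ip: str
    vlan: str                  # VLAN the device is connected to
    software: Dict[str, str]   # component name -> version string ({} = unknown)
    externally_reachable: bool  # per segmentation policy: has a path outside the segment


@dataclass(frozen=True)
class Advisory:
    name: str
    component: str   # affected stack, e.g. "NicheStack"
    fixed_in: str    # first version containing the fix (placeholder value below)


def version_key(version: str) -> tuple:
    """Compare versions numerically ("4.10" > "4.9"), ignoring non-numeric suffixes."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(device: Device, advisory: Advisory) -> bool:
    """Affected if the device runs the component at a version older than the fix."""
    version = device.software.get(advisory.component)
    if version is None:
        return False
    return version_key(version) < version_key(advisory.fixed_in)


def affected_devices(inventory: List[Device], advisory: Advisory) -> List[Device]:
    return [d for d in inventory if is_vulnerable(d, advisory)]


def needs_fingerprinting(inventory: List[Device]) -> List[str]:
    """Devices whose stack is unknown: candidates for active fingerprinting."""
    return [d.ip for d in inventory if not d.software]


def affected_vendors(inventory: List[Device], advisory: Advisory) -> List[str]:
    """Vendors to contact for product-specific patches."""
    return sorted({d.vendor for d in affected_devices(inventory, advisory)})


def remediation_plan(inventory: List[Device], advisory: Advisory) -> Dict[str, List[str]]:
    """Contain externally reachable vulnerable devices first; patch the rest on schedule."""
    plan: Dict[str, List[str]] = {"contain_now": [], "patch_on_schedule": []}
    for d in affected_devices(inventory, advisory):
        bucket = "contain_now" if d.externally_reachable else "patch_on_schedule"
        plan[bucket].append(d.ip)
    return plan


# Constructed inventory; vendors and versions are placeholders.
INVENTORY = [
    Device("plc-01", "Vendor-A", "10.0.1.10", "ot-energy", {"NicheStack": "4.0"}, False),
    Device("voip-gw-1", "Vendor-B", "10.0.2.5", "voip", {"NicheStack": "4.3"}, True),
    Device("switch-7", "Vendor-A", "10.0.3.1", "mgmt", {"NicheStack": "9.9"}, False),
    Device("hmi-2", "Vendor-C", "10.0.1.20", "ot-energy", {"OtherStack": "1.0"}, True),
    Device("sensor-9", "Vendor-C", "10.0.1.30", "ot-energy", {}, False),
]

# Placeholder boundary: "9.9" is NOT a real fixed NicheStack version.
ADVISORY = Advisory(name="INFRA:HALT", component="NicheStack", fixed_in="9.9")

if __name__ == "__main__":
    print("affected:", [d.model for d in affected_devices(INVENTORY, ADVISORY)])
    print("fingerprint:", needs_fingerprinting(INVENTORY))
    print("vendors to contact:", affected_vendors(INVENTORY, ADVISORY))
    print("plan:", remediation_plan(INVENTORY, ADVISORY))
```

Devices with an empty `software` record are surfaced separately so that the fingerprinting step is aimed at exactly the assets the inventory cannot already answer for, and the plan splits affected devices by external reachability because that is the attribute segmentation controls can change before a vendor patch arrives.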
Considerable effort has been devoted to calling attention to and addressing these vulnerabilities because the stakes are high. There are foreboding worst-case scenarios that could play out should cyber criminals exploit them to compromise OT systems: hospitals may not be able to care for patients, including Covid victims, and the lights could go out for entire cities.
That’s why our recommendations are more than “best practices” – they’re essential practices. We will continue to monitor and respond to INFRA:HALT and other TCP/IP stack issues in a proactive, transparent manner, in the interest of industries of all kinds and the public at large.
Daniel dos Santos is Research Manager at Forescout Technologies.