14 Security Vulnerabilities in the NicheStack TCP/IP Stack

Forescout Research Labs and JFrog security researchers disclosed 14 vulnerabilities in the NicheStack TCP/IP stack, collectively named INFRA:HALT. Attackers can exploit them to achieve remote code execution, denial of service (DoS), information disclosure, TCP spoofing, and DNS cache poisoning.

NicheStack is a TCP/IP stack embedded in many OT devices deployed in critical infrastructure, so a large share of OT device vendors are affected by these vulnerabilities.

INFRA:HALT Vulnerabilities

The 14 vulnerabilities include remote code execution, DoS, information disclosure, and TCP spoofing issues in the DNSv4, HTTP, TCP, ICMP, and TFTP modules; two of them have a CVSS score above 9.

CVE-2020-25928

When parsing a DNS response, the DNS client does not check the response data length field (RDLENGTH), which can lead to an out-of-bounds read/write and remote code execution. The vulnerability affects the DNSv4 module and has a CVSS score of 9.8.

CVE-2021-31226

A heap buffer overflow caused by missing size verification when parsing HTTP POST requests. It allows remote code execution, affects the HTTP module, and has a CVSS score of 9.1.

CVE-2020-25767

When parsing a DNS domain name, the code does not check whether a compression pointer points within the packet boundaries, which can lead to an out-of-bounds read and thus DoS or information disclosure. The vulnerability affects the DNSv4 module and has a CVSS score of 7.5.
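The two DNSv4 parsing issues above (CVE-2020-25928 and CVE-2020-25767) both come down to trusting a length or offset taken from the packet. The following C is an added example written for this page, not NicheStack code: a small RFC 1035 record parser that applies the two missing checks, exercised against a constructed 45-byte response. The function names, the sample bytes and the corruption variants are this example's own.

```c
/* Bounds-checked DNS answer parsing. Illustrative C written for this page, not
 * NicheStack source; offsets follow plain RFC 1035 wire format. It shows the two
 * checks whose absence the text describes: a compression pointer must land inside
 * the packet (CVE-2020-25767) and RDLENGTH must not exceed the bytes that remain
 * (CVE-2020-25928). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_JUMPS 32   /* hop limit: a pointer cycle would otherwise loop forever */

/* Decode the name at pkt[off] into out as dotted text. Returns the wire offset
 * just past the name (after the first pointer, if any), or -1 if malformed. */
static int dns_read_name(const uint8_t *pkt, size_t len, size_t off,
                         char *out, size_t outsz)
{
    size_t pos = off, outlen = 0, jumps = 0;
    int end = -1;

    for (;;) {
        if (pos >= len) return -1;                    /* length byte outside packet */
        uint8_t c = pkt[pos];
        if (c == 0) {                                  /* root label ends the name */
            if (end < 0) end = (int)(pos + 1);
            break;
        }
        if ((c & 0xC0) == 0xC0) {                      /* 11xxxxxx: compression pointer */
            if (pos + 1 >= len) return -1;             /* second pointer byte outside packet */
            size_t target = (size_t)(((c & 0x3F) << 8) | pkt[pos + 1]);
            if (target >= len) return -1;              /* the missing check: target past packet end */
            if (target >= pos) return -1;              /* backward pointers only; kills self-loops */
            if (++jumps > DNS_MAX_JUMPS) return -1;
            if (end < 0) end = (int)(pos + 2);
            pos = target;
            continue;
        }
        if (c > 63) return -1;                         /* 01/10 prefixes are reserved */
        if (pos + 1 + c > len) return -1;              /* label body outside packet */
        if (outlen + c + 2 > outsz) return -1;         /* room for '.', label and NUL */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + pos + 1, c);
        outlen += c;
        pos += 1 + c;
    }
    out[outlen] = '\0';
    return end;
}

/* Parse one resource record at off. Returns the next record's offset or -1. */
static int dns_read_rr(const uint8_t *pkt, size_t len, size_t off, char *name,
                       size_t namesz, uint16_t *type, uint16_t *rdlength,
                       const uint8_t **rdata)
{
    int p = dns_read_name(pkt, len, off, name, namesz);
    if (p < 0) return -1;
    size_t pos = (size_t)p;
    if (len - pos < 10) return -1;                     /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */
    *type     = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
    *rdlength = (uint16_t)((pkt[pos + 8] << 8) | pkt[pos + 9]);
    pos += 10;
    if (*rdlength > len - pos) return -1;              /* the missing check: RDLENGTH vs bytes left */
    *rdata = pkt + pos;                                /* aliases the packet buffer */
    return (int)(pos + *rdlength);
}

/* Constructed sample (not a capture): one question for example.com/A and one
 * answer whose owner name is a pointer back to the question name at offset 12. */
static const uint8_t DNS_SAMPLE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, /* header */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,              /* QNAME at 12 */
    0x00, 0x01, 0x00, 0x01,                                                 /* QTYPE A, QCLASS IN */
    0xC0, 0x0C,                                                             /* NAME at 29: pointer to 12 */
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x04,             /* A, IN, TTL 60, RDLENGTH 4 */
    192, 0, 2, 1                                                            /* RDATA: 192.0.2.1 */
};

/* Run the parser on the answer RR, optionally corrupting one byte first.
 * variant 0: intact; 1: pointer target beyond the packet; 2: RDLENGTH larger
 * than the bytes left; 3: pointer to itself. Returns RDLENGTH, or -1 if rejected. */
int parse_sample_answer(int variant, char *name, size_t namesz)
{
    uint8_t pkt[sizeof DNS_SAMPLE];
    memcpy(pkt, DNS_SAMPLE, sizeof pkt);
    if (variant == 1) pkt[30] = 0xFF;   /* target 0x00FF = 255 in a 45-byte packet */
    if (variant == 2) pkt[39] = 0x01;   /* RDLENGTH 0x0104 with only 4 bytes left */
    if (variant == 3) pkt[30] = 29;     /* the pointer at 29 points to 29 */
    uint16_t type, rdlength;
    const uint8_t *rdata;
    int next = dns_read_rr(pkt, sizeof pkt, 29, name, namesz, &type, &rdlength, &rdata);
    return next < 0 ? -1 : (int)rdlength;
}

int main(void)
{
    char name[256];
    printf("intact: RDLENGTH %d for %s\n", parse_sample_answer(0, name, sizeof name), name);
    printf("bad pointer %d, bad RDLENGTH %d, self-pointer %d\n",
           parse_sample_answer(1, name, sizeof name), parse_sample_answer(2, name, sizeof name),
           parse_sample_answer(3, name, sizeof name));
    return 0;
}
```

The hop limit and the backward-only rule are belt-and-braces: the `target >= len` check alone stops the out-of-bounds read the advisory describes, but a pointer that stays in bounds and points at itself would still hang the parser without one of the other two checks.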

CVE-2020-25927

When parsing a DNS response, the code does not check that the number of queries or responses declared in the DNS header matches the number actually present in the packet, which can lead to DoS. The vulnerability affects the DNSv4 module and has a CVSS score of 8.2.

CVE-2021-31227

A buffer overflow caused by an incorrect signed integer comparison when parsing HTTP POST requests, which can lead to DoS. It affects the HTTP module and has a CVSS score of 7.5.

CVE-2021-31400

The TCP out-of-band (urgent) data processing function calls a panic function when the pointer to the end of the urgent data points outside the TCP segment. If the trap invocation has been removed from the panic function, the result is an infinite loop and therefore DoS. The vulnerability affects the TCP module and has a CVSS score of 7.5.

CVE-2021-31401

The TCP header processing code does not sanitize the IP total length field (header + data). With a crafted IP packet whose total length is smaller than its header length, the subtraction that derives the IP payload length (total length minus header length) wraps around, producing a huge length value. The vulnerability affects the TCP module and has a CVSS score of 7.5.

CVE-2020-35683

The ICMP handling code relies on the IP payload size to compute the ICMP checksum, but does not validate that size. When the IP total length is set smaller than the IP header size, the derived payload size is wrong and the ICMP checksum routine can read out of bounds, causing DoS. The vulnerability affects the ICMP module and has a CVSS score of 7.5.

CVE-2020-35684

The TCP handling code relies on the IP payload size to compute the TCP payload length. When the IP total length is set smaller than the IP header size, the TCP payload length computation can read out of bounds, causing DoS. The vulnerability affects the TCP module and has a CVSS score of 7.5.
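CVE-2021-31401, CVE-2020-35683 and CVE-2020-35684 share one root cause: the IP payload length is derived as total length minus header length without first checking that the total length is at least the header length and no larger than the frame actually received. The following C is an added example written for this page, not NicheStack code; it puts the unchecked subtraction beside a validated version and feeds the validated length to an ICMP checksum routine. The function names and the 32-byte sample packet are this example's own.

```c
/* IP payload length derivation before TCP/ICMP code trusts it. Illustrative C
 * written for this page, not NicheStack source. The unchecked routine has the
 * shape the text describes for CVE-2021-31401, CVE-2020-35683 and
 * CVE-2020-35684: total length minus header length with no sanity check, so a
 * total length below the header length wraps to a huge value. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Vulnerable shape: blind unsigned subtraction. */
uint16_t payload_len_unchecked(const uint8_t *pkt)
{
    uint16_t tot_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    uint16_t hdr_len = (uint16_t)((pkt[0] & 0x0F) * 4);
    return (uint16_t)(tot_len - hdr_len);            /* 10 - 20 wraps to 65526 */
}

/* Hardened shape: returns the payload length, or -1 if the header is inconsistent.
 * frame_len is the byte count the driver actually delivered. */
int payload_len_checked(const uint8_t *pkt, size_t frame_len)
{
    if (frame_len < 20) return -1;                   /* fixed header not even present */
    if ((pkt[0] >> 4) != 4) return -1;               /* not IPv4 */
    size_t hdr_len = (size_t)(pkt[0] & 0x0F) * 4;
    if (hdr_len < 20) return -1;                     /* IHL below the legal minimum */
    size_t tot_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (tot_len < hdr_len) return -1;                /* the case the three CVEs describe */
    if (tot_len > frame_len) return -1;              /* claims more bytes than were received */
    return (int)(tot_len - hdr_len);
}

/* RFC 1071 one's-complement checksum. Safe only because len came from
 * payload_len_checked(); with the wrapped value it would read far past the buffer. */
static uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, data += 2)
        sum += (uint32_t)((data[0] << 8) | data[1]);
    if (len) sum += (uint32_t)(data[0] << 8);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Verify the ICMP message carried in an IPv4 packet.
 * Returns 1 if the checksum is good, 0 if bad, -1 if the lengths are inconsistent. */
int icmp_verify(const uint8_t *pkt, size_t frame_len)
{
    int plen = payload_len_checked(pkt, frame_len);
    if (plen < 8) return -1;                         /* ICMP header alone is 8 bytes */
    size_t hdr_len = (size_t)(pkt[0] & 0x0F) * 4;
    return inet_checksum(pkt + hdr_len, (size_t)plen) == 0;
}

/* Constructed sample (not a capture): 20-byte IPv4 header, total length 32,
 * ICMP echo request with id 0x1234, seq 1 and payload "abcd". The IP header
 * checksum is left zero because nothing here verifies it. */
static const uint8_t IP_SAMPLE[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1, 192, 0, 2, 2,
    0x08, 0x00, 0x21, 0x04, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'd'
};

/* Copy the sample, overwrite its total-length field, run one of the two routines.
 * checked == 0 returns the raw unchecked result so the wraparound is visible. */
int sample_with_total_length(uint16_t tot_len, int checked)
{
    uint8_t pkt[sizeof IP_SAMPLE];
    memcpy(pkt, IP_SAMPLE, sizeof pkt);
    pkt[2] = (uint8_t)(tot_len >> 8);
    pkt[3] = (uint8_t)tot_len;
    return checked ? payload_len_checked(pkt, sizeof pkt) : (int)payload_len_unchecked(pkt);
}

int main(void)
{
    printf("tot_len 32: unchecked %d, checked %d\n",
           sample_with_total_length(32, 0), sample_with_total_length(32, 1));
    printf("tot_len 10: unchecked %d, checked %d\n",
           sample_with_total_length(10, 0), sample_with_total_length(10, 1));
    printf("icmp_verify on intact sample: %d\n", icmp_verify(IP_SAMPLE, sizeof IP_SAMPLE));
    return 0;
}
```

The same validated length is what the TCP code should use to compute the TCP payload length; the check against `frame_len` also matters, because a total length larger than the received frame leads to the mirror-image over-read.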

CVE-2020-35685

TCP initial sequence numbers (ISNs) are generated in a predictable way, which enables TCP spoofing. The vulnerability affects the TCP module and has a CVSS score of 7.5.

CVE-2021-27565

A panic function is called when an unrecognized HTTP request is received, which can lead to DoS. The vulnerability affects the HTTP module and has a CVSS score of 7.5.

CVE-2021-36762

The TFTP packet processing function does not ensure that the file name is null-terminated, so a subsequent strlen() call can read past the protocol packet buffer, causing DoS. The vulnerability affects the TFTP module and has a CVSS score of 7.5.
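The fix for this class of bug is to never call strlen() on bytes that came off the wire and instead search for the terminator only within the received length. The following C is an added example written for this page, not NicheStack code: a minimal RFC 1350 read/write request parser with the unchecked and the bounded approach side by side, run over constructed request packets. The function names and sample bytes are this example's own.

```c
/* Bounded TFTP request parsing. Illustrative C written for this page, not
 * NicheStack source. A TFTP RRQ/WRQ (RFC 1350) is opcode(2) | filename | 0 |
 * mode | 0. The unchecked shape trusts a terminator the packet may not carry,
 * which is the CVE-2021-36762 pattern; the checked shape searches for the
 * terminator only within the bytes actually received. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct tftp_req {
    uint16_t    opcode;         /* 1 = RRQ, 2 = WRQ */
    const char *filename;       /* aliases the packet buffer, not copied */
    size_t      filename_len;   /* excluding the terminating NUL */
    const char *mode;
    size_t      mode_len;
};

/* Vulnerable shape: strlen() runs until it finds a zero byte, wherever that is. */
size_t tftp_filename_len_unchecked(const uint8_t *pkt)
{
    return strlen((const char *)pkt + 2);
}

/* Hardened shape: returns 0 on success, -1 if the request is malformed. */
int tftp_parse_request(const uint8_t *pkt, size_t len, struct tftp_req *out)
{
    if (len < 2) return -1;
    out->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (out->opcode != 1 && out->opcode != 2) return -1;
    const uint8_t *p = pkt + 2, *end = pkt + len;

    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));   /* never looks past end */
    if (nul == NULL || nul == p) return -1;                 /* no terminator, or empty name */
    out->filename = (const char *)p;
    out->filename_len = (size_t)(nul - p);
    p = nul + 1;

    nul = memchr(p, 0, (size_t)(end - p));
    if (nul == NULL || nul == p) return -1;
    out->mode = (const char *)p;
    out->mode_len = (size_t)(nul - p);
    return 0;                      /* bytes after the mode's NUL (RFC 2347 options) are ignored */
}

/* Constructed samples, not captures. */
static const uint8_t GOOD_RRQ[] =
    { 0, 1, 'c','o','n','f','i','g','.','b','i','n', 0, 'o','c','t','e','t', 0 };
/* Same request with the final NUL missing: the filename is still terminated, but
 * strlen() on the mode field would run off the end of the buffer. */
static const uint8_t TRUNCATED_MODE[] =
    { 0, 1, 'c','o','n','f','i','g','.','b','i','n', 0, 'o','c','t','e','t' };
/* No terminator at all after the opcode. */
static const uint8_t NO_NUL[] = { 0, 1, 'a', 'b', 'c' };

/* Returns the parsed filename length, or -1 if the parser rejects the packet. */
int parse_sample(const uint8_t *pkt, size_t len)
{
    struct tftp_req r;
    return tftp_parse_request(pkt, len, &r) == 0 ? (int)r.filename_len : -1;
}

int main(void)
{
    printf("good: %d, truncated mode: %d, no NUL: %d\n",
           parse_sample(GOOD_RRQ, sizeof GOOD_RRQ),
           parse_sample(TRUNCATED_MODE, sizeof TRUNCATED_MODE),
           parse_sample(NO_NUL, sizeof NO_NUL));
    return 0;
}
```

The unchecked helper is only ever called on the well-formed sample here; calling it on `TRUNCATED_MODE` or `NO_NUL` is exactly the undefined read the advisory describes, which is why the bounded parser rejects those packets instead.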

CVE-2020-25926

The DNS client does not use sufficiently random transaction IDs, which can enable DNS cache poisoning. The vulnerability affects the DNSv4 module and has a CVSS score of 4.0.

CVE-2021-31228

An attacker can predict the source port of a DNS query and therefore send a forged DNS response that the DNS client accepts as a valid answer, possibly enabling DNS cache poisoning. The vulnerability affects the DNSv4 module and has a CVSS score of 4.0.

Vulnerability Impact

The vulnerabilities affect all NicheStack versions prior to 4.3, including NicheLite. The stack is used by most major industrial automation vendors worldwide, and more than 200 device manufacturers are affected. A Shodan query by the researchers found more than 6,400 device instances running NicheStack; 6,360 of them expose an HTTP server, and most of the rest expose FTP, SSH, or Telnet.

Figure 1 Shodan query results

From an industry perspective, process manufacturing is the most affected, followed by retail and assembly manufacturing.

Figure 2 Industry distribution of devices running NicheStack
