Several major industrial control system (ICS) vendors have issued security advisories in response to the discovery of the NicheStack vulnerabilities collectively tracked as INFRA:HALT.
Forescout Research Labs and JFrog Security Research found a total of 14 vulnerabilities in NicheStack, a TCP/IP stack used by many operational technology (OT) vendors. The flaws, a majority of which have been assigned critical and high severity ratings, can be exploited for remote code execution, denial of service (DoS) attacks, obtaining information, TCP spoofing, and DNS cache poisoning.
In an attack scenario described by the researchers, the attacker remotely exploits one of the INFRA:HALT vulnerabilities to crash a programmable logic controller (PLC) and disrupt the associated physical process.
Some websites suggest that as many as 200 companies could be using NicheStack in their products, and a Shodan search showed thousands of internet-exposed devices that could be vulnerable to attacks.
HCC Embedded, which acquired NicheStack in 2016, was informed about the vulnerabilities in September 2020 and released patches in May 2021.
Major ICS vendors and other organizations have released advisories in response to the discovery and disclosure of the INFRA:HALT vulnerabilities. This includes the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Germany’s CERT@VDE, and the CERT Coordination Center at Carnegie Mellon University. Each of the vendors that has confirmed being impacted has released an advisory describing the impact on its products.
Schneider Electric said its Lexium motion control drives are affected by five of the NicheStack flaws that can be exploited for DoS attacks. The company is working on a remediation plan for all future versions of the impacted products. In the meantime, it has advised customers to reduce the risk of exploitation by restricting network access to the affected devices.
Siemens said some of its SENTRON low voltage products are affected by four of the 14 INFRA:HALT vulnerabilities. SENTRON products are impacted by DoS and TCP spoofing issues.
Siemens has released updates for each of the affected products to patch these vulnerabilities. Customers have been advised to update their devices to the latest version.
Rockwell Automation (login required)
Rockwell Automation said its 20-COMM-ER EtherNet/IP adapter is impacted by a majority of the NicheStack vulnerabilities, and the ArmorStart distributed motor controller is impacted by nine flaws, a majority of which can be exploited for DoS attacks. 1715-AENTR EtherNet/IP adapters, AADvance safety controllers, and AADvance Eurocard controllers are impacted by five DoS vulnerabilities.
Rockwell has yet to release any updates to address these vulnerabilities, but it does plan on patching them. In the meantime, customers are encouraged to implement mitigations to reduce the risk of exploitation.
Phoenix Contact said six of the INFRA:HALT vulnerabilities impact its LC1x0, ILC1x1 and AXC 1050 industrial controllers, as well as its CHARX programmable charging controller for electric vehicles. The company said an attacker can exploit the vulnerabilities for DoS attacks and to “breach the integrity” of a PLC by sending specially crafted packets.
Phoenix Contact has advised customers to ensure that the impacted controllers operate in closed networks and are protected by firewalls.
