Connect with us

Hi, what are you looking for?



ICS Vendors Assess Impact of INFRA:HALT Vulnerabilities

Several major industrial control system (ICS) vendors have issued security advisories in response to the discovery of the NicheStack vulnerabilities collectively tracked as INFRA:HALT.

Several major industrial control system (ICS) vendors have issued security advisories in response to the discovery of the NicheStack vulnerabilities collectively tracked as INFRA:HALT.

Forescout Research Labs and JFrog Security Research found a total of 14 vulnerabilities in NicheStack, a TCP/IP stack used by many operational technology (OT) vendors. The flaws, a majority of which have been assigned critical and high severity ratings, can be exploited for remote code execution, denial of service (DoS) attacks, obtaining information, TCP spoofing, and DNS cache poisoning.

In an attack scenario described by the researchers, the attacker remotely exploits one of the INFRA:HALT vulnerabilities to crash a programmable logic controller (PLC) and disrupt the associated physical process.

Some websites suggest that as many as 200 companies could be using NicheStack in their products, and a Shodan search showed thousands of internet-exposed devices that could be vulnerable to attacks.

HDD Embedded, which acquired NicheStack in 2016, was informed about the vulnerabilities in September 2020 and released patches in May 2021.

Major ICS vendors and other organizations have released advisories in response to the discovery and disclosure of the INFRA:HALT vulnerabilities. This includes the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Germany’s CERT@VDE, and the CERT Coordination Center at Carnegie Mellon University. Each of the vendors that have confirmed being impacted have released advisories describing impact on their products.

Schneider Electric

Schneider Electric said its Lexium motion control drives are affected by five of the NicheStack flaws that can be exploited for DoS attacks. The company is working on a remediation plan for all future versions of the impacted products. In the meantime, it had advised customers to reduce the risk of exploitation by restricting network access to the affected devices.

Advertisement. Scroll to continue reading.


Siemens said some of its SENTRON low voltage products are affected by four of the 14 INFRA:HALT vulnerabilities. SENTRON products are impacted by DoS and TCP spoofing issues.

Siemens has released updates for each of the affected products to patch these vulnerabilities. Customers have been advised to update their devices to the latest version.

Rockwell Automation (login required)

Rockwell Automation said its 20-COMM-ER EtherNet/IP adapter is impacted by a majority of the NicheStack vulnerabilities, and the ArmorStart distributed motor controller is impacted by nine flaws, a majority of which can be exploited for DoS attacks. 1715-AENTR EtherNet/IP adapters, AADvance safety controllers, and AADvance Eurocard controllers are impacted by five DoS vulnerabilities.

Rockwell has yet to release any updates to address these vulnerabilities, but it does plan on patching them. In the meantime, customers are encouraged to implement mitigations to reduce the risk of exploitation.

Phoenix Contact

Phoenix Contact said six of the INFRA:HALT vulnerabilities impact its LC1x0, ILC1x1 and AXC 1050 industrial controllers, as well as its CHARX programmable charging controller for electric vehicles. The company said an attacker can exploit the vulnerabilities for DoS attacks and to “breach the integrity” of a PLC by sending specially crafted packets.

Phoenix Contact has advised customers to ensure that the impacted controllers operate in closed networks and are protected by firewalls.

Related: ICS Vendors Address Vulnerabilities Affecting Widely Used Licensing Product

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Related: Industrial Giants Respond to ‘Urgent/11’ Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...