Security Experts:

Connect with us

Hi, what are you looking for?



ICS Vendors Assess Impact of INFRA:HALT Vulnerabilities

Several major industrial control system (ICS) vendors have issued security advisories in response to the discovery of the NicheStack vulnerabilities collectively tracked as INFRA:HALT.

Several major industrial control system (ICS) vendors have issued security advisories in response to the discovery of the NicheStack vulnerabilities collectively tracked as INFRA:HALT.

Forescout Research Labs and JFrog Security Research found a total of 14 vulnerabilities in NicheStack, a TCP/IP stack used by many operational technology (OT) vendors. The flaws, a majority of which have been assigned critical and high severity ratings, can be exploited for remote code execution, denial of service (DoS) attacks, obtaining information, TCP spoofing, and DNS cache poisoning.

In an attack scenario described by the researchers, the attacker remotely exploits one of the INFRA:HALT vulnerabilities to crash a programmable logic controller (PLC) and disrupt the associated physical process.

Some websites suggest that as many as 200 companies could be using NicheStack in their products, and a Shodan search showed thousands of internet-exposed devices that could be vulnerable to attacks.

HDD Embedded, which acquired NicheStack in 2016, was informed about the vulnerabilities in September 2020 and released patches in May 2021.

Major ICS vendors and other organizations have released advisories in response to the discovery and disclosure of the INFRA:HALT vulnerabilities. This includes the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Germany’s [email protected], and the CERT Coordination Center at Carnegie Mellon University. Each of the vendors that have confirmed being impacted have released advisories describing impact on their products.

Schneider Electric

Schneider Electric said its Lexium motion control drives are affected by five of the NicheStack flaws that can be exploited for DoS attacks. The company is working on a remediation plan for all future versions of the impacted products. In the meantime, it had advised customers to reduce the risk of exploitation by restricting network access to the affected devices.


Siemens said some of its SENTRON low voltage products are affected by four of the 14 INFRA:HALT vulnerabilities. SENTRON products are impacted by DoS and TCP spoofing issues.

Siemens has released updates for each of the affected products to patch these vulnerabilities. Customers have been advised to update their devices to the latest version.

Rockwell Automation (login required)

Rockwell Automation said its 20-COMM-ER EtherNet/IP adapter is impacted by a majority of the NicheStack vulnerabilities, and the ArmorStart distributed motor controller is impacted by nine flaws, a majority of which can be exploited for DoS attacks. 1715-AENTR EtherNet/IP adapters, AADvance safety controllers, and AADvance Eurocard controllers are impacted by five DoS vulnerabilities.

Rockwell has yet to release any updates to address these vulnerabilities, but it does plan on patching them. In the meantime, customers are encouraged to implement mitigations to reduce the risk of exploitation.

Phoenix Contact

Phoenix Contact said six of the INFRA:HALT vulnerabilities impact its LC1x0, ILC1x1 and AXC 1050 industrial controllers, as well as its CHARX programmable charging controller for electric vehicles. The company said an attacker can exploit the vulnerabilities for DoS attacks and to “breach the integrity” of a PLC by sending specially crafted packets.

Phoenix Contact has advised customers to ensure that the impacted controllers operate in closed networks and are protected by firewalls.

Related: ICS Vendors Address Vulnerabilities Affecting Widely Used Licensing Product

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Related: Industrial Giants Respond to ‘Urgent/11’ Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.