Security Experts:

Connect with us

Hi, what are you looking for?



ICS Vendors Assess Impact of INFRA:HALT Vulnerabilities

Several major industrial control system (ICS) vendors have issued security advisories in response to the discovery of the NicheStack vulnerabilities collectively tracked as INFRA:HALT.

Several major industrial control system (ICS) vendors have issued security advisories in response to the discovery of the NicheStack vulnerabilities collectively tracked as INFRA:HALT.

Forescout Research Labs and JFrog Security Research found a total of 14 vulnerabilities in NicheStack, a TCP/IP stack used by many operational technology (OT) vendors. The flaws, a majority of which have been assigned critical and high severity ratings, can be exploited for remote code execution, denial of service (DoS) attacks, obtaining information, TCP spoofing, and DNS cache poisoning.

In an attack scenario described by the researchers, the attacker remotely exploits one of the INFRA:HALT vulnerabilities to crash a programmable logic controller (PLC) and disrupt the associated physical process.

Some websites suggest that as many as 200 companies could be using NicheStack in their products, and a Shodan search showed thousands of internet-exposed devices that could be vulnerable to attacks.

HDD Embedded, which acquired NicheStack in 2016, was informed about the vulnerabilities in September 2020 and released patches in May 2021.

Major ICS vendors and other organizations have released advisories in response to the discovery and disclosure of the INFRA:HALT vulnerabilities. This includes the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Germany’s [email protected], and the CERT Coordination Center at Carnegie Mellon University. Each of the vendors that have confirmed being impacted have released advisories describing impact on their products.

Schneider Electric

Schneider Electric said its Lexium motion control drives are affected by five of the NicheStack flaws that can be exploited for DoS attacks. The company is working on a remediation plan for all future versions of the impacted products. In the meantime, it had advised customers to reduce the risk of exploitation by restricting network access to the affected devices.


Siemens said some of its SENTRON low voltage products are affected by four of the 14 INFRA:HALT vulnerabilities. SENTRON products are impacted by DoS and TCP spoofing issues.

Siemens has released updates for each of the affected products to patch these vulnerabilities. Customers have been advised to update their devices to the latest version.

Rockwell Automation (login required)

Rockwell Automation said its 20-COMM-ER EtherNet/IP adapter is impacted by a majority of the NicheStack vulnerabilities, and the ArmorStart distributed motor controller is impacted by nine flaws, a majority of which can be exploited for DoS attacks. 1715-AENTR EtherNet/IP adapters, AADvance safety controllers, and AADvance Eurocard controllers are impacted by five DoS vulnerabilities.

Rockwell has yet to release any updates to address these vulnerabilities, but it does plan on patching them. In the meantime, customers are encouraged to implement mitigations to reduce the risk of exploitation.

Phoenix Contact

Phoenix Contact said six of the INFRA:HALT vulnerabilities impact its LC1x0, ILC1x1 and AXC 1050 industrial controllers, as well as its CHARX programmable charging controller for electric vehicles. The company said an attacker can exploit the vulnerabilities for DoS attacks and to “breach the integrity” of a PLC by sending specially crafted packets.

Phoenix Contact has advised customers to ensure that the impacted controllers operate in closed networks and are protected by firewalls.

Related: ICS Vendors Address Vulnerabilities Affecting Widely Used Licensing Product

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Related: Industrial Giants Respond to ‘Urgent/11’ Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.