Connect with us

Hi, what are you looking for?



Vulnerabilities in NicheStack TCP/IP Stack Affect Many OT Device Vendors

Researchers have identified more than a dozen vulnerabilities in the NicheStack TCP/IP stack, which appears to be used by many operational technology (OT) vendors. The vulnerabilities are collectively tracked as ​​INFRA:HALT.

Researchers have identified more than a dozen vulnerabilities in the NicheStack TCP/IP stack, which appears to be used by many operational technology (OT) vendors. The vulnerabilities are collectively tracked as ​​INFRA:HALT.

The security holes, discovered by researchers from ​​Forescout Research Labs and JFrog Security Research, can be exploited by an attacker for remote code execution, denial-of-service (DoS) attacks, information leaks, TCP spoofing, and DNS cache poisoning. Of the 14 flaws, two have been rated critical and 10 have been assigned a high severity rating.

In one theoretical attack scenario described by ​​Forescout and JFrog, an external attacker uses an internet-exposed device running NicheStack to infiltrate the targeted network.

The attacker uses one of the critical INFRA:HALT vulnerabilities that can be exploited by sending specially crafted DNS requests. The malicious DNS request contains shellcode that instructs the first device to send a malicious FTP packet to a second device on the network — a programmable logic controller (PLC) in this example — and cause it to crash. The PLC crash causes the disruption of the physical process associated with the controller.


A search conducted using the Shodan search engine showed more than 6,400 internet-connected devices running NicheStack, including more than 4,000 in North America. Forescout’s own Device Cloud knowledge base showed over 2,500 devices from 21 vendors. Many of these devices are industrial control systems (ICS), and the highest number of vulnerable systems were seen in the discrete manufacturing, process manufacturing, and retail sectors.

Daniel dos Santos, research manager at Forescout, told SecurityWeek that the company saw many affected power meters in Device Cloud. He also noted that in addition to the internet-exposed devices affected by the INFRA:HALT flaws, there are also likely many vulnerable systems that are only accessible from the local network.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

NicheStack, also known as InterNiche, is a TCP/IP stack that was originally developed by InterNiche Technologies and acquired in 2016 by HCC Embedded. TCP/IP stacks enable vendors to implement basic network communications for IP-connected systems, including IT, OT and IoT devices.

Advertisement. Scroll to continue reading.

NicheStack has been around for nearly two decades and versions of the product have been distributed by semiconductor vendors such as Altera (Intel), NXP (Freescale), Texas Instruments (Luminary), and STMicroelectronics. NicheStack has also been used as a foundation for other TCP/IP stacks.

A legacy InterNiche website lists roughly 200 companies that — at least at some point — used NicheStack, including major industrial automation companies such as Siemens, Schneider Electric, Rockwell Automation, Honeywell, Emerson and Mitsubishi Electric.

HCC Embedded was informed about the vulnerabilities in September 2020 and it patched them in May 2021 with the release of version 4.3, which is available upon request from the company’s security support team. HCC has advised anyone using NicheStack to review its security advisories and update the vulnerable software in their products.

Some of the impacted vendors have posted links to HCC’s advisories and others will likely post their own advisories in the upcoming period. On the other hand, Forescout and JFrog said many of the vendors they have contacted have yet to share information on whether their products are impacted.

This is not the first time researchers have identified potentially serious vulnerabilities in TCP/IP stacks. Previously discovered issues include AMNESIA:33, NAME:WRECK and NUMBER:JACK.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.