[TheRecord] INFRA:HALT vulnerabilities affect OT devices from more than 200 vendors

Security researchers today disclosed 14 vulnerabilities that impact a popular TCP/IP library commonly used in industrial equipment and Operational Technology (OT) devices manufactured by more than 200 vendors.

Collectively referred to as INFRA:HALT, the 14 vulnerabilities have been found as part of a joint research effort by the security teams at Forescout and JFrog.

Project Memoria, phase III

According to a report published today, the vulnerabilities affect NicheStack, a small C library provided by HCC Embedded that can be added to a device’s firmware to allow it to support internet connectivity and other networking functions.

Also known as “TCP/IP stacks,” these types of libraries are common in almost all devices; however, their code has hardly been reviewed in decades for security flaws.

In 2019, after the discovery of the URGENT/11 and Ripple20 vulnerabilities impacting common TCP/IP stacks, the Forescout team launched Project Memoria as a dedicated research operation to look into the security of all of today’s most popular TCP/IP stacks.

The INFRA:HALT bugs announced today are the project’s third set of bugs after Amnesia:33 and NUMBER:JACK.

But while the previous two research efforts focused on more common TCP/IP stacks used with routers, IoT devices, or web servers, this time around, the Forescout and JFrog teams had their sights on a library used for adding internet connectivity to industrial equipment typically found in factories, mines, pipelines, water treatment facilities, and other critical infrastructure working points.

“The new vulnerabilities allow for remote code execution, denial of service, information leak, TCP spoofing, or DNS cache poisoning,” researchers explained.

A full list of the bugs, along with descriptions, is available below:

Image: Forescout

More than 6,400 OT devices are exposed online

To exploit any of the INFRA:HALT vulnerabilities, a threat actor would first need to gain access to a company’s internal network, and not just its office network but its OT section, a separate network where all industrial equipment is recommended to be installed.

However, while the bulk of companies typically know how to safeguard their OT networks, this doesn’t mean that some don’t intentionally or accidentally expose industrial equipment online.

Around 6,400 OT devices were found connected to the internet in March this year when the Forescout and JFrog teams discovered the INFRA:HALT vulnerabilities.

These devices are now vulnerable to attacks, and especially to attacks exploiting the CVE-2020-25928 and CVE-2021-31226 bugs that could allow attackers to take full control over a device remotely.

The good news for the more than 200 device vendors that use NicheStack is that HCC Embedded has prepared patches to address all issues.

The bad news is that by the time these patches make it into a firmware update and then the firmware is deployed on devices in the field, threat actors could have already exploited the INFRA:HALT issues to damage devices or even hinder OT operations.

Companies interested in finding out whether they use devices that run on the NicheStack TCP/IP stack, or other TCP/IP stacks previously identified as vulnerable in earlier research, can use Forescout’s Project Amnesia scanner, available on GitHub.

The post INFRA:HALT vulnerabilities affect OT devices from more than 200 vendors appeared first on The Record by Recorded Future.
