Considering that OT environments are increasingly in the crosshairs of attackers, the 14 vulnerabilities that JFrog and Forescout Research Labs recently discovered in NicheStack should make the likes of Siemens, Schneider Electric and Rockwell Automation take notice–and action.
Millions of programmable logic controllers (PLCs) and controllers from more than 200 device makers use NicheStack, a common, proprietary TCP/IP stack. NicheStack is employed in a wide array of critical infrastructure sectors globally like manufacturing plants, water treatment and power generation and transmission and distribution. It is the basis for numerous TCP/IP stacks and used by OEMS like Altera, Microchip, STMicroelectronics and Freescale.
“These vulnerabilities are very common in OT environments, as many major device vendors are listed as NicheStack customers,” said JFrog CTO Asaf Karas. “For instance, the stack is used in the Siemens S7 PLC, which is one of the most popular PLCs.”
The raft of flaws, dubbed INFRA:HALT, cover a wide gamut of threats–from remote code execution and denial of service (DoS) to TCP spoofing, information leak and DNS cache poisoning. The worst of the flaws, 2020-25928 and 2021-31226 logged CVSSv3.1 scores of 9.8 and 9.1, respectively.
At least for now, there’s a positive take: It seems adversaries have yet to stumble across the flaws. “We didn’t see any sign of exploitation,” said Karas.
He expressed surprise that the vulnerabilities had gone undiscovered. “The biggest surprise is that these kinds of vulnerabilities, that can be automatically detected, were not discovered for such a long time, especially given how critical they are and how common NicheStack is,” said Karas.
InterNiche Technologies has released patches for the vulnerabilities. Still, guarding against them is a thorny matter because, not surprisingly, patching across the supply chain is incredibly challenging from a logistics perspective and OT devices are critical in the environments that use them. So, while the best option for taking the teeth out of these flaws is upgrading to NicheStack v4.3, it might not be the route that many OT-driven businesses take.
There’s good news, though, for those stymied by patching. Forescout Research Labs offers an open source script that detects devices running NicheStack and which is upgraded constantly, JFrog said in a blog post. And the researchers recommend that companies confine and segment those vulnerable devices from the network until it’s feasible to patch. Of course, monitoring for malicious packets that might try to exploit these flaws is also critical.
Addressing these flaws is a necessity because the consequences can be untenable–adversaries could take over controllers that are used by critical infrastructure organizations, particularly manufacturing. “The greatest danger is remote code execution, allowing an attacker complete control on OT devices that could then be shut down or operate with unsafe parameters, leading to actual physical damage of the infrastructures they control or monitor,” said Karas. “This would be especially dangerous on internet-facing devices as the attacker can connect to them directly.”