Analysis shows that the "INFRA:HALT" series of vulnerabilities affects all NicheStack versions before 4.3, including NicheLite. NicheStack is used widely across industrial automation, and more than 200 equipment manufacturers are estimated to be affected.
NicheStack, also known as the InterNiche stack, is a closed-source third-party TCP/IP stack for embedded systems. It provides network connectivity for industrial equipment and is deployed mainly in devices used in manufacturing plants, power generation, water treatment and other critical infrastructure. Affected products include those of Siemens, Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation and Schneider Electric, among others, as well as many operational technology (OT) devices in those critical infrastructure sectors.
"INFRA:HALT" contains 14 security vulnerabilities.
The 14 "INFRA:HALT" vulnerabilities cover remote code execution, denial of service (DoS), information disclosure, TCP spoofing and DNS cache poisoning. They affect the DNSv4, HTTP, TCP, ICMP and TFTP modules, and two of them have a CVSS score above 9.
CVE-2020-25928: when parsing a DNS response, the code does not check the response data length field (RDLENGTH) against the packet, which can lead to an out-of-bounds read/write (OOB-R/W). Remote code execution vulnerability in the DNSv4 module; CVSS 9.8.
CVE-2021-31226: heap buffer overflow caused by a missing size check when parsing HTTP POST requests. Remote code execution vulnerability in the HTTP module; CVSS 9.1.
CVE-2020-25767: when parsing DNS domain names, the code does not check whether a compression pointer lies within the packet boundary, which can lead to an out-of-bounds read (OOB-R) and hence DoS and information disclosure. DNSv4 module; CVSS 7.5.
CVE-2020-25927: when parsing a DNS response, the code does not check that the number of queries or responses declared in the header matches the number actually present in the packet, which can lead to DoS. DNSv4 module; CVSS 8.2.
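The three DNS parsing checks above (compression pointer inside the packet, RDLENGTH inside the packet, header counts matching the records actually present) are easiest to understand in code. The following is an added example written for this page, not NicheStack or the researchers' code; the sample response for www.example.com is constructed here, and the `..._patched` helper re-parses it with one byte changed, the way a fuzzer would.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NicheStack code: a bounds-checked DNS response walker
 * that applies the three checks the text says are missing. */
#define DNS_HDR_LEN 12
#define DNS_MAX_NAME 255

/* Read a possibly compressed name at *off into out, advancing *off past the
 * name as it appears in the packet. Returns 0, or -1 if the name would leave
 * the packet (the "target >= len" test is the check missing in CVE-2020-25767). */
static int dns_read_name(const uint8_t *pkt, size_t len, size_t *off,
                         char *out, size_t outsz)
{
    size_t pos = *off, outlen = 0, resume = 0;

    for (;;) {
        if (pos >= len) return -1;                 /* ran off the packet */
        uint8_t lab = pkt[pos];
        if ((lab & 0xC0) == 0xC0) {                /* compression pointer */
            if (pos + 1 >= len) return -1;         /* pointer byte truncated */
            size_t target = ((size_t)(lab & 0x3F) << 8) | pkt[pos + 1];
            if (target >= len) return -1;          /* points outside the packet */
            if (target >= pos) return -1;          /* only backward pointers: no loops */
            if (resume == 0) resume = pos + 2;     /* parsing resumes after 1st pointer */
            pos = target;
            continue;
        }
        if (lab & 0xC0) return -1;                 /* reserved label types */
        pos++;
        if (lab == 0) break;                       /* root label ends the name */
        if (lab > len - pos) return -1;            /* label runs off the packet */
        if (outlen + lab + 1 >= outsz) return -1;  /* name too long for out */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + pos, lab);
        outlen += lab;
        pos += lab;
    }
    out[outlen] = '\0';
    *off = resume ? resume : pos;
    return 0;
}

/* Walk the question and answer sections. Returns the number of answer records
 * actually present and fully inside the packet, or -1 if the packet is
 * malformed or the header's ANCOUNT promises records that are not there. */
long dns_count_answers(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HDR_LEN || !(pkt[2] & 0x80)) return -1;   /* too short / not a response */
    unsigned qd = ((unsigned)pkt[4] << 8) | pkt[5];
    unsigned an = ((unsigned)pkt[6] << 8) | pkt[7];
    size_t off = DNS_HDR_LEN;
    char name[DNS_MAX_NAME + 1];

    for (unsigned i = 0; i < qd; i++) {                /* question section */
        if (dns_read_name(pkt, len, &off, name, sizeof name)) return -1;
        if (4 > len - off) return -1;                  /* QTYPE + QCLASS */
        off += 4;
    }
    long found = 0;
    for (unsigned i = 0; i < an; i++) {                /* answer section */
        if (dns_read_name(pkt, len, &off, name, sizeof name)) return -1;
        if (10 > len - off) return -1;                 /* TYPE CLASS TTL RDLENGTH */
        size_t rdlen = ((size_t)pkt[off + 8] << 8) | pkt[off + 9];
        off += 10;
        if (rdlen > len - off) return -1;              /* CVE-2020-25928: RDLENGTH vs packet */
        off += rdlen;
        found++;
    }
    return found;                                      /* CVE-2020-25927: ANCOUNT must match */
}

/* Constructed sample: response for www.example.com with one A record (49 bytes). */
static const uint8_t sample_dns_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    93, 184, 216, 34,
};

/* Re-parse the sample with one byte patched. */
long dns_count_answers_patched(size_t idx, uint8_t val)
{
    uint8_t buf[sizeof sample_dns_response];
    memcpy(buf, sample_dns_response, sizeof buf);
    if (idx < sizeof buf) buf[idx] = val;
    return dns_count_answers(buf, sizeof buf);
}

int main(void)
{
    printf("intact:        %ld\n", dns_count_answers(sample_dns_response, sizeof sample_dns_response));
    printf("ptr -> 255:    %ld\n", dns_count_answers_patched(34, 0xFF)); /* CVE-2020-25767 class */
    printf("ptr -> self:   %ld\n", dns_count_answers_patched(34, 0x21)); /* pointer loop */
    printf("rdlength 255:  %ld\n", dns_count_answers_patched(44, 0xFF)); /* CVE-2020-25928 class */
    printf("ancount 2:     %ld\n", dns_count_answers_patched(7, 0x02));  /* CVE-2020-25927 class */
    return 0;
}
```

Each check compares against `len`, the number of bytes actually received, never against a value taken from the packet itself; restricting compression pointers to earlier offsets also rules out pointer loops without a separate hop counter.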
CVE-2021-31227: heap buffer overflow caused by an incorrect signed integer comparison when parsing HTTP POST requests, which can lead to DoS. HTTP module; CVSS 7.5.
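The two HTTP POST defects (a missing size check and a signed comparison) share one root cause: a Content-Length value that is trusted as a copy length. The following added example, written for this page and not taken from NicheStack, puts the vulnerable pattern next to a hardened one. `BODY_BUF_SIZE` stands in for a hypothetical fixed-size heap buffer; the header strings are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not NicheStack code. BODY_BUF_SIZE stands in for the
 * hypothetical fixed-size heap buffer that receives a POST body. */
#define BODY_BUF_SIZE 256

typedef struct {
    int accepted;     /* 1 if the request passes the check */
    size_t copy_len;  /* the length memcpy() would be called with */
} post_check;

/* Vulnerable pattern (the signed comparison the text describes): the header
 * is parsed into an int and compared as signed. "-1" is not greater than
 * BODY_BUF_SIZE, so it passes, and the later cast to size_t for memcpy()
 * turns it into SIZE_MAX: a heap buffer overflow. */
post_check post_check_vulnerable(const char *content_length)
{
    post_check r = {0, 0};
    int n = atoi(content_length);
    if (n > BODY_BUF_SIZE)        /* signed: negatives slip through */
        return r;
    r.accepted = 1;
    r.copy_len = (size_t)n;       /* (size_t)-1 == SIZE_MAX */
    return r;
}

/* Fixed: accept only an unsigned decimal (strtoul alone would silently
 * negate "-1"), detect overflow, bound by the buffer, and never copy more
 * than was actually received on the socket. */
post_check post_check_fixed(const char *content_length, size_t received)
{
    post_check r = {0, 0};
    if (content_length[0] < '0' || content_length[0] > '9')
        return r;                 /* rejects "-1", "+5", "" */
    char *end;
    errno = 0;
    unsigned long n = strtoul(content_length, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return r;                 /* overflow or trailing garbage */
    if (n > BODY_BUF_SIZE || n > received)
        return r;                 /* larger than the buffer, or than what arrived */
    r.accepted = 1;
    r.copy_len = (size_t)n;
    return r;
}

int main(void)
{
    /* Constructed header values; all fit in an int, so atoi() is defined here. */
    const char *hdrs[] = { "12", "-1", "1000", "12abc" };
    for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        post_check v = post_check_vulnerable(hdrs[i]);
        post_check f = post_check_fixed(hdrs[i], 12);   /* 12 body bytes received */
        printf("Content-Length: %-6s vulnerable: %s (%zu bytes)  fixed: %s (%zu bytes)\n",
               hdrs[i], v.accepted ? "accept" : "reject", v.copy_len,
               f.accepted ? "accept" : "reject", f.copy_len);
    }
    return 0;
}
```

The hardened check is the one to reuse: it is the comparison against the bytes actually received, not just against the buffer size, that stops a truthful-looking Content-Length from driving a read past the end of the receive buffer.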
CVE-2021-31400: when the pointer marking the end of TCP out-of-band urgent data points outside the TCP packet, the urgent-data handling function calls a panic function. If the trap call has been removed from that panic function, an infinite loop results, leading to DoS. TCP module; CVSS 7.5.
CVE-2021-31401: the TCP header processing code does not validate the IP length (header + data). Because the IP data length is computed by subtracting the header length from the total IP length, a crafted IP packet can cause an integer overflow (underflow) in that subtraction. TCP module; CVSS 7.5.
CVE-2020-35683: the ICMP handling code uses the IP payload size to compute the ICMP checksum, but that size is not validated. When the IP payload size is set smaller than the IP header size, the ICMP checksum computation can read out of bounds, resulting in DoS. ICMP module; CVSS 7.5.
CVE-2020-35684: the TCP handling code derives the TCP payload length from the IP payload size. When the IP payload size is set smaller than the IP header size, the TCP checksum computation can read out of bounds, resulting in DoS. TCP module; CVSS 7.5.
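CVE-2021-31401, CVE-2020-35683 and CVE-2020-35684 all come down to the same arithmetic: a payload length derived by subtracting a header length from a packet-supplied total, then handed to a checksum loop. The following added example, written for this page and not taken from NicheStack, shows the unchecked subtraction wrapping and a checked parse that rejects every inconsistent length before any checksum runs. The IPv4+TCP frame is constructed; the `..._patched` helper re-parses it with one byte changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NicheStack code: the length arithmetic behind
 * CVE-2021-31401, CVE-2020-35683 and CVE-2020-35684, unchecked and checked. */

/* Vulnerable pattern: IP payload length by plain subtraction. With Total
 * Length 10 and a 20-byte header the result wraps to 65526, and a checksum
 * loop over that many bytes reads far outside the packet. */
uint16_t ip_payload_len_unchecked(uint16_t total_len, uint8_t ihl)
{
    return (uint16_t)(total_len - ihl * 4u);
}

/* RFC 1071 ones'-complement checksum; only call it with a validated length. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checked parse of an IPv4+TCP frame. Returns the TCP payload length, or -1
 * if any length field is inconsistent with the bytes actually received. */
long tcp_payload_len_checked(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 20) return -1;
    if ((frame[0] >> 4) != 4) return -1;                 /* IPv4 only */
    size_t ihl = (frame[0] & 0x0F) * 4u;
    size_t total = ((size_t)frame[2] << 8) | frame[3];
    if (ihl < 20 || ihl > total) return -1;              /* header must fit in Total Length */
    if (total > frame_len) return -1;                    /* Total Length must fit in the frame */
    if (frame[9] != 6) return -1;                        /* TCP only */
    size_t ip_payload = total - ihl;                     /* cannot underflow now */
    const uint8_t *tcp = frame + ihl;
    if (ip_payload < 20) return -1;
    size_t doff = (tcp[12] >> 4) * 4u;
    if (doff < 20 || doff > ip_payload) return -1;       /* TCP header must fit in IP payload */
    (void)inet_checksum(tcp, ip_payload);                /* safe: bounded by the checks above */
    return (long)(ip_payload - doff);
}

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header + "ping". */
static const uint8_t sample_frame[] = {
    0x45, 0x00, 0x00, 0x2C, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x04, 0xD2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
    'p', 'i', 'n', 'g',
};

/* Re-parse the sample with one byte patched. */
long tcp_payload_len_patched(size_t idx, uint8_t val)
{
    uint8_t buf[sizeof sample_frame];
    memcpy(buf, sample_frame, sizeof buf);
    if (idx < sizeof buf) buf[idx] = val;
    return tcp_payload_len_checked(buf, sizeof buf);
}

int main(void)
{
    printf("unchecked, Total Length 10, IHL 5: %u bytes of 'payload'\n",
           ip_payload_len_unchecked(10, 5));
    printf("intact:           %ld\n", tcp_payload_len_checked(sample_frame, sizeof sample_frame));
    printf("Total Length 10:  %ld\n", tcp_payload_len_patched(3, 10));    /* smaller than header */
    printf("Total Length 255: %ld\n", tcp_payload_len_patched(3, 255));   /* larger than frame */
    printf("IHL 15:           %ld\n", tcp_payload_len_patched(0, 0x4F));  /* 60 > 44 */
    printf("TCP doff 15:      %ld\n", tcp_payload_len_patched(32, 0xF0)); /* 60 > 24 */
    return 0;
}
```

The order of the checks matters: header-length versus Total Length first, Total Length versus the received frame second, and only then the subtraction, so every later length is bounded by memory that actually exists.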
CVE-2020-35685: TCP initial sequence numbers (ISNs) are generated in a predictable way, which can enable TCP spoofing. TCP module; CVSS 7.5.
CVE-2021-27565: panic is called when an unknown HTTP request is received, which can lead to DoS. HTTP module; CVSS 7.5.
CVE-2021-36762: the TFTP packet handler does not ensure that the file name is NUL-terminated, so a later call to strlen() can read beyond the protocol packet buffer and lead to DoS. TFTP module; CVSS 7.5.
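The TFTP defect is a textbook case of calling strlen() on attacker-controlled bytes. The following added example, written for this page and not taken from NicheStack, parses a TFTP read/write request with every string located by a length-bounded memchr() instead; the request packets are constructed, and the unsafe strlen() variant is kept only for contrast.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NicheStack code: a TFTP RRQ/WRQ parser that never relies
 * on a NUL byte being present in the packet. */
#define TFTP_RRQ 1
#define TFTP_WRQ 2

typedef struct {
    uint16_t opcode;
    const char *filename;  /* points into the packet, NOT NUL-safe to print directly */
    size_t filename_len;
    const char *mode;      /* points into the packet */
} tftp_request;

/* Vulnerable pattern (the defect the text describes): strlen() assumes a
 * terminator that an attacker simply omits, so the scan runs past the end of
 * the packet buffer. Only safe on buffers known to contain a NUL. */
size_t tftp_filename_len_unsafe(const uint8_t *pkt)
{
    return strlen((const char *)pkt + 2);
}

/* Fixed: every string is located with memchr() bounded by the bytes that
 * actually arrived. Returns 0 on success, -1 on a malformed request. */
int tftp_parse_request(const uint8_t *pkt, size_t len, tftp_request *out)
{
    if (len < 2) return -1;
    uint16_t op = (uint16_t)(((uint16_t)pkt[0] << 8) | pkt[1]);
    if (op != TFTP_RRQ && op != TFTP_WRQ) return -1;

    const uint8_t *p = pkt + 2, *end = pkt + len;
    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    if (!nul || nul == p) return -1;          /* no terminator, or empty filename */
    out->opcode = op;
    out->filename = (const char *)p;
    out->filename_len = (size_t)(nul - p);

    p = nul + 1;
    nul = memchr(p, 0, (size_t)(end - p));
    if (!nul) return -1;                      /* mode not terminated */
    out->mode = (const char *)p;
    /* Mode is case-insensitive per RFC 1350; obsolete "mail" is rejected. */
    size_t mlen = (size_t)(nul - p);
    char mode[9] = {0};
    if (mlen >= sizeof mode) return -1;
    for (size_t i = 0; i < mlen; i++) mode[i] = (char)tolower((unsigned char)p[i]);
    if (strcmp(mode, "octet") != 0 && strcmp(mode, "netascii") != 0) return -1;
    return 0;
}

/* Convenience: filename length of a request, or -1 if malformed. */
long tftp_filename_len(const uint8_t *pkt, size_t len)
{
    tftp_request r;
    return tftp_parse_request(pkt, len, &r) == 0 ? (long)r.filename_len : -1;
}

/* Constructed samples. */
static const uint8_t good_rrq[]     = { 0, 1, 'f','i','l','e','.','t','x','t', 0, 'O','C','T','E','T', 0 };
static const uint8_t no_nul_rrq[]   = { 0, 1, 'f','i','l','e','.','t','x','t' };   /* filename unterminated */
static const uint8_t no_mode_rrq[]  = { 0, 1, 'a', 0, 'o','c','t','e' };            /* mode unterminated */
static const uint8_t bad_mode_rrq[] = { 0, 1, 'a', 0, 'm','a','i','l', 0 };

int main(void)
{
    printf("good (strlen, NUL present): %zu\n", tftp_filename_len_unsafe(good_rrq));
    printf("good:      %ld\n", tftp_filename_len(good_rrq, sizeof good_rrq));
    printf("no NUL:    %ld\n", tftp_filename_len(no_nul_rrq, sizeof no_nul_rrq));
    printf("no mode:   %ld\n", tftp_filename_len(no_mode_rrq, sizeof no_mode_rrq));
    printf("bad mode:  %ld\n", tftp_filename_len(bad_mode_rrq, sizeof bad_mode_rrq));
    return 0;
}
```

Because `filename` still points into the packet and is not copied, a caller must use `filename_len` (for example `%.*s` in printf) rather than treat it as a C string; copying it into a NUL-terminated buffer of bounded size is the other common fix.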
CVE-2020-25926: the DNS client does not use sufficiently random transaction IDs, which can lead to DNS cache poisoning. DNSv4 module; CVSS 4.0.
CVE-2021-31228: an attacker can predict the source port of a DNS query and send a forged DNS response that the DNS client accepts as a valid answer, which can lead to DNS cache poisoning. DNSv4 module; CVSS 4.0.
Industrial control vendors affected by the "INFRA:HALT" vulnerabilities
Internet-wide scanning of industrial control devices shows that the countries with the most devices exposed to the "INFRA:HALT" vulnerabilities are the United States, Canada, Spain and Sweden.
Siemens affected products:
Honeywell affected products: Honeywell has not yet published a security advisory for this series of vulnerabilities.
Schneider Electric affected products: Schneider Electric has not yet provided patches, so it recommends reducing the risk of exploitation through measures such as firewalls.
Mitsubishi Electric affected products: Mitsubishi Electric has not yet published a security advisory for this series of vulnerabilities.
Exploiting the INFRA:HALT vulnerabilities
The technical report published by the security researchers describes the "INFRA:HALT" vulnerabilities in some detail, but no exploit procedures or proof-of-concept (PoC) code for them have been published.
The analysis shows that products built on the InterNiche stack expose the "INFRA:HALT" vulnerabilities mainly through their HTTP, FTP, Telnet and SSH services. A Shodan query found more than 6,400 devices running NicheStack, of which 6,360 run an HTTP server and most also run FTP, SSH, Telnet and other services. Such devices could be attacked through CVE-2021-31226 (reachable directly on an exposed HTTP server) and CVE-2020-25928 (which requires the attacker to deliver a malicious DNS response to the device, for example from a network position that lets them answer or spoof its DNS queries), resulting in remote control of the device.
The researchers have also released open-source detection scripts that can determine whether a device runs the InterNiche stack and which version.
HCC Embedded has prepared patches, but firmware updates take time to reach deployed devices, and attackers may begin exploiting the "INFRA:HALT" vulnerabilities in the meantime. Affected organizations should therefore inventory and monitor the relevant devices as soon as possible, disable general-purpose network services such as HTTP, FTP, Telnet and SSH on them where they are not needed, or filter the corresponding ports with firewalls or other network security products. Since the DNSv4 vulnerabilities are triggered by responses the device receives, devices should also be restricted to resolving names through trusted internal resolvers.
Top Image safeguards industrial security
Top Image is a business security company built around large-scale real-time risk computation technology, aiming to help customers build an independent, controllable risk security system and achieve sustainable business growth. As a key technical support unit of CNNVD (the National Information Security Vulnerability Database) and CICSVD (the National Industrial Information Security Vulnerability Database), Top Image served as a sponsor and judge of the "2020 National Industrial Internet Security Technology Skills Competition" organized by the Ministry of Industry and Information Technology, the Ministry of Human Resources and Social Security, the Central Committee of the Communist Youth League and other departments, and received the "Outstanding Contribution Award" from the organizers.
Building on years of security technology research and practical experience in business security attack and defense, Top Image has launched an intelligent industrial security protection system with capabilities for vulnerability discovery, unknown threat detection, risk prediction and awareness, threat deception and honeypots, and active defense, providing a security system covering the whole life cycle for petroleum and petrochemicals, energy and electric power, rail transit, intelligent manufacturing and other industrial sectors.
Using symbolic execution and taint tracking combined with Top Image's own artificial intelligence technology, the system performs vulnerability discovery in binaries for x86, x86_64, ARM, MIPS and other mainstream architectures and can quickly locate security vulnerabilities including buffer overflows and other memory-safety bugs. Its self-developed non-invasive, non-destructive intelligent scanning system, integrating tens of thousands of scanning plug-ins, comprehensively detects and evaluates the integrity, vulnerabilities and security of equipment, improving the safety, reliability and stability of the equipment.