search menu icon-carat-right cmu-wordmark

CERT Coordination Center

NicheStack embedded TCP/IP has vulnerabilities

Vulnerability Note VU#608209

Original Release Date: 2021-08-10 | Last Revised: 2021-08-10

Overview

HCC Embedded's software called InterNiche stack (NicheStack) and NicheLite, which provides TCP/IP networking capability to embedded systems, is impacted by multiple vulnerabilities. The Forescout and JFrog researchers who discovered this set of vulnerabilities have identified these as "INFRA:HALT"

Description

HCC Embedded acquired NicheStack from Interniche in order to provide TCP/IP protocol capabilities to lightweight devices such as IoT. NicheStack has been made available since late 1990's to a widely varied customer base in multiple forms to support various implementations. This has made NicheStack to be part of a complex supply chain into major industries including devices in critical infrastructure.

Forescout and JFrog researchers have identified 14 vulnerabilities related to network packet processing errors in NicheStack and NicheLite versions 4.3 released before 2021-05-28. Most of these vulnerabilities stem from improper memory management commonly seen in lightweight operating systems. Of these 14 vulnerabilities, five involve processing of TCP and ICMP (OSI Layer-4 protocols) and the rest involve common application protocols such as HTTP and DNS (OSI Layer-7). The processing of these OSI layers involve a number of boundary checks and some specific "application" processing capabilities (such as randomization) commonly overlooked in development of lightweight networking software.

Various stakeholders, including HCC Embedded, have made attempts to reach impacted vendors to provide software fixes that address these issues. A lack of formalization of software OEM relationships and a lack of Software Bill of Materials (SBOM) has complicated this outreach and the much-needed identification of impacted devices.

Impact

The impact of exploiting these vulnerabilities will vary widely, depending on the implementation options used while developing embedded systems that use NicheStack or NicheLite. As these vulnerabilities involve processing of network packets, attackers can generally abuse these errors via remote network access. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or in some cases be able to execute arbitrary code on the target device.

Solution

Apply updates

The most reliable way to address these vulnerabilities is to update to the latest stable version of NicheStack software mentioned in HCC Embedded mentioned in their Security Advisories. If you are unsure or have discovered NicheStack using open-source tools provided by Forescout, reach out to HCC Embedded via their PSIRT security team or to your upstream vendor in your supply chain to obtain the software fixes. HCC has also provided a register to be notified web page for sustaining this outreach for their long-standing customers.

Block anomalous IP traffic

CERT/CC recognizes that many implementations of NicheStack involve longer lifecycles for patching. In the meantime, if feasible, organizations can consider isolating impacted devices and blocking network attacks using network inspection, as detailed below, when network isolation is not feasible. It is recommended that security features available to you in devices such as router, firewalls for blocking anomalous network packets are enabled and properly configured. Below is a list of possible mitigations that address some specific network attacks that attempt to exploit these vulnerabilities.

  • Provide DNS recursion services to the embedded devices using recursive DNS servers that are securely configured, and well-maintained with patches and updates.
  • Provide HTTP access to embedded devices that are in an isolated network via securely configured HTTP reverse proxy or using HTTP deep packet inspection firewalls.
  • Filter ICMP and TFTP access to embedded devices from the wider Internet and use stateful inspection of these protocols when accessible to wider Internet to avoid abuse.
  • Enforce TCP stateful inspection for embedded device and reject malformed TCP packets using router, firewall features as available to the operational environment.

When blocking or isolating is not an option, perform passive inspection using IDS that can alert on anomalous attempts to exploit these vulnerabilities. See also our recommendations and IDS rules that were made available for Treck TCP/IP stack related vulnerabilities VU#257161 for examples.

Acknowledgements

Thanks to Amine Amri, Stanislav Dashevskyi, and Daniel dos Santos from Forescout, and Asaf Karas and Shachar Menashe from JFrog who reported these vulnerabilities and supported coordinated disclosure. HCC Embedded, the primary OEM vendor, also supported our efforts to coordinate and develop security fixes to address these issues.

This document was written by Vijay Sarvepalli.

Vendor Information

608209
 

HCC Affected

Notified:  2020-11-12 Updated: 2021-08-10

Statement Date:   July 20, 2021

CVE-2020-25767 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19
CVE-2020-25926 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-03-02
CVE-2020-25927 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19
CVE-2020-25928 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19
CVE-2020-35683 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_ipv4 module version 1.5. A fix for this will be available from HCC on 2021-03-02
CVE-2020-35684 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16
CVE-2020-35685 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16
CVE-2021-27565 Affected
Vendor Statement:
The infinite loop entered in case this occurs is really for the user to implement when integrating the software. But whatever their implementation this code should not be structured like this. This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7.
CVE-2021-31226 Affected
Vendor Statement:
This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7.
CVE-2021-31227 Affected
Vendor Statement:
This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7.
CVE-2021-31228 Affected
Vendor Statement:
This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7.
CVE-2021-31400 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-02-26
CVE-2021-31401 Affected
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16
CVE-2021-36762 Unknown
Vendor Statement:
This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is fixed in in_tftp module version 1.2

Phoenix Contact Affected

Notified:  2020-11-17 Updated: 2021-08-10

Statement Date:   August 10, 2021

CVE-2020-25767 Not Affected
CVE-2020-25926 Not Affected
CVE-2020-25927 Not Affected
CVE-2020-25928 Not Affected
CVE-2020-35683 Unknown
CVE-2020-35684 Affected
CVE-2020-35685 Affected
CVE-2021-27565 Not Affected
CVE-2021-31226 Not Affected
CVE-2021-31227 Affected
CVE-2021-31228 Not Affected
CVE-2021-31400 Affected
CVE-2021-31401 Affected
CVE-2021-36762 Not Affected

Vendor Statement

We have not received a statement from the vendor.

References

Rockwell Automation Affected

Notified:  2020-11-12 Updated: 2021-08-10

Statement Date:   July 23, 2021

CVE-2020-25767 Affected
CVE-2020-25926 Affected
CVE-2020-25927 Affected
CVE-2020-25928 Affected
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Affected
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Siemens Affected

Notified:  2020-11-12 Updated: 2021-08-10

Statement Date:   August 04, 2021

CVE-2020-25767 Not Affected
CVE-2020-25926 Not Affected
CVE-2020-25927 Not Affected
CVE-2020-25928 Not Affected
CVE-2020-35683 Affected
CVE-2020-35684 Affected
CVE-2020-35685 Affected
CVE-2021-27565 Not Affected
CVE-2021-31226 Not Affected
CVE-2021-31227 Not Affected
CVE-2021-31228 Not Affected
CVE-2021-31400 Not Affected
CVE-2021-31401 Affected
CVE-2021-36762 Not Affected

Vendor Statement

Siemens is aware of the security vulnerabilities in the InterNiche TCP/IP stack, also named “INFRA:HALT” and disclosed on 2021-08-04. The impact to Siemens products is described in the Security Advisory SSA-789208, published on 2021-08-04 on the Siemens ProductCERT page (https://www.siemens.com/cert/advisories).

References

AVM GmbH Not Affected

Notified:  2021-02-04 Updated: 2021-08-10

Statement Date:   June 08, 2021

CVE-2020-25767 Not Affected
CVE-2020-25926 Not Affected
CVE-2020-25927 Not Affected
CVE-2020-25928 Not Affected
CVE-2020-35683 Unknown
CVE-2020-35684 Not Affected
CVE-2020-35685 Not Affected
CVE-2021-27565 Unknown
CVE-2021-31226 Not Affected
CVE-2021-31227 Not Affected
CVE-2021-31228 Not Affected
CVE-2021-31400 Not Affected
CVE-2021-31401 Not Affected
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Fujitsu Not Affected

Notified:  2021-06-01 Updated: 2021-08-10

Statement Date:   August 04, 2021

CVE-2020-25767 Not Affected
CVE-2020-25926 Not Affected
CVE-2020-25927 Not Affected
CVE-2020-25928 Not Affected
CVE-2020-35683 Not Affected
CVE-2020-35684 Not Affected
CVE-2020-35685 Not Affected
CVE-2021-27565 Not Affected
CVE-2021-31226 Not Affected
CVE-2021-31227 Not Affected
CVE-2021-31228 Not Affected
CVE-2021-31400 Not Affected
CVE-2021-31401 Not Affected
CVE-2021-36762 Not Affected

Vendor Statement

Fujitsu is aware of the security vulnerabilities in HCC Embedded / InterNiche NicheStack, also known as "INFRA:HALT".

Fujitsu commenced an analysis, together with Fujitsu company PFU (EMEA) LIMITED. Despite initial findings by FORESCOUT, the NicheStack TCP/IP stack is not employed in PFU (EMEA) LIMITED or Fujitsu products.

Therefore, there are no currently known affected Fujitsu products. Researchers from FORESCOUT were asked to remove a false-positive detection of certain Fujitsu company PFU (EMEA) LIMITED products. However, products by 3rd parties, based on PFU (EMEA) LIMITED products, may contain modifications and employ the HCC Embedded / InterNiche NicheStack.

The Fujitsu PSIRT provides a status for Fujitsu PSS-IS-2021-051916 on https://security.ts.fujitsu.com (Security Notices) accordingly. Due to the non-affection, the issue is therefore considered resolved.

In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Fujitsu-PSIRT@ts.fujitsu.com).

Intel Not Affected

Notified:  2020-11-12 Updated: 2021-08-10

Statement Date:   July 21, 2021

CVE-2020-25767 Not Affected
CVE-2020-25926 Not Affected
CVE-2020-25927 Not Affected
CVE-2020-25928 Not Affected
CVE-2020-35683 Not Affected
CVE-2020-35684 Not Affected
CVE-2020-35685 Not Affected
CVE-2021-27565 Not Affected
CVE-2021-31226 Not Affected
CVE-2021-31227 Not Affected
CVE-2021-31228 Not Affected
CVE-2021-31400 Not Affected
CVE-2021-31401 Not Affected
CVE-2021-36762 Not Affected

Vendor Statement

We do not use nor ship with any of the NicheStack DNS capabilities.

ABB Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ericsson Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Green Hills Software Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Honeywell Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Mitsubishi Electric Corporation Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Motorola Inc. Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Philips Electronics Unknown

Notified:  2020-11-17 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Polycom Inc. Unknown

Notified:  2020-11-12 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

Schneider Electric Unknown

Notified:  2020-12-08 Updated: 2021-08-10

CVE-2020-25767 Unknown
CVE-2020-25926 Unknown
CVE-2020-25927 Unknown
CVE-2020-25928 Unknown
CVE-2020-35683 Unknown
CVE-2020-35684 Unknown
CVE-2020-35685 Unknown
CVE-2021-27565 Unknown
CVE-2021-31226 Unknown
CVE-2021-31227 Unknown
CVE-2021-31228 Unknown
CVE-2021-31400 Unknown
CVE-2021-31401 Unknown
CVE-2021-36762 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 20 vendors View less vendors


Other Information

Sponsored by CISA.