{"vuid":"VU#608209","idnumber":"608209","name":"NicheStack embedded TCP/IP has vulnerabilities","keywords":null,"overview":"### Overview\r\nHCC Embedded's InterNiche stack (NicheStack) and NicheLite software, which provide TCP/IP networking capability to embedded systems, are affected by multiple vulnerabilities. The Forescout and JFrog researchers who discovered this set of vulnerabilities have named it \"INFRA:HALT\".\r\n\r\n### Description\r\nHCC Embedded acquired NicheStack from InterNiche in order to provide TCP/IP protocol capabilities to lightweight devices such as IoT devices. NicheStack has been available since the late 1990s to a widely varied customer base in multiple forms to support various implementations. As a result, NicheStack is part of a complex supply chain reaching into major industries, including devices in [critical infrastructure](https://us-cert.cisa.gov/ics/advisories/icsa-21-217-01).\r\n\r\nForescout and JFrog researchers have identified [14 vulnerabilities](https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack/) related to network packet processing errors in NicheStack and NicheLite versions 4.3 released before 2021-05-28. Most of these vulnerabilities stem from improper [memory management](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152142) commonly seen in lightweight operating systems. Of these 14 vulnerabilities, five involve processing of TCP and ICMP ([OSI](https://en.wikipedia.org/wiki/OSI_model) Layer-4 protocols) and the rest involve common application protocols such as HTTP and DNS (OSI Layer-7). The processing of these OSI layers involves a number of boundary checks and some specific \"application\" processing capabilities (such as randomization) that are commonly overlooked in the development of lightweight networking software.\r\n\r\nVarious stakeholders, including HCC Embedded, have made attempts to reach impacted vendors to provide software fixes that address these issues. A lack of formalized software OEM relationships and a lack of a Software Bill of Materials (SBOM) have complicated this outreach and the much-needed identification of impacted devices.\r\n\r\n### Impact\r\nThe impact of exploiting these vulnerabilities will vary widely, depending on the implementation options used while developing embedded systems that use NicheStack or NicheLite. As these vulnerabilities involve processing of network packets, attackers can generally abuse these errors via remote network access. In summary, a remote, unauthenticated attacker may be able to use specially crafted network packets to cause a denial of service, disclose information, or in some cases execute arbitrary code on the target device.\r\n\r\n### Solution\r\n#### Apply updates\r\nThe most reliable way to address these vulnerabilities is to update to the latest stable version of the NicheStack software, as listed in HCC Embedded's [Security Advisories](https://www.hcc-embedded.com/support/security-advisories). If you are unsure whether you are affected, or have discovered NicheStack using the [open-source tools](https://github.com/Forescout/project-memoria-detector) provided by Forescout, contact HCC Embedded's [PSIRT](https://www.hcc-embedded.com/support/security-advisories/product-security-policy) security team or your upstream vendor in your supply chain to obtain the software fixes. HCC has also provided a [register to be notified](https://www.hcc-embedded.com/support/security-advisories/security-advisories-notification) web page to sustain this outreach to their long-standing customers.\r\n\r\n#### Block anomalous IP traffic\r\nCERT/CC recognizes that many implementations of NicheStack involve longer patching lifecycles. In the meantime, organizations should consider isolating impacted devices where feasible and, where network isolation is not feasible, blocking network attacks using network inspection as detailed below. It is recommended that the security features available in devices such as routers and firewalls for blocking anomalous network packets are enabled and properly configured. Below is a list of possible mitigations that address some specific network attacks that attempt to exploit these vulnerabilities.\r\n\r\n* Provide DNS recursion services to the embedded devices using recursive DNS servers that are securely configured and well maintained with patches and updates.\r\n* Provide HTTP access to embedded devices in an isolated network via a securely configured HTTP reverse proxy or HTTP deep packet inspection firewalls.\r\n* Filter ICMP and TFTP access to embedded devices from the wider Internet, and use stateful inspection of these protocols when they must be accessible from the wider Internet, to avoid abuse.\r\n* Enforce TCP stateful inspection for embedded devices and reject malformed TCP packets using router and firewall features as available in the operational environment.\r\n\r\nWhen blocking or isolating is not an option, perform passive inspection using an IDS that can alert on anomalous attempts to exploit these vulnerabilities. See also our recommendations and IDS rules made available for the Treck TCP/IP stack vulnerabilities [VU#257161](https://kb.cert.org/vuls/id/257161) for [examples](https://github.com/CERTCC/PoC-Exploits/tree/master/vu-257161).\r\n\r\n### Acknowledgements\r\nThanks to Amine Amri, Stanislav Dashevskyi, and Daniel dos Santos from Forescout, and Asaf Karas and Shachar Menashe from JFrog, who reported these vulnerabilities and supported coordinated disclosure. HCC Embedded, the primary OEM vendor, also supported our efforts to coordinate and develop security fixes to address these issues.\r\n\r\nThis document was written by Vijay Sarvepalli.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.hcc-embedded.com/support/security-advisories","https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack/","https://jfrog.com/blog/infrahalt-14-new-security-vulnerabilities-found-in-nichestack/","https://us-cert.cisa.gov/ics/advisories/icsa-21-217-01","https://cert.vde.com/de-de/advisories/vde-2021-032"],"cveids":["CVE-2021-36762","CVE-2021-27565","CVE-2020-25927","CVE-2021-31227","CVE-2021-31228","CVE-2021-31226","CVE-2020-25928","CVE-2020-25926","CVE-2020-25767","CVE-2021-31400","CVE-2021-31401","CVE-2020-35685","CVE-2020-35684","CVE-2020-35683"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2021-08-10T16:50:54.906041Z","publicdate":"2021-08-10T00:00:00Z","datefirstpublished":"2021-08-10T16:50:54.932768Z","dateupdated":"2022-09-23T20:27:41.149863Z","revision":2,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":53}