Date: 04 August 2021
On 4 August 2021 two security research labs published a report publicly disclosing a set of vulnerabilities known collectively as “INFRA:HALT” in the NicheStack TCP/IP stack implementation. Among the 14 zero-day vulnerabilities are two, CVE-2020-25928 and CVE-2021-31226, which are rated as critical. The following products are affected:
- InterNiche – multiple packages and versions
- NicheLite – multiple packages and versions
NicheStack TCP/IP stack is a low-level technology embedded in numerous devices utilized in operational technology and critical infrastructure, with a high concentration in manufacturing.
Exploitation of these critical vulnerabilities could result in remote code execution. Exploitation of the other disclosed vulnerabilities could result in denial of service, information leaks, TCP spoofing, or DNS cache poisoning.
The Cyber Centre encourages users and administrators to review the provided web links, perform the suggested mitigations and apply the necessary updates.
Additional vendors affected by the reported vulnerabilities may also release security advisories related to their impacted products.
HCC Embedded Security Advisories (NicheStack)
JFRrog INFRA:HALT 14 New Security Vulnerabilities Found in NicheStack
Note to Readers
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada’s national authority on cyber security and we lead the government’s response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.