Manufacturing at risk after critical flaws found in industrial control devices
Posted by: GuidePoint Security
Published 08/11/2021, 9:00am
Last week cybersecurity researchers announced the discovery of 14 vulnerabilities found in the transmission control protocol/internet protocol (TCP/IP) stack used in millions of industrial control devices.
The devices are manufactured by at least 200 different vendors and deployed in power plants, factories, water treatment facilities, manufacturing plants, and critical infrastructure sectors.
The bugs, dubbed INFRA:HALT, affect the InterNiche and NicheLite TCP/IP stack and could enable a threat actor to achieve remote code execution, information leaks, TCP spoofing, DNS cache poisoning, and denial-of-service attacks.
Two of the bugs (CVE-2020-25928 and CVE-2021-31226) are rated as critical severity. Ten are rated as high severity, and the remaining two are rated as medium severity. The bugs are listed as:
- CVE-2020-25928 (critical)
- CVE-2021-31226 (critical)
- CVE-2020-25927 (high)
- CVE-2020-25767 (high)
- CVE-2021-31227 (high)
- CVE-2021-31400 (high)
- CVE-2021-31401 (high)
- CVE-2020-35683 (high)
- CVE-2020-35684 (high)
- CVE-2020-35685 (high)
- CVE-2021-27565 (high)
- CVE-2021-36762 (high)
- CVE-2020-25926 (medium)
- CVE-2021-31228 (medium)
Next Steps
On August 5, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on these vulnerabilities. The owner of the TCP/IP stack was informed of the vulnerabilities in September 2020 and patched them in May 2021 with its version 4.3 release. Users of this TCP/IP stack are urged to upgrade their systems.
CISA reminds organizations to perform appropriate impact analysis and risk assessment prior to taking any defensive measures. It also recommends the following key steps to mitigate issues with this TCP/IP stack:
- Minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the Internet
- Locate control system networks and remote devices behind firewalls and isolate them from the business network
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as its connected devices