Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

INFRA:HALT Security Bugs Impact Critical Industrial Control Devices

INFRA:HALT Security Bugs Impact Critical Industrial Control Devices

High-severity and critical vulnerabilities collectively referred to as INFRA:HALT are affecting all versions of NicheStack below 4.3, a proprietary TCP/IP stack used by at least 200 industrial automation vendors, many in the leading segment of the market.

The stack is commonly found on real-time operating systems (RTOS) powering operational technology (OT) and industrial control system (ICS) devices to provide internet and network functionality.

Remote code execution risk

INFRA:HALT is a set of 14 vulnerabilities jointly discovered by Forescout Research Labs and JFrog Security Research. It is part of Forescout’s Project Memoria Research (Amnesia:33NUMBER:JACKNAME:WRECK) that focuses on the security of TCP/IP stacks.

The bugs range from remote code execution, denial of service (DoS), and information leak to TCP spoofing and DNS cache poisoning.

Most are high-severity security issues, but two of them – CVE-2020-25928 and CVE-2020-31226 – are deemed critical. Forescout researchers assessed their severity score at 9.8 and 9.1, respectively.

They impact the DNS client and the HTTP server components of the stack, allowing a remote attacker to execute code on the vulnerable device to take full control over it.

To trigger CVE-2020-25928, an attacker would need to send a crafted DNS packet as a response to a DNS query from the vulnerable device, Forescout and JFrog researchers explain in a joint technical report published earlier today.

exploiting CVE-2020-25928 for remote code execution

Stanislav Dashevskyi, one of the Forescout researchers that investigated the INFRA:HALT collection of vulnerabilities, demonstrated CVE-2020-25928 in a video by attacking the programmable logical controller (PLC) managing an industrial fan.

Not long after initiating the attack, the PLC could no longer activate the fan and needed a restart to regain control over the fan.

The attack requires only four steps to crash the PLC:

  1. Device 1, vulnerable to INFRA:HALT, sends a DNS request to the DNS server as part of its normal operations
  2. The attacker sends a forged DNS response containing malicious shellcode to Device 1
  3. When Device 1 attempts to parse the DNS response, its logic is hijacked and the attacker gets remote control over it. The device is instructed to establish a TCP connection with Device 2, the internal PLC connected to the HVAC, and to send a malicious FTP packet that exploits a 0-day in this PLC
  4. The PLC crashes, forcing the fan control to stop working

Also Read: 4 Reasons Why You Need an Actively Scanning Antivirus Software

Of the 14 INFRA:HALT vulnerabilities, ten have been rated with a high-severity score, two are low severity and two are critical:

List of INFRA:HALT vulnerabilities

Plenty of vulnerable devices

NicheStack, also known as InterNiches, is maintained by HCC Embedded. The library is present in devices from around 200 vendors. An old website version from the company lists big names among its customers: Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation, Schneider Electric, and Siemens.

A search on Shodan on March 8 revealed that more than 6,400 devices running a vulnerable version of the stack. The number is likely lower today.

Looking at data collected from its appliances monitoring more than 13 million customer devices, Forescout found 2,500 systems from 21 vendors to be vulnerable to INFRA:HALT.

Almost half (46%) of these devices were deployed in industrial control systems in the Energy and Power sector. A quarter of them were in the VoIP industry and 18% were in the networking sector.

Breakdown per industry of devices vulnerable to INFRA:HALT

Also Read: 5 Types of Ransomware, Distinguished

Mitigation options

HCC Embedded has addressed all INFRA:HALT vulnerabilities with patches that are available on request. Updating to version 4.3 of NicheStack is currently the only solution for complete protection against this set of security issues.

For the many cases where patching is not possible right away, Forescout and JFrog have prepared a script that detects devices running NicheStack and a set of mitigations that could prevent compromise:

  • Confine and segment vulnerable devices from the rest of the network until they can be patched

CVE-2020-25928, CVE-2020-25767, CVE-2020-25927, CVE-2021-31228, CVE-2020-25926 [DNSv4 client]:

  • Disable the DNSv4 client if not needed, or block DNSv4 traffic. Because there are several vulnerabilities that facilitate DNS spoofing attacks, using internal DNS servers may be not sufficient (attackers may be able to hijack the request-response matching)

CVE-2021-31226, CVE-2021-31227 [HTTP server]:

  • Disable the HTTP server if not needed, or whitelist HTTP connections

CVE-2021-31400, CVE-2021-31401, CVE-2020-35684 [TCP]

  • Monitor traffic for malformed IPv4/TCP packets and block them (having a vulnerable device behind a properly configured firewall should be sufficient

CVE-2020-35685 [TCP]

  • Use the recommendations we outlined in Forescout’s NUMBER:JACK report, whenever it is feasible

CVE-2020-35683 [ICMPv4]

  • Monitor traffic for malformed ICPMv4 packets and block them



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us