A New Set of ‘INFRA:HALT’ Vulnerabilities Is Coming for Your OT Devices

Last updated August 6, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Researchers at JFrog and Forescout, the team that discovered ‘Name:Wreck’, have now jointly uncovered a new set of flaws that affect roughly 6,400 currently-online OT and industrial devices from 200 vendors. The set contains 14 critical vulnerabilities with varying implications, all affecting the closed-source TCP/IP stack ‘NicheStack’. Unfortunately, this technical solution (which has been around for about 20 years) appears to be commonly deployed in industrial automation systems, so the impact is pretty wide.

Without further ado, the flaws are given below ranked by their criticality:

  1. CVE-2020-25928: RCE on DNSv4, CVSSv3.1 score – 9.8
  2. CVE-2021-31226: RCE on HTTP, CVSSv3.1 score – 9.1
  3. CVE-2020-25927: DoS on DNSv4, CVSSv3.1 score – 8.2
  4. CVE-2020-25767: DoS infoleak on DNSv4, CVSSv3.1 score – 7.5
  5. CVE-2021-31227: DoS on HTTP, CVSSv3.1 score – 7.5
  6. CVE-2021-31400: DoS on TCP, CVSSv3.1 score – 7.5
  7. CVE-2021-31401: App-dependent, TCP, CVSSv3.1 score – 7.5
  8. CVE-2020-35683: DoS on ICMP, CVSSv3.1 score – 7.5
  9. CVE-2020-35684: DoS on TCP, CVSSv3.1 score – 7.5
  10. CVE-2020-35685: TCP spoofing on TCP, CVSSv3.1 score – 7.5
  11. CVE-2021-27565: DoS on HTTP, CVSSv3.1 score – 7.5
  12. CVE-2021-36762: DoS on TFTP, CVSSv3.1 score – 7.5
  13. CVE-2020-25926: DNS cache poisoning on DNSv, CVSSv3.1 score – 4
  14. CVE-2021-31228: DNS cache poisoning on DNSv4, CVSSv3.1 score – 4

A search on Shodan has returned about 6,400 results, mostly from Canada and the United States, while Spain, Sweden, and Italy also appear to deploy a respectable number of vulnerable devices. As for the seconds where these are used, half of them are found in the otherwise crucial energy and power industry, one-fourth is in VoIP, and one-fifth in networking.

Source: Forescout

Addressing the set of the ‘INFRA:HALT’ flaws would be a matter of applying fixing patches on these devices, but patching OT products isn’t a simple process. Additionally, not every one of the 200 affected vendors has released fixing updates for their products. This leaves many users with the only option being mitigation.

Forescout is proposing the following steps to be taken for a complete mitigation strategy:



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: