Bug 1190311 - VUL-0: NicheStack: INFRA:HALT attacks
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
Reported: 2021-09-08 15:02 UTC by Marcus Meissner
Modified: 2021-09-08 15:06 UTC (History)
Description Marcus Meissner 2021-09-08 15:02:45 UTC
https://jfrog.com/blog/infrahalt-14-new-security-vulnerabilities-found-in-nichestack/

NicheStack Distribution

NicheStack is commonly used in OT devices around the world. For example, it is used in Siemens S7 PLCs, which have the largest PLC market share. In addition, according to our research, we found usage among ~200 device vendors, including most of the top industrial automation companies, as well as 6,400 instances of devices running NicheStack according to Shodan search results.
14 New NicheStack Security Vulnerabilities

We analyzed two versions of NicheStack: a binary sample of version 4.0.1 (publicly available via the legacy InterNiche website) and the source code of version 3 (publicly available via a website exposing the source files for an embedded project). The binary version was manually and automatically analyzed by JFrog, leveraging both static and dynamic proprietary techniques.

The table below details all 14 newly discovered vulnerabilities that we found. All NicheStack versions before the latest version 4.3, including NicheLite, are affected.

CVE-2020-25928
CVE-2020-25767
CVE-2020-25927
CVE-2021-31228
CVE-2020-25926
CVE-2021-31226
CVE-2021-31227
CVE-2021-31400
CVE-2021-31401
CVE-2020-35684
CVE-2020-35685
CVE-2020-35683
Comment 1 Marcus Meissner 2021-09-08 15:06:15 UTC
SUSE is not shipping NicheStack in its products.