OTPulse

HCC Embedded InterNiche TCP/IP stack, NicheLite (Update B)

Act Now | CVSS 9.8 | ICS-CERT ICSA-21-217-01 | Aug 5, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

HCC Embedded InterNiche TCP/IP stack and NicheLite contain multiple critical vulnerabilities in all versions before 4.3, including buffer overflows, DNS cache poisoning, weak random number generation, and improper input validation. These flaws could lead to unauthorized access, arbitrary information disclosure, remote code execution, or denial of service. All versions below 4.3 are affected; no patch has been released by HCC for these products.

What this means
What could happen
An attacker could remotely execute code on devices running the InterNiche stack or NicheLite, potentially gaining full control of the device and any attached industrial processes. This could enable unauthorized commands to PLCs, remote I/O units, or other control systems, resulting in altered process parameters, equipment shutdown, or safety system bypass.
Who's at risk
Devices and systems using HCC's InterNiche TCP/IP stack or NicheLite embedded network stack are affected. This includes Siemens industrial devices and Mitsubishi Electric MELSEC Series Remote I/O units that embed this stack. Any control system, PLC, remote I/O module, or networked industrial device using these network stacks before version 4.3 is at risk.
How it could be exploited
An attacker with network access to a device using InterNiche or NicheLite can send specially crafted network packets (UDP/DNS queries, TCP requests, or malformed data) to trigger buffer overflows or other memory corruption flaws. Once exploited, the attacker gains arbitrary code execution capabilities on the device without needing valid credentials or special configuration.
Prerequisites
  • Network access to the device on its management or data port (typically UDP 53 for DNS, TCP ports 23/80/502 depending on application)
  • No authentication or credentials required to trigger the vulnerability
  • Device must be running InterNiche stack or NicheLite version earlier than 4.3
Risk factors
  • Remotely exploitable without authentication
  • Network-accessible (no credentials needed)
  • Low complexity attack
  • Critical severity (CVSS 9.8)
  • Multiple code execution pathways (buffer overflow, DNS poisoning, weak randomness)
  • No patch available from HCC
  • Affects industrial equipment from major vendors (Siemens, Mitsubishi)
Exploitability
Moderate exploit probability (EPSS 6.0%)
Affected products (2)
2 with fix
Product                 Affected Versions   Fix Status
InterNiche stack: All   < 4.3               4.3 or later
NicheLite: All          < 4.3               4.3 or later
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to affected devices to only required management and operational ports using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade InterNiche stack to version 4.3 or later
  • HOTFIX: Upgrade NicheLite to version 4.3 or later
Long-term hardening
  • HARDENING: Isolate control system networks and devices behind firewalls; ensure they are not directly accessible from the Internet or business network
  • HARDENING: If remote access is necessary, use VPN with current security patches rather than exposing devices directly to untrusted networks