At Least 100 Million Devices Affected by “NAME:WRECK” DNS Flaws in TCP/IP Stacks

Popular TCP/IP stacks are affected by a series of Domain Name System (DNS) vulnerabilities that could be exploited to take control of impacted devices, researchers with IoT security firm Forescout reveal.

Collectively called NAME:WRECK, the flaws were identified in the DNS implementations of FreeBSD, Nucleus NET, IPnet, and NetX. Depending on the bug, they can be abused for denial of service (DoS), for remote code execution, or to knock devices offline.

The bugs were identified as part of Project Memoria, a research initiative aimed at improving the overall security of IoT devices and which has already resulted in the finding of more than 40 issues in popular TCP/IP stacks, critical components providing basic network connectivity for a wide range of devices.

The issues previously brought to light under Project Memoria, collectively referred to as AMNESIA:33 (33 bugs in four open source TCP/IP stacks) and NUMBER:JACK (nine flaws in as many stacks), are as severe as the Ripple20 and URGENT/11 bugs that were detailed over the past two years.

NetX, FreeBSD and Siemens’ Nucleus NET are estimated to have a deployment base of roughly 10 billion devices, yet not all of them are affected. However, the researchers point out that, should only 1% of these devices be vulnerable, their number would still be above 100 million.

“The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface. This research is further indication that the community should fix DNS problems that we believe are more widespread than what we currently know,” Forescout points out.

Forescout explains that it chose to collectively call the bugs NAME:WRECK because they show how domain name parsing can break DNS implementations in TCP/IP stacks. Except for four issues in Nucleus NET, the bugs are related to message compression, the RFC 1035 scheme in which a two-byte pointer lets a name refer back to an earlier occurrence of the same name in the message. Parsers that follow such pointers without checking that the target lies inside the message, that it points backwards, or that the reconstructed name fits the destination buffer are exactly what previous research in this series also found to be vulnerable.

The identified security holes are tracked as CVE-2020-7461 (FreeBSD), CVE-2016-20009 (IPnet; the flaw was originally identified in 2016 and the CVE ID was issued with an end-of-life tag, since the affected product is no longer maintained), and CVE-2020-15795, CVE-2020-27009, CVE-2020-27736, CVE-2020-27737, CVE-2020-27738, and CVE-2021-25677 (Nucleus NET). No CVE ID has been issued for the NetX bug.

Attackers, Forescout explains, could chain three of the Nucleus NET vulnerabilities to inject malicious code into a target: CVE-2020-27009 to write data to the device’s memory and inject the code, CVE-2020-15795 to craft meaningful code for injection, and CVE-2021-25677 to bypass DNS query-response matching so that the malicious packet is accepted as the answer to a legitimate query.

The DNS message parsing in Nucleus NET is affected by multiple flaws that could be abused to perform a remote code execution attack, namely CVE-2020-27736, CVE-2020-27738, CVE-2020-15795 and CVE-2020-27009.
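The two ingredients of the chain above, a name decoder that survives hostile compression pointers and a client that actually matches responses to outstanding queries, are shown together in the following added example. It is illustrative code written for this page, not code from Forescout’s report or from any of the affected stacks. It assumes the RFC 1035 wire format and limits (63-octet labels, 255-octet names), a hardening choice of accepting only pointers that jump strictly backwards (stricter than some real implementations, which instead cap the number of hops), and `strcasecmp` from POSIX for the case-insensitive name comparison. All DNS messages in it are constructed by hand, not captured traffic; the `BAD_*` messages each exercise one check that a parser of the kind described in the article lacks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

#define DNS_MAX_NAME 255            /* RFC 1035: name <= 255 octets on the wire */

/* Decode a possibly compressed name at offset `off` of `msg` (length `len`)
 * into `out` as a dotted, NUL-terminated string.  Returns the offset of the
 * first byte after the name as it appears inline at `off`, or -1 if the
 * encoding is malformed.  Each `return -1` is a check an unhardened parser
 * omits: reads past the message, pointer loops, destination overflows. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t outsz)
{
    size_t pos = off, end_off = 0, outlen = 0, wirelen = 1; /* 1 = root label */
    int jumped = 0;

    if (outsz == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= len) return -1;                   /* read past end of message */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                    /* two-byte compression pointer */
            if (pos + 1 >= len) return -1;           /* second pointer byte missing */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) { end_off = pos + 2; jumped = 1; }
            /* RFC 1035 pointers refer to a *prior* occurrence: forcing the target
             * strictly backwards rules out self-loops, cycles and forward jumps. */
            if (target >= pos) return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                     /* 0x40/0x80: reserved label types */
        if (c == 0) {                                /* root label: end of name */
            if (!jumped) end_off = pos + 1;
            if (outlen == 0) { if (outsz < 2) return -1; out[0] = '.'; out[1] = '\0'; }
            return (int)end_off;
        }
        size_t lab = c;                              /* 1..63 after the masks above */
        if (pos + 1 + lab > len) return -1;          /* label body past end of message */
        if ((wirelen += lab + 1) > DNS_MAX_NAME) return -1;          /* name too long */
        if (outlen + (outlen ? 1 : 0) + lab + 1 > outsz) return -1;  /* would overflow out */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, msg + pos + 1, lab);
        outlen += lab;
        out[outlen] = '\0';
        pos += 1 + lab;
    }
}

/* Accept a response only if the QR bit is set and it echoes the query's
 * transaction ID and question (name, type, class).  A client that skips these
 * checks ingests the first packet an attacker sends, with nothing to guess. */
int dns_response_matches_query(const uint8_t *q, size_t qlen,
                               const uint8_t *r, size_t rlen)
{
    char qn[DNS_MAX_NAME + 1], rn[DNS_MAX_NAME + 1];
    if (qlen < 12 || rlen < 12) return 0;
    if (!(r[2] & 0x80)) return 0;                                   /* QR clear: not a response */
    if (q[0] != r[0] || q[1] != r[1]) return 0;                     /* transaction ID differs */
    if (q[4] != 0 || q[5] != 1 || r[4] != 0 || r[5] != 1) return 0; /* exactly one question each */
    int qe = dns_read_name(q, qlen, 12, qn, sizeof qn);
    int re = dns_read_name(r, rlen, 12, rn, sizeof rn);
    if (qe < 0 || re < 0) return 0;
    if ((size_t)qe + 4 > qlen || (size_t)re + 4 > rlen) return 0;  /* QTYPE/QCLASS missing */
    return strcasecmp(qn, rn) == 0 && memcmp(q + qe, r + re, 4) == 0;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_QUERY[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,            /* id 0x1234, RD, QDCOUNT 1 */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,       /* example.com */
    0,1, 0,1 };                                            /* A, IN */
const uint8_t SAMPLE_RESPONSE[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,            /* QR|RD|RA, 1 question, 1 answer */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C,                                             /* answer name: pointer to offset 12 */
    0,1, 0,1, 0,0,0,60, 0,4, 93,184,216,34 };             /* A IN TTL 60, 93.184.216.34 */
/* Three malformed names, each a different way to break an unchecked parser. */
const uint8_t BAD_POINTER_LOOP[]    = { 0,0, 0x81,0x80, 0,1, 0,0, 0,0, 0,0, 0xC0,0x0C }; /* points to itself */
const uint8_t BAD_FORWARD_POINTER[] = { 0,0, 0x81,0x80, 0,1, 0,0, 0,0, 0,0, 0xC0,0x20 }; /* target beyond message */
const uint8_t BAD_TRUNCATED_LABEL[] = { 0,0, 0x81,0x80, 0,1, 0,0, 0,0, 0,0, 7,'e','x' };  /* claims 7 bytes, has 2 */

char dns_name_buf[DNS_MAX_NAME + 1];
/* Decoded name from `off`, or NULL if the parser rejected the encoding. */
const char *dns_decode_or_null(const uint8_t *msg, size_t len, size_t off)
{
    return dns_read_name(msg, len, off, dns_name_buf, sizeof dns_name_buf) < 0
           ? NULL : dns_name_buf;
}

int main(void)
{
    printf("question: %s\n", dns_decode_or_null(SAMPLE_QUERY, sizeof SAMPLE_QUERY, 12));
    printf("answer (via pointer): %s\n", dns_decode_or_null(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE, 29));
    printf("self-pointer rejected: %d\n", dns_decode_or_null(BAD_POINTER_LOOP, sizeof BAD_POINTER_LOOP, 12) == NULL);
    printf("response accepted: %d\n", dns_response_matches_query(SAMPLE_QUERY, sizeof SAMPLE_QUERY, SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE));
    return 0;
}
```

The backward-only pointer rule is what makes the decoder terminate without a hop counter: every jump moves `pos` strictly towards the start of the message, so neither a self-referencing pointer nor a cycle of pointers can keep it busy, and the length checks before each `memcpy` are what stand between a crafted label and the out-of-bounds write the article describes. The matching function also illustrates why a predictable or unchecked transaction ID is dangerous: it is the only field an off-path attacker cannot simply copy from a sniffed query.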

An attack scenario abusing NAME:WRECK assumes that the adversary gains initial access to the enterprise environment by compromising a device that issues DNS requests to a remote server. The attacker must be able to answer the device’s legitimate DNS requests with malicious packets, which is possible through a man-in-the-middle position on the path to the resolver or by compromising the DNS servers the device queries.

Next, the attacker can abuse the compromised device to set up a rogue internal DHCP server and move laterally by executing code on vulnerable internal FreeBSD servers (the FreeBSD bug, CVE-2020-7461, sits in the DHCP client’s parsing of the domain search option, which uses the same DNS-style name compression). Finally, the attacker can leverage the compromised machines to achieve persistence and exfiltrate data.

Impact from these vulnerabilities is wide: the Nucleus NET TCP/IP stack is deployed in healthcare, IT, and critical systems; FreeBSD runs on high-performance servers within IT networks and is the basis of well-known open-source projects; NetX is used in wearables such as fitness products and patient monitors, automotive solutions, the NASA Mars Reconnaissance Orbiter, and more.

Overall, roughly 10 billion devices might be affected: over 3 billion devices are powered by Nucleus RTOS, which runs the Nucleus TCP/IP stack; ThreadX RTOS, which usually runs the NetX stack, had 6.2 billion deployments in 2017; while FreeBSD runs on devices found in millions of networks.
Written By

Ionut Arghire is an international correspondent for SecurityWeek.