Exploits are looming over 100 million IoT devices under threat from 9 newly discovered DNS vulnerabilities, discovered by Forescout Research Labs and JSOF and collectively dubbed NAME:WRECK. The NAME:WRECK exploits affect four well-known TCP/IP stacks, each present in popular IT software and IoT firmware. The exploits impact organizations in multiple sectors, from government to healthcare, manufacturing, and retail, and if successfully exploited by malicious actors in a denial of service (DoS) or remote code execution (RCE) attack, could be used to disrupt or take control of victim networks.
The exploits affect the following four stacks:
FreeBSD: Commonly used in computers, printers, and networking devices found on Device Cloud. It is used on other well-known open source projects such as firewalls and some commercial network appliances.
IPNet: Integrator solution offered by IPNet Solutions, geared for enterprise and telecom markets.
NetX: Common product categories include mobile phones, consumer electronics, and business automation, in devices such as printers, smart clocks, systems-on-a-chip, and energy & power equipment in Industrial Control Systems (ICS).
Nucleus NET: Part of Nucleus RTOS, and deployed in over 3 billion devices. Commonly used in building automation, operational technology, and VoIP, as well as ultrasound machines, storage systems, and critical systems for avionics.
The combination of widespread use of these stacks, together with external exposure of the vulnerable DNS clients, results in a dramatically increased attack surface. Even the most conservative estimates conclude that millions of devices are impacted by NAME:WRECK.
“NAME:WRECK is a significant and widespread set of exploits with the potential for large-scale disruption,” said Daniel dos Santos, research manager at Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP stacks.
“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”
Although FreeBSD, Nucleus NET and NetX have all been patched recently, as with many other exploits affecting deployed IoT devices, NAME:WRECK will inevitably be hard to patch in some instances because nowadays, IoT technology is often deeply embedded in organisational systems, can be hard to manage, and often essentially impossible to patch.
Due to the severity of the exploits, Forescout and JSOF are recommending a series of mitigations:
- Users should try to discover and inventory devices running the vulnerable stacks – Forescout has pushed out an open source script that uses active fingerprinting to do this, which is being updated as new developments occur.
- Users should enforce segmentation controls and increase network hygiene, restricting external communication paths and isolating vulnerable devices if they cannot be patched.
- Users should monitor for patches being dropped by affected device suppliers and devise a remediation plan for affected inventory.
- Users should configure affected devices to run on internal DNS servers, and monitor external DNS traffic (successful exploitation would need a malicious DNS server to reply with malicious packets).
- Users should monitor all their network traffic for malicious packets trying to exploit known vulnerabilities or zero-days affecting DNS, mDNS and DHCP clients.
NAME:WRECK is the second major set of TCP/IP exploits uncovered by Forescout’s team in the past year as part of a research programme called Project Memoria.
In December 2020, the firm issued a warning over 33 different exploits, referred to as Amnesia33, affecting devices made by over 150 different tech manufacturers. Such was the scale of the Amnesia33 disclosure that it prompted an emergency alert from the US Cyber Security and Infrastructure Security Agency.
NAME:WRECK Exploits Analysis
Much of this analysis has been carried out by Forescout, JSOF, and BleepingComputer.
The researchers analyzing the DNS implementations in the above-mentioned TCP/IP stacks looked at the message compression feature of the protocol. It is not uncommon for DNS response packets to include the same domain name or a part of it more than once, so a compression mechanism exists to reduce the size of DNS messages. Not just DNS resolvers benefit from this encoding as it is present in multicast DNS (mDNS), DHCP clients, and IPv6 router advertisements.
Forescout explains in the report that the feature is also present in many implementations, although some protocols do not officially support compression. This occurs “because of code reuse or a specific understanding of the specifications.”
The researchers note that implementing the compression mechanism has been a tall order, as highlighted by more than a dozen exploits discovered since the year 2000.
Below is a list of the 9 exploits across the four TCP/IP stacks:
CVE-2020-7461 – Boundary error when parsing option 119 data in DHCP packets in dhclient(8). Attacker on the network can send crafted data to DHCP client
CVE-2016-20009 – Stack-based overflow on the message decompression function.
CVE-2020-15795 – DNS domain name label parsing functionality does not properly validate the names in DNS responses. Parsing malformed responses could result in a write past the end of an allocated structure.
CVE-2020-27009 – DNS domain name record decompression functionality does not properly validate the pointer offset values. Parsing malformed responses could result in a write past the end of an allocated structure.
CVE-2020-27736 – DNS domain name label parsing functionality does not properly validate the name in DNS responses. Parsing malformed responses could result in a write past the end of an allocated structure.
CVE-2020-27737 – DNS response parsing functionality does not properly validate various length and counts of the records. Parsing malformed responses could result in a read past the end of an allocated structure
CVE-2020-27738 – DNS domain name record decompression functionality does not properly validate the pointer offset values. Parsing malformed responses could result in a read access past the end of an allocated structure
CVE-2021-25677 – DNS client does not properly randomize DNS transaction ID (TXID) and UDP port Numbers
Unnamed NetX exploit – two functions in the DNS resolver fo not check that the compression pointer does not equal the same offset currently being parsed, potentially leading to an infinite loop
Against nearly all exploits, the first step is to patch all systems. Following this, users should follow the mitigation steps outlined by Forescout.
When IoT devices are protected, it’s important that individuals, family’s, and business owners take the steps to protect their other device. These steps include using the right tools to ensure they’re protected – One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.