100 Million Devices Affected by "NAME:WRECK"

Popular TCP/IP stacks are affected by a series of Domain Name System (DNS) vulnerabilities that could be exploited to take control of impacted devices, researchers with IoT security firm Forescout recently reported. Collectively called NAME:WRECK and identified in the DNS implementations of FreeBSD, Nucleus NET, IPnet, and NetX, the flaws could also be abused to perform denial of service (DoS) attacks, to execute code remotely, or take devices offline.

Devices ranging from smartphones, aircraft navigation systems and industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available for some affected vendors.

Nine vulnerabilities were identified within the implementation of the Domain Name System (DNS) protocol used by TCP/IP network communication stacks. These two technologies are used in tandem to uniquely identify devices connected to the internet and facilitate digital communications between them. The most serious of the flaws are rated critical in severity.

The bugs were identified as part of Project Memoria, a research initiative aimed at improving the overall security of IoT devices and which has already resulted in the finding of more than 40 issues in popular TCP/IP stacks, critical components providing basic network connectivity for a wide range of devices. Referenced as AMNESIA:33 (33 bugs in four open source TCP/IP stacks) and NUMBER:JACK (nine flaws in as many stacks), the issues previously brought to light as part of Project Amnesia are as severe as the Ripple20 and URGENT/11 bugs that were detailed over the past two years.

NetX, FreeBSD and Siemens’ Nucleus NET are estimated to have a deployment base of roughly 10 billion devices, yet not all of them are affected. However, the researchers point out that, should only 1% of these devices be vulnerable, their number would still be above 100 million. “The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface. This research is further indication that the community should fix DNS problems that we believe are more widespread than what we currently know,” Forescout points out.

Forescout explains that it chose to name the bugs NAME:WRECK because they are proof of how domain name parsing can break DNS implementations in TCP/IP stacks. Except for four issues in Nucleus NET, the bugs are related to message compression, functionality that was found to be vulnerable in previous research too.
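Both failure classes the article names, label parsing and message compression, come down to a name decoder trusting two attacker-controlled fields in a received packet: the label length octet and the 14-bit compression pointer. The Python decoder below is an added example written for this page, not code from Forescout, JSOF or any of the stacks named above; it shows the bounds and termination checks a DNS client needs, and the sample messages it runs against are constructed rather than captured.

```python
"""Bounds-checked decoding of a compressed DNS name (RFC 1035 section 4.1.4).

Added example for this page, not code from Forescout, JSOF or any stack named
in the article. The two places a name decoder trusts attacker-controlled
bytes are the label length octet and the 14-bit compression pointer; every
check below is keyed to one of them. Sample messages are constructed.
"""
from __future__ import annotations

MAX_NAME_LEN = 255          # RFC 1035: a name is at most 255 octets on the wire
HEADER = bytes(12)          # zeroed 12-octet header; name data starts at offset 12


class MalformedName(ValueError):
    """The name does not fit in the message or violates RFC 1035 limits."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at msg[offset]; return (dotted name, offset after it).

    Termination argument: every pointer must land strictly before the start of
    the segment currently being read, so segment starts strictly decrease and
    no sequence of pointers can loop. Total decoded length is capped at 255.
    """
    labels: list[str] = []
    wire_len = 0             # octets the name occupies once fully expanded
    seg_start = offset       # where the segment currently being read began
    end: int | None = None   # offset just past the name at its original location
    pos = offset
    while True:
        if pos >= len(msg):
            raise MalformedName(f"name at {offset} runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName(f"truncated pointer at {pos}")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2                          # name ends after first pointer
            if target >= seg_start:
                raise MalformedName(f"pointer at {pos} to {target} is not strictly backwards")
            seg_start = pos = target
            continue
        if length & 0xC0:                              # 0x40/0x80: reserved label types
            raise MalformedName(f"reserved label type 0x{length:02x} at {pos}")
        # top bits clear, so 0 <= length <= 63: the RFC label limit is implicit
        wire_len += 1 + length
        if wire_len > MAX_NAME_LEN:
            raise MalformedName("expanded name exceeds 255 octets")
        if length == 0:                                # root label terminates the name
            return ".".join(labels) or ".", (pos + 1 if end is None else end)
        if pos + 1 + length > len(msg):
            raise MalformedName(f"label at {pos} runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def try_read(msg: bytes, offset: int) -> tuple:
    """Wrap read_name so callers get a tagged result instead of an exception."""
    try:
        name, end = read_name(msg, offset)
        return ("ok", name, end)
    except MalformedName as exc:
        return ("malformed", str(exc))


# Constructed messages. Offsets: header 0-11, first name starts at 12.
SAMPLE_OK = HEADER + b"\x03www\x07example\x03com\x00" + b"\xC0\x10"   # pointer to offset 16
SAMPLE_SELF_POINTER = HEADER + b"\xC0\x0C"                            # pointer to itself
SAMPLE_FORWARD_POINTER = HEADER + b"\xC0\x0E\x00\x00"                 # pointer ahead of itself
SAMPLE_POINTER_LOOP = HEADER + b"\x01a\xC0\x14" + bytes(4) + b"\x01b\xC0\x0C"  # 12 <-> 20 cycle
SAMPLE_LABEL_OVERRUN = HEADER + b"\x14abc"                            # claims 20 octets, has 3
SAMPLE_NAME_TOO_LONG = HEADER + (b"\x3f" + b"a" * 63) * 5 + b"\x00"   # 5 x 64 octets > 255

if __name__ == "__main__":
    for label, msg, off in [("question", SAMPLE_OK, 12), ("answer owner", SAMPLE_OK, 29),
                            ("self pointer", SAMPLE_SELF_POINTER, 12),
                            ("forward pointer", SAMPLE_FORWARD_POINTER, 12),
                            ("pointer loop", SAMPLE_POINTER_LOOP, 20),
                            ("label overrun", SAMPLE_LABEL_OVERRUN, 12),
                            ("name too long", SAMPLE_NAME_TOO_LONG, 12)]:
        print(f"{label:16} {try_read(msg, off)}")
```

The "strictly backwards from the current segment start" rule is stricter than the common "pointer must point backwards from its own position" check, which still admits two pointers that hand control back and forth; the per-name 255-octet cap independently bounds the work done on any single name.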

The following are the vulnerability CVE tracking numbers and the type of TCP/IP stacks impacted:

  • CVE-2020-7461: A message compression bug impacting devices running FreeBSD and can lead to RCE (CVSS severity rating 7.7);
  • CVE-2016-20009: A message compression bug impacting devices running IPnet and can lead to RCE (CVSS severity rating 9.8);
  • CVE-2020-15795: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);
  • CVE-2020-27009: A message-compression bug impacting devices running Nucleus NET and can lead to RCE (CVSS severity rating 8.1);
  • CVE-2020-27736: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
  • CVE-2020-27737: A domain name label-parsing bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
  • CVE-2020-27738: A message-compression bug impacting devices running Nucleus NET and can lead to DoS (CVSS severity rating 6.5);
  • CVE-2021-25677: A transaction-ID bug impacting devices running Nucleus NET and can lead to DNS cache-poisoning attacks (CVSS severity rating 5.3);
  • And one CVE-unassigned: A message-compression bug impacting devices running NetX and can lead to DNS cache-poisoning attacks (CVSS severity rating 6.5).


Attackers, Forescout explains, could chain together three vulnerabilities to inject malicious code into a target: CVE-2020-27009 to write data to the device’s memory to inject the code, CVE-2020-15795 to craft meaningful code for injection, and CVE-2021-25677 to bypass DNS query-response matching to deliver the malicious packet. The DNS message parsing in Nucleus NET is affected by multiple flaws that could be abused to perform a remote code execution attack, namely CVE-2020-27736, CVE-2020-27738, CVE-2020-15795 and CVE-2020-27009.
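Query-response matching, the step the transaction-ID flaw in the list above lets an attacker sidestep, is a plain-UDP client's only way to tell a genuine answer from a forged one. As an added example (not code from Forescout, JSOF or any vendor), the following Python sketch shows how a resolver client keeps state for each outstanding query and accepts a response only when the unpredictable transaction ID, the server address, the QR flag and a byte-for-byte copy of the question section all match; the packets are constructed inline and nothing is sent on the network.

```python
"""Matching DNS responses to outstanding queries (added example, not vendor code).

A client that accepts any response carrying a plausible transaction ID is open
to having forged answers cached. This sketch keeps state per outstanding query
and drops anything that does not match on all of: transaction ID, the server
the query was sent to, the QR flag, and the exact question section echoed back.
Packets are constructed inline; nothing is sent on the network.
"""
from __future__ import annotations

import secrets
import struct

QR_FLAG = 0x8000          # header flag: message is a response
RD_FLAG = 0x0100          # header flag: recursion desired
RA_FLAG = 0x0080          # header flag: recursion available
QTYPE_A, QCLASS_IN = 1, 1

QNAME_WIRE = b"\x07example\x03com\x00"    # constructed question name
SERVER = ("192.0.2.53", 53)               # RFC 5737 documentation address


class DnsClientState:
    """Outstanding queries keyed by (transaction id, server address)."""

    def __init__(self) -> None:
        self.pending: dict[tuple[int, tuple[str, int]], bytes] = {}

    def build_query(self, qname_wire: bytes, qtype: int, server: tuple[str, int]) -> bytes:
        """Return a query packet with a CSPRNG transaction id and remember it."""
        while True:
            txid = secrets.randbits(16)        # unpredictable, unlike a counter
            if (txid, server) not in self.pending:
                break
        question = qname_wire + struct.pack("!HH", qtype, QCLASS_IN)
        header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
        self.pending[(txid, server)] = question
        return header + question

    def accept_response(self, packet: bytes, source: tuple[str, int]) -> str:
        """Classify a received packet; only 'accept' may feed the cache."""
        if len(packet) < 12:
            return "drop: short header"
        txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
        question = self.pending.get((txid, source))
        if question is None:
            return "drop: no outstanding query with this id from this server"
        if not flags & QR_FLAG:
            return "drop: QR flag clear"
        if qdcount != 1 or packet[12:12 + len(question)] != question:
            return "drop: question section does not match the query"
        del self.pending[(txid, source)]       # one response per query; replays fail
        return "accept"


def txid_of(packet: bytes) -> int:
    return struct.unpack("!H", packet[:2])[0]


def make_response(txid: int, question: bytes, rdata: bytes) -> bytes:
    """Constructed response: header, echoed question, one A record via pointer."""
    header = struct.pack("!HHHHHH", txid, QR_FLAG | RD_FLAG | RA_FLAG, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, len(rdata)) + rdata
    return header + question + answer


def demo() -> dict[str, str]:
    """Run one query through the matcher against forged and genuine responses."""
    state = DnsClientState()
    query = state.build_query(QNAME_WIRE, QTYPE_A, SERVER)
    txid, question = txid_of(query), query[12:]
    rdata = b"\xC0\x00\x02\x01"                       # 192.0.2.1, constructed
    good = make_response(txid, question, rdata)
    bad_question = b"\x03bad\x03com\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    results = {}
    results["wrong_txid"] = state.accept_response(make_response(txid ^ 1, question, rdata), SERVER)
    results["wrong_source"] = state.accept_response(good, ("198.51.100.7", 53))
    results["wrong_question"] = state.accept_response(make_response(txid, bad_question, rdata), SERVER)
    results["genuine"] = state.accept_response(good, SERVER)
    results["replay"] = state.accept_response(good, SERVER)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15} {verdict}")
```

Matching on the echoed question section costs nothing extra for the client, since it already holds the bytes it sent, and it means a forged packet has to guess the name and type as well as the 16-bit ID; in practice the source port should also be randomised per query and checked the same way.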

An attack scenario abusing NAME:WRECK assumes that the adversary gains initial access into the enterprise environment through compromising a device that can issue DNS requests to a remote server. The attacker needs to reply to legitimate DNS requests with malicious packets, which is possible through man-in-the-middle attacks or by exploiting queried DNS servers.

Next, the attacker can abuse the compromised device to set up an internal DHCP server and perform lateral movement through the execution of code on vulnerable internal FreeBSD servers. Finally, the attacker can leverage the compromised machines to achieve persistence and exfiltrate data.

Impact from these vulnerabilities is wide: the Nucleus NET TCP/IP stack is deployed in healthcare, IT, and critical systems; FreeBSD runs on high-performance servers within IT networks and is the basis of well-known open-source projects; NetX is used in wearables such as fitness products and patient monitors, automotive solutions, the NASA Mars Reconnaissance Orbiter, and more.

Overall, roughly 10 billion devices might be affected: over 3 billion devices are powered by Nucleus RTOS, which runs the Nucleus TCP/IP stack; ThreadX RTOS, which usually runs the NetX stack, had 6.2 billion deployments in 2017; while FreeBSD runs on devices found in millions of networks.

Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com


Weekly Cyber Intelligence Briefings:


REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516


TR-21-112-004NameWreck.pdf


https://www.securityweek.com/least-100-million-devices-affected-namewreck-dns-flaws-tcpip-stacks
