A set of vulnerabilities has been found in the way a number of popular TCP/IP stacks handle DNS requests. Potentially this could impact hundreds of millions of servers, smart devices, and industrial equipment. The researchers that discovered the vulnerabilities have named them NAME:WRECK.
Plural vulnerabilities?
Yes, the researchers found 9 DNS-related vulnerabilities that have the potential to allow attackers to take targeted devices offline or to gain control over them. These vulnerabilities affect 4 popular TCP/IP stacks: FreeBSD, IPnet, Nucleus NET, and NetX. Together they are used by over 100 million devices. Since the vulnerable DNS clients are usually exposed to the internet, this creates a huge attack surface.
Some background
Domain Name System (DNS) is an internet protocol that translates user-friendly, readable domain names, like malwarebytes.com, to their numeric IP addresses, like 52.85.104.30, allowing the computer to identify a server without the user having to remember and input its actual IP address. Basically, you could say DNS is the phonebook of the internet. DNS name resolution is a complex process that can be interfered with at many levels. Although never visible to end-users, TCP/IP stacks are libraries that vendors add to their firmware to support internet connectivity and other networking functions like DNS queries for their devices. These libraries are very small but, in most cases, underpin the most basic functions of a device, and any vulnerability here exposes users to remote attacks.
Devices and organizations affected by NAME:WRECK
FreeBSD is widely used in firewalls and several commercial network appliances. It is also the basis for other well-known open-source projects. The most common device types running FreeBSD include computers, printers and networking equipment.
IPNet tends to be used by internet-facing enterprise devices located at the perimeter of an organization’s network, such as modems, routers, firewalls, and printers, as well as some industrial and medical devices.
The Nucleus RTOS website mentions that more than 3 billion devices use this real-time operating system, such as ultrasound machines, storage systems, critical systems for avionics and others, although presumably many of them are not internet connected.
NetX is usually run by the ThreadX Real Time Operating System (RTOS). Typical applications include medical devices, systems-on-a-chip and several printer models. The most common device types running ThreadX include printers, smart clocks and energy and power equipment in Industrial Control Systems (ICS).
Did you notice how it may turn out that the vertical that has the most to fear from these vulnerabilities is a sector that is already under heavy stress, and has been actively targeted by cyberattacks? The healthcare sector is indeed among the top 3 sectors most affected by these vulnerabilities, together with government.
Exploitation
For an attacker to use these vulnerabilities, they have to find a way to send a malicious packet in reply to a legitimate DNS request. So the attacker will have to run a person-in-the-middle attack, or be able to use an existing vulnerability like DNSpooq between the target device and the DNS server, to pull this off.
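As an added illustration (not code from the report or from any of the four affected stacks), this is what a defensively written DNS client in an embedded stack does with a reply before trusting it: it checks that the reply answers the query it actually sent, and it decodes names from the reply with every read bounds-checked. The sample query and reply bytes are constructed for the example; the specific flaws the researchers found are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Bounds-checked decoder for a name inside a DNS reply (RFC 1035 labels and
 * compression pointers). Every read is checked against the message length,
 * the output buffer is never overrun, and pointer hops are capped, so a
 * crafted reply can neither push the parser past the buffer nor loop it.
 * Returns the dotted name length, or -1 if the message is malformed. */
int dns_read_name(const uint8_t *msg, size_t len, size_t pos,
                  char *out, size_t outsz)
{
    size_t outpos = 0;
    int hops = 0;
    if (outsz == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* length byte past end */
        uint8_t l = msg[pos];
        if (l == 0) break;                         /* root label: done */
        if ((l & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len || ++hops > 16) return -1;  /* loop/chain */
            pos = ((size_t)(l & 0x3F) << 8) | msg[pos + 1];
            continue;
        }
        if (l > 63) return -1;                     /* 0x40/0x80 are reserved */
        pos++;
        if (pos + l > len) return -1;              /* label data past end */
        size_t need = outpos + (outpos ? 1 : 0) + l + 1;
        if (need > outsz || need > 254) return -1; /* output/name too long */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos, l);
        outpos += l; pos += l;
    }
    out[outpos] = '\0';
    return (int)outpos;
}

/* A reply must carry a full header, have the QR bit set and echo the query's
 * transaction ID; anything else is dropped before it reaches the parser. */
int dns_reply_matches_query(const uint8_t *q, size_t qlen,
                            const uint8_t *r, size_t rlen)
{
    if (qlen < 12 || rlen < 12 || !(r[2] & 0x80)) return 0;
    return q[0] == r[0] && q[1] == r[1];
}

/* Constructed sample (not captured traffic): a query for example.com and a
 * reply whose name is followed by a compression pointer back to offset 12. */
const uint8_t sample_query[] = { 0x12,0x34,0x01,0x00,0,1,0,0,0,0,0,0 };
const uint8_t sample_reply[] = { 0x12,0x34,0x81,0x80,0,1,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0xC0,0x0C };
const uint8_t loop_msg[] = { 0xC0,0x00 };          /* pointer to itself */
```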
Mitigation
Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of these IP stacks. FreeBSD, Nucleus NET and NetX have been patched recently, and device vendors using this software should provide their own updates to customers.
It is not always easy, though, for users to find out whether they have the most up-to-date patches for any devices running these affected IP stacks. And patching devices is not always easy, or even possible.
There are a few things you can do, however:
- Make an inventory of the devices running the vulnerable stacks. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks.
- Keep unpatched devices contained or disconnected from the internet, until they can be patched or replaced.
- Configure devices to rely on internal DNS servers where possible.
- Monitor network traffic for malicious packets that try to exploit the vulnerabilities.
- Apply patches as soon as possible after they have been made available.
For those interested in the full technical details, the full report is available here and will be presented at Black Hat Asia 2021.
Stay safe, everyone!