Researchers are warning of nine vulnerabilities that affect popular TCP/IP stacks utilized by connected devices. If exploited, the set of flaws could allow attackers to launch denial-of-service and remote-code-execution attacks on an array of devices.
The nine flaws, collectively dubbed Name:Wreck by Forescout researchers in a Tuesday report, showcase the weaknesses of Domain Name System (DNS) protocol implementations in TCP/IP network communication stacks. Many devices rely on the four TCP/IP stacks that are affected by these flaws, ranging from connected printers used in offices to defibrillators used in hospitals. Researchers “conservatively assume” that an estimated 100 million devices could be impacted by the set of flaws.
In real-world attacks, “a simple scenario... would have an attacker infiltrating a manufacturing network via an RCE on an exposed IoT device then causing a production line to stop by causing a DoS on an industrial controller,” Daniel dos Santos, research manager at Forescout Research Labs, said. “Similarly, the attacker could switch off the lights of a target company by leveraging a vulnerable building automation controller.”
Many of the Name:Wreck vulnerabilities stem from DNS implementations of a protocol feature called message compression. Because DNS response packets often repeat the same domain name, message compression shrinks a message by letting a later occurrence of a name point back to an earlier one instead of spelling it out again. This compression mechanism has been problematic to implement for 20 years, said researchers, causing issues on DNS servers, enterprise devices and, more recently, TCP/IP stacks. Forescout researchers had already disclosed three flaws relating to message compression during previous research into TCP/IP vulnerabilities (in particular the Ripple20 and AMNESIA:33 sets of flaws), which prompted them to hunt for similar flaws in other protocol stacks.
As part of the ensuing Name:Wreck research, researchers found DNS message compression vulnerabilities in four popular TCP/IP stacks, including FreeBSD (version 12.1), IPnet (version VxWorks 6.6), NetX (version 6.0.1) and Nucleus Net (version 4.3). The most critical flaws exist in FreeBSD, popular IT software used by high-performance servers in millions of IT networks, including major websites such as Netflix and Yahoo; and in Siemens’ Nucleus NET firmware, which has been used for decades by critical OT and Internet-of-Things (IoT) devices.
The more serious flaws include two high-severity issues (CVE-2020-15795 and CVE-2020-27009) in Nucleus Net that can enable remote code execution. CVE-2020-15795 exists because the DNS domain name label parsing functionality does not properly validate the names in DNS responses, while CVE-2020-27009 exists because the DNS domain name record decompression functionality does not properly validate the offset pointer values. For both of these flaws, attackers could execute code or launch a DoS attack; however, they would need existing privileges in the network. Meanwhile, another high-severity flaw exists in FreeBSD, which can enable remote attackers to send specially crafted data to the DHCP client (the component that obtains an automatically assigned IP address from the network), triggering a heap-based buffer overflow and allowing them to execute arbitrary code on the target system. The attackers would need to be on the local network in order to launch the attack.
Of note, some of the flaws discovered are not related to message compression, but could be chained together with the disclosed message compression vulnerabilities to target devices, said researchers. Forescout’s dos Santos also stressed that the flaws can be exploited remotely and unauthenticated, but that there are different levels of difficulty in exploiting them. For instance, exploiting the flaws for remote code execution is more difficult, because it requires knowledge about the internals of a device and requires fine tuning for each target device, he said.
For instance, attackers can exploit CVE-2020-27009 by crafting a DNS response packet with a combination of invalid compression pointer offsets. This could allow them to write arbitrary data into sensitive parts of a device’s memory, where they can then inject code. They can then exploit CVE-2020-15795 by abusing very large domain name records in the malicious packet, in order to craft meaningful code to be injected. Finally, to deliver the subsequent malicious packet to the target, the attackers can bypass DNS query-response matching using CVE-2021-25667, one of the other Name:Wreck flaws uncovered in Nucleus NET.
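The two Nucleus NET conditions described above, invalid compression pointer offsets and oversized domain name records, are exactly what a name decoder has to refuse before it copies anything. The routine below is an added illustration written for this article; it is not Forescout's code nor code from any of the affected stacks. It decodes a name from a constructed DNS response while enforcing that every compression pointer stays inside the packet and points strictly backwards (which also rules out pointer loops), that the encoded name respects the RFC 1035 255-octet limit, and that no label is copied past the end of the packet or of the output buffer. The packet bytes, the `DNS_MAX_JUMPS` cap and the function name `dns_read_name` are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME   255   /* RFC 1035: total encoded name length */
#define DNS_MAX_JUMPS  16    /* hypothetical cap on pointers followed per name */

/* Decode the name at packet offset `off` into `out` as dotted text.
 * Returns the number of bytes the name occupies at `off` (so a caller can
 * advance past it), or -1 if the encoding is malformed. A compression
 * pointer is accepted only if it lies inside the packet and points to a
 * strictly lower offset; a reserved length prefix, a label running past the
 * packet, a name over 255 octets, or an output buffer too small all fail. */
int dns_read_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                  char *out, size_t out_len)
{
    size_t pos = off, consumed = 0, out_pos = 0, name_len = 0;
    int jumped = 0, jumps = 0;

    if (out_len == 0) return -1;
    for (;;) {
        if (pos >= pkt_len) return -1;            /* read would leave the packet */
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {               /* two-byte compression pointer */
            if (pos + 1 >= pkt_len) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (target >= pos) return -1;         /* forward or self pointer: reject */
            if (++jumps > DNS_MAX_JUMPS) return -1;
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                /* 0x40/0x80 prefixes are reserved */
        if (len == 0) {                           /* root label terminates the name */
            if (!jumped) consumed = pos + 1 - off;
            out[out_pos] = '\0';
            return (int)consumed;
        }
        /* a plain label: 6-bit length already caps it at 63 octets */
        name_len += (size_t)len + 1;
        if (name_len + 1 > DNS_MAX_NAME) return -1;      /* +1 for the final zero */
        if (pos + 1 + len > pkt_len) return -1;           /* label overruns packet */
        size_t need = out_pos + (out_pos ? 1 : 0) + len + 1;
        if (need > out_len) return -1;                    /* label + '.' + NUL must fit */
        if (out_pos) out[out_pos++] = '.';
        memcpy(out + out_pos, pkt + pos + 1, len);
        out_pos += len;
        pos += 1 + (size_t)len;
    }
}

/* Constructed response: a valid question and answer, then deliberately
 * malformed names at the end so the checks above can be exercised. */
const uint8_t sample_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    /* offset 12: "www.example.com" */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,              /* offset 29: QTYPE A, QCLASS IN */
    0xC0, 0x0C,                          /* offset 33: pointer back to offset 12 */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10,   /* offset 35: "mail" + pointer to "example.com" */
    0xC0, 0x2A,                          /* offset 42: pointer to itself */
    0xC0, 0x30,                          /* offset 44: forward pointer to offset 48 */
    5, 'a', 'b'                          /* offset 46: label claims 5 bytes, packet ends */
};
const size_t sample_response_len = sizeof sample_response;

int main(void)
{
    const size_t offsets[] = { 12, 33, 35, 42, 44, 46 };
    char name[256];
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int n = dns_read_name(sample_response, sample_response_len, offsets[i],
                              name, sizeof name);
        if (n < 0) printf("offset %zu: rejected\n", offsets[i]);
        else       printf("offset %zu: \"%s\" (%d bytes)\n", offsets[i], name, n);
    }
    return 0;
}
```

Rejecting any pointer that does not move strictly backwards is stricter than the RFC wording but is what makes termination and bounds safety easy to reason about: every iteration either consumes forward bytes or jumps to an offset it has already passed, so the loop cannot spin and the pointer can never leave the packet. The separate 255-octet check is what bounds "very large domain name records" regardless of how many pointers assemble them.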
While patches have been issued for the flaws, device vendors relying on this software need to provide their own updates to customers. In the complex IoT environment, patching devices running the vulnerable versions of the IP stacks can be challenging, however. Many of these devices are not centrally managed, for instance, and some vulnerable devices running vulnerable Nucleus NET-based firmware are mission-critical (such as medical devices or industrial control systems), meaning that they are more difficult to take offline while applying patches.
Security issues in the TCP/IP architecture, which allows IoT devices to communicate with the network and with one another, continue to surface. The stacks are “notoriously vulnerable” because they rely on codebases that were created decades ago and on protocols that can include unauthenticated functionality, said researchers, presenting an attractive attack surface for cybercriminals. Previously, researchers discovered a set of 19 flaws in the Treck TCP/IP stack (called Ripple20), as well as a set of 33 vulnerabilities affecting four open-source TCP/IP stacks (called AMNESIA:33).
In terms of best practices, Paul Vixie, chairman, CEO, and co-founder of Farsight Security, emphasized that devices should be configured to rely on internal DNS servers: “Run your own recursive DNS, don’t outsource this,” he said. “I would recommend companies use internal name servers.”
External DNS traffic should also be closely monitored, since exploitation requires a malicious DNS server to reply with malicious packets, said researchers.
“General recommended mitigations for Name:Wreck include limiting the network exposure of critical vulnerable devices via network segmentation, relying on internal DNS servers and patching devices whenever vendors release advisories,” said researchers.