Popular TCP/IP stacks are affected by a series of Domain Name System (DNS) vulnerabilities that could be exploited to take control of impacted devices, researchers with IoT security firm Forescout reveal.
Collectively called NAME:WRECK and identified in the DNS implementations of FreeBSD, Nucleus NET, IPnet, and NetX, the flaws could also be abused to perform denial of service (DoS) attacks, to execute code remotely, or take devices offline.
The bugs were identified as part of Project Memoria, a research initiative aimed at improving the overall security of IoT devices and which has already resulted in the finding of more than 40 issues in popular TCP/IP stacks, critical components providing basic network connectivity for a wide range of devices.
Collectively referred to as AMNESIA:33 (33 bugs in four open source TCP/IP stacks) and NUMBER:JACK (nine flaws in as many stacks), the issues previously brought to light as part of Project Amnesia are as severe as the Ripple20 and URGENT/11 bugs that were detailed over the past two years.
ThreadX, FreeBSD and Siemens’ Nucleus NET are estimated to have a deployment base of roughly 10 billion devices, yet not all of them are affected. However, the researchers point out that, should only 1% of these devices be vulnerable, their number would still be above 100 million.
“The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface. This research is further indication that the community should fix DNS problems that we believe are more widespread than what we currently know,” Forescount points out.
Forescount explains that it chose to collectively call the bugs NAME:WRECK because they are proof of how domain names parsing can break DNS implementations in TCP/IP stacks. Except for four issues in Nucleus NET, the bugs are related to message compression, functionality that was found to be vulnerable in previous research too.
The identified security holes are tracked as CVE-2020-7461 (FreeBSD), CVE-2016-20009 (IPnet – the flaw was originally identified in 2016 and a CVE ID with an end-of-life tag was issued), CVE-2020-15795, CVE-2020-27009, CVE-2020-27736, CVE-2020-27737, CVE-2020-27738, and CVE-2021-25677 (Nucleus NET). No CVE ID has been issued for the NetX bug.
Attackers, Forescout explains, could chain together three vulnerabilities to inject malicious code into a target: CVE-2020-27009 to write data to device’s memory to inject the code, CVE-2020-15795 to craft meaningful code for injection, and CVE-2021-25667 to bypass DNS query-response matching to deliver the malicious packet.
The DNS message parsing in Nucleus NET is affected by multiple flaws that could be abused to perform a remote code execution attack, namely CVE-2020-27736, CVE-2020-27738, CVE-2020-15795 and CVE-2020-27009.
An attack scenario abusing NAME:WRECK assumes that the adversary gains initial access into the enterprise environment through compromising a device that can issue DNS requests to a remote server. The attacker needs to reply to legitimate DNS requests with malicious packets, which is possible through man-in-the-middle attacks or by exploiting queried DNS servers.
Next, the attacker can abuse the compromised device to set up an internal DHCP server and perform lateral movement through the execution of code on vulnerable internal FreeBSD servers. Finally, the attacker can leverage the compromised machines to achieve persistence and exfiltrate data.
Impact from these vulnerabilities is wide: the Nucleus NET TCP/IP stack is deployed in healthcare, IT, and critical systems; FreeBSD runs on high-performance servers within IT networks and is the basis of well-known open-source projects; NetX is used in wearables such as fitness products and patient monitors, automotive solutions, the NASA Mars Reconnaissance Orbiter, and more.
Overall, roughly 10 billion devices might be affected: over 3 billion devices are powered by Nucleus RTOS, which runs the Nucleus TCP/IP stack; ThreadX RTOS, which usually runs the NetX stack, had 6.2 billion deployments in 2017; while FreeBSD runs on devices found in millions of networks.