NAME:WRECK DNS Vulnerabilities Impact 100 Million+ Devices

Forescout and JSOF researchers have found 9 vulnerabilities in internet-linked devices which can be taken advantage of in remote code execution and denial-of-service attacks. The vulnerabilities were seen in specific usage of the Domain Name System (DNS) protocol in TCP/IP network communication stacks.

The vulnerabilities are typically a result of how parsing of domain names happens, which could go against DNS implementations, and issues with DNS compression, that devices employ to compress information to converse online utilizing TCP/IP.

This type of vulnerabilities was given the name NAME:WRECK. They impact common IoT and operational technology systems, such as IPnet, FreeBSD, NetX and Nucleus NET. Although the usage of these IoT/OP systems doesn’t indicate that devices are unsecured, many are going to be. The researchers recommend that about 1% of IoT devices could be prone to vulnerabilities, which is over 100 million devices around the world.

Vulnerable devices are employed in a variety of industries, which include healthcare, manufacturing, retail, and the government. Healthcare companies and government institutions top the most severely impacted industries. Thankfully, the vulnerabilities aren’t simple to exploit. There must be a malicious packet sent after receiving a legit DNS request, therefore exploitation needs a man-in-the-middle attack or using an exploit for a distinct vulnerability from the target device to the DNS server. For example., DNSpooq.

Below is the list of 9 vulnerabilities together with the products and TCP/IP stacks impacted:

  • CVE-2016-20009 – IPnet Remote Code Execution – CVSS Score of 9.8
  • CVE-2020-27009 – Nucleus NET Remote Code Execution – CVSS Score of 8.1
  • CVE-2020-15795 – Nucleus NET Remote Code Execution – CVSS Score of 8.1
  • CVE-2020-27736 – Nucleus NET Denial of Service – CVSS Score of 6.5
  • CVE-2020-27738 – Nucleus NET Denial of Service – CVSS Score of 6.5
  • CVE-2020-27737 – Nucleus NET Denial of Service- CVSS Score of 6.5
  • CVE-2020-25677 – Nucleus NET DNS Cache Poisoning – CVSS Score of 5.3
  • CVE-2020-7461 – FreeBSD Remote Code Execution – CVSS Score of 7.7
  • Awaiting CVE – NetX Denial of Service – CVSS Score of 6.5

The vulnerabilities vary in intensity, with the most serious vulnerabilities having a critical score. The vulnerabilities may likewise be chained. For instance, with CVE-2020-27009, an attacker could create a DNS response packet and compose arbitrary data in sensitive portions of the memory. CVE-2020-15795 permits an attacker to create meaningful code to be inserted, and CVE-2021-25667 permits a bypass of DNS query-response corresponding to send the malicious packet to the target.

FreeBSD is additionally employed in network appliances and pfSense firewalls like McAfee SecurOS and Check Point IPSO. NetX is employed in wearable patient monitors like those produced by Welch Allyn. Nucleus NET is employed broadly in healthcare devices, which include ZONARE ultrasound machines and ZOLD defibrillators. The vulnerability in FreeBSD is of special concern since the network stack is employed in lots of embedded devices and countless higher efficiency IT servers, such as those employed by big websites like Netflix and Yahoo.

The vulnerabilities can be employed for extortion in denial-of-service attacks on mission-critical systems, to steal sensitive information, or permit changes to devices to modify functions and could result in substantial damage. Because vulnerable devices are utilized in heating, lighting, ventilation,
and security systems, important building functions can likewise be interfered with.

Although patches have already been launched to fix the vulnerabilities, implementing those patches might be troublesome. A lot of the vulnerable internet-enabled devices are utilized to regulate mission-critical applications that are constantly running and could not be quickly turned off.

How to Mitigate NAME:WRECK Vulnerabilities

The first step is to determine all vulnerable devices. Forescout is creating an open-source script, which may be utilized to fingerprint all vulnerable gadgets. Devices won’t be protected unless the patches are used, therefore after determining all vulnerable devices, it is a must to apply mitigations until the patches are used. Those measures must consist of device and network segmentation, limiting external communication with vulnerable gadgets, and setting up the devices to work on internal DNS servers. Network traffic ought to also be checked for malicious packets trying to take advantage of the vulnerabilities and other vulnerabilities in DCHP, DNS, and mDNS clients.

Patches were introduced for Nucleus NET, FreeBSD, and NetX and device makers, such as Siemens, have already begun issuing patches to fix the vulnerabilities in their products.