
NAME:WRECK DNS vulnerabilities affect over 100 million devices


mood


NAMEWRECK.jpg

 

Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

Collectively referred to as NAME: WRECK, the flaws could be leveraged to take offline affected devices or to gain control over them.

 

The vulnerabilities were found in widespread TCP/IP stacks that run on a wide range of products, from high-performance servers and networking equipment to operational technology (OT) systems that monitor and control industrial equipment.

Issues in four TCP/IP stacks

The discovery of NAME:WRECK is a joint effort from Enterprise of Things security company Forescout and Israel-based security research group JSOF and affects the DNS implementations in the following TCP/IP stacks:

  • FreeBSD (vulnerable version: 12.1) - one of the most popular operating systems in the BSD family
  • IPnet (vulnerable version: VxWorks 6.6) - initially developed by Interpeak, it is now under WindRiver maintenance and used by VxWorks real-time operating system (RTOS)
  • NetX (vulnerable version: 6.0.1) - part of the ThreadX RTOS, it is now an open-source project maintained by Microsoft under the name Azure RTOS NetX
  • Nucleus NET (vulnerable version: 4.3) - part of the Nucleus RTOS maintained by Mentor Graphics, a Siemens business, it is used in medical, industrial, consumer, aerospace, and Internet of Things devices

 

According to Forescout, in hypothetical but plausible scenarios, threat actors could exploit NAME:WRECK vulnerabilities to deal significant damage to government or enterprise servers, healthcare facilities, retailers, or companies in the manufacturing business by stealing sensitive data, modifying or taking equipment offline for sabotage purposes.

 

NAMEWRECK_Gov_Corp_data-exfil.png

 

Attackers could also tamper with critical building functions in residential or commercial locations to control heating and ventilation, disable security systems or tamper with automated lighting systems.

 

NAMEWRECK_Healtcare-sabotage.png

 

The NAME:WRECK vulnerabilities

The researchers analyzing the DNS implementations in the above-mentioned TCP/IP stacks looked at the message compression feature of the protocol.

 

It is not uncommon for DNS response packets to include the same domain name or a part of it more than once, so a compression mechanism exists to reduce the size of DNS messages.

Not just DNS resolvers benefit from this encoding as it is present in multicast DNS (mDNS), DHCP clients, and IPv6 router advertisements.

 

Forescout explains in a report today that the feature is also present in many implementations, although some protocols do not officially support compression. This occurs “because of code reuse or a specific understanding of the specifications.”

 

The researchers note that implementing the compression mechanism has been a tall order, as highlighted by more than a dozen vulnerabilities discovered since the year 2000.

 

It must be noted that not all NAME:WRECK vulnerabilities can be exploited to achieve the same results. The potential impact for the most severe of them is remote code execution, with the highest severity score being calculated to 9.8 out of 10.

 

Below is a rundown of all nine vulnerabilities, their identification numbers, and their severity score.

 

Each row lists CVE ID | Stack | Affected feature | Potential impact | Severity score, followed by the description.

CVE-2020-7461 | FreeBSD | Message compression | RCE | 7.7
- boundary error when parsing option 119 data in DHCP packets in dhclient(8)
- attacker on the network can send crafted data to DHCP client

CVE-2016-20009 | IPnet | Message compression | RCE | 9.8
- stack-based overflow in the message decompression function

CVE-2020-15795 | Nucleus NET | Domain name label parsing | RCE | 8.1
- DNS domain name label parsing functionality does not properly validate the names in DNS responses
- parsing malformed responses could result in a write past the end of an allocated structure

CVE-2020-27009 | Nucleus NET | Message compression | RCE | 8.1
- DNS domain name record decompression functionality does not properly validate the pointer offset values
- parsing malformed responses could result in a write past the end of an allocated structure

CVE-2020-27736 | Nucleus NET | Domain name label parsing | DoS | 6.5
- DNS domain name label parsing functionality does not properly validate the name in DNS responses
- parsing malformed responses could result in a write past the end of an allocated structure

CVE-2020-27737 | Nucleus NET | Domain name label parsing | DoS | 6.5
- DNS response parsing functionality does not properly validate various lengths and counts of the records
- parsing malformed responses could result in a read past the end of an allocated structure

CVE-2020-27738 | Nucleus NET | Message compression | DoS | 6.5
- DNS domain name record decompression functionality does not properly validate the pointer offset values
- parsing malformed responses could result in a read access past the end of an allocated structure

CVE-2021-25677 | Nucleus NET | Transaction ID | DNS cache poisoning/spoofing | 5.3
- DNS client does not properly randomize DNS transaction ID (TXID) and UDP port numbers

* (no CVE ID given in the table) | NetX | Message compression | DoS | 6.5
- two functions in the DNS resolver do not check that the compression pointer does not equal the same offset currently being parsed, potentially leading to an infinite loop

 

As seen in the table above, not all vulnerabilities relate to message compression. These exceptions are a byproduct of the research and can be chained with the others to amplify the effects of the attack.

 

Another exception is CVE-2016-20009. Originally discovered by Exodus Intelligence in 2016, the bug did not receive a tracking number. Although the product is no longer maintained (end-of-life), it is still in use today.

Forescout asked Wind River to file for a CVE but the company did not take any action for months. As such, the company asked Exodus Intelligence for the same thing and the flaw received an identifier in January 2021.

An attacker exploiting a single bug may not achieve much but they can potentially wreak havoc by combining them.

 

For instance, they can exploit one flaw to be able to write arbitrary data into sensitive memory locations of a vulnerable device, another to inject code in a packet, and a third one to deliver it to the target.

The report from Forescout dives deep into technical details about how exploitation may lead to a successful remote code execution attack by leveraging several of the NAME:WRECK vulnerabilities as well as bugs from the AMNESIA:33 collection, that the company discovered in open source TCP/IP stacks.

 

The company also discusses multiple implementation issues that keep repeating in DNS message parsers, referred to as anti-patterns, which are the cause of the NAME:WRECK vulnerabilities:

 

- Lack of TXID validation, insufficiently random TXID and source UDP port

- Lack of domain name character validation

- Lack of label and name lengths validation

- Lack of NULL-termination validation

- Lack of the record count fields validation

- Lack of domain name compression pointer and offset validation

 

Patches for NAME:WRECK are available for FreeBSD, Nucleus NET, and NetX, and eliminating the issues is possible if the fixes trickle down to the affected products.

 

As such, it is now up to the device vendors to apply the corrections to the products that can still be updated. This process, however, is unlikely to have a 100% success rate, as several obstacles are in the way.

First of all, operators need to determine the TCP/IP stack running on affected devices. This is not always an easy task because sometimes even the device vendor does not know.

 

Another hurdle is applying the patch, which, in many cases, needs to be installed manually because there is no centralized management. Add to this a critical device that cannot be taken offline for the update procedure and it becomes clear why a 100% patching rate is virtually impossible.

 

“Even worse, we found that new firmware sometimes runs unsupported versions of an RTOS that may have known vulnerabilities [e.g. CVE-2016-20009]. This is extremely concerning since assuming that a new firmware is not vulnerable might lead to serious blind spots in network risk assessment” - Forescout

 

However, there is mitigation information that security engineers can use to develop signatures that detect DNS vulnerabilities:

- Discover and inventory devices running the vulnerable stacks

- Enforce segmentation controls and proper network hygiene

- Monitor progressive patches released by affected device vendors

- Configure devices to rely on internal DNS servers

- Monitor all network traffic for malicious packets

 

Furthermore, Forescout makes available two open-source tools that can help determine if a target network device runs a specific embedded TCP/IP stack (Project Memoria Detector) and for detecting issues similar to NAME:WRECK (works with Joern).

 

 

Source: NAME:WRECK DNS vulnerabilities affect over 100 million devices

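The CVE-2021-25677 row in the table above and the first anti-pattern in the list ("insufficiently random TXID and source UDP port") describe the same precondition for cache poisoning. The following is an added example in C, not code from Nucleus NET, Forescout or anyone else named in the post: a stub resolver that draws its transaction ID and source port either from a counter (the weak pattern) or from /dev/urandom, together with the response check that requires TXID, destination port and question to match the outstanding query. The struct and function names, the counter's start value, the query name and the /dev/urandom dependency are all assumptions made for the example.

```c
/* Added example (not code from Nucleus NET or any other stack in the thread):
 * the "insufficiently random TXID and source UDP port" anti-pattern behind
 * CVE-2021-25677. A stub resolver keeps one outstanding query and accepts a
 * response only when TXID, destination port and question all match it.
 * Randomness is read from /dev/urandom (assumption: a POSIX host). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct query { uint16_t txid; uint16_t sport; char qname[64]; };

static int fill_random(uint8_t *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

static void set_qname(struct query *q, const char *qname)
{
    snprintf(q->qname, sizeof q->qname, "%s", qname);
}

/* Weak client: TXID and source port come from a counter, as in the CVE. Anyone
 * who saw one query (or guesses the start value) knows the next TXID and port. */
void weak_query(struct query *q, const char *qname)
{
    static uint16_t ctr = 0x1000;                 /* assumption: fixed start value */
    q->txid = ctr;
    q->sport = (uint16_t)(1024 + ctr);
    ctr++;
    set_qname(q, qname);
}

/* Hardened client: 16 random TXID bits plus a random ephemeral port from
 * 49152-65535 leave an off-path attacker about 30 bits to guess blind. */
int strong_query(struct query *q, const char *qname)
{
    uint8_t r[4];
    if (fill_random(r, sizeof r)) return -1;
    q->txid = (uint16_t)(r[0] << 8 | r[1]);
    q->sport = (uint16_t)(49152 + ((r[2] << 8 | r[3]) % 16384));
    set_qname(q, qname);
    return 0;
}

/* The check a client needs regardless of how it picked the values: the reply's
 * TXID and destination port must match the outstanding query, and its
 * question section must echo the name that was asked. */
int accept_response(const struct query *q, uint16_t txid, uint16_t dport, const char *qname)
{
    return q->txid == txid && q->sport == dport && strcmp(q->qname, qname) == 0;
}

/* Off-path attacker who watched one query and forges the reply to the next one,
 * assuming the generator simply increments. Returns 1 if the forgery is accepted. */
int spoof_next_weak(void)
{
    struct query seen, next;
    weak_query(&seen, "time.example");            /* constructed: the query the attacker saw */
    weak_query(&next, "time.example");            /* the victim's next query */
    return accept_response(&next, (uint16_t)(seen.txid + 1), (uint16_t)(seen.sport + 1), "time.example");
}

/* Same forgery against the hardened client: one guess hits with probability ~2^-30. */
int spoof_next_strong(void)
{
    struct query seen, next;
    if (strong_query(&seen, "time.example") || strong_query(&next, "time.example")) return -1;
    return accept_response(&next, (uint16_t)(seen.txid + 1), (uint16_t)(seen.sport + 1), "time.example");
}

int main(void)
{
    printf("forgery accepted: counter client=%d, random client=%d\n",
           spoof_next_weak(), spoof_next_strong());
    return 0;
}
```

The forgery against the counter-based client is accepted on the first try; against the random client a single blind guess has roughly one chance in 2^30 (16 TXID bits plus 14 bits of ephemeral port), which is why RFC 5452 asks for both to be unpredictable. Randomization only raises the cost of blind spoofing: an attacker who can observe the query on the path is not stopped by it, and the matching check itself is what the Nucleus client must also perform.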

New NAME:WRECK Vulnerabilities Impact Nearly 100 Million IoT Devices

 

iot-security.jpg

 

Security researchers have uncovered nine vulnerabilities affecting four TCP/IP stacks impacting more than 100 million consumer and enterprise devices that could be exploited by an attacker to take control of a vulnerable system.

 

Dubbed "NAME:WRECK" by Forescout and JSOF, the flaws are the latest in a series of studies undertaken as part of an initiative called Project Memoria to study the security of widely-used TCP/IP stacks that are incorporated by various vendors in their firmware to offer internet and network connectivity features.

 

"These vulnerabilities relate to Domain Name System (DNS) implementations, causing either Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take target devices offline or to take control over them," the researchers said.

 

The name comes from the fact that parsing of domain names can break (i.e., "wreck") DNS implementations in TCP/IP stacks, adding to a recent uptick in vulnerabilities such as SigRed, SAD DNS, and DNSpooq that leverage the "phonebook of the internet" as an attack vector.

 

They also mark the fifth time security weaknesses have been identified in the protocol stacks that underpin millions of internet-connected devices —

Specifically, the latest research offers a closer look at the "message compression" scheme used in the DNS protocol that "eliminates the repetition of domain names in a message" with the intent of reducing the size of messages, uncovering multiple flaws in FreeBSD (12.1), IPnet (VxWorks 6.6), Nucleus NET (4.3), and NetX (6.0.1) stacks.

 

iot-hack.jpg

 

In a plausible real-world attack scenario, adversaries can exploit these flaws to find their way into an organization's network via an internet-facing device that issues DNS requests to a server and exfiltrate sensitive information, or even use them as a stepping stone to sabotage critical equipment.

 

With the exception of IPnet, FreeBSD, Nucleus NET, and NetX have all released patches, requiring device vendors using vulnerable versions of the software to ship an updated firmware to their customers.

 

But as with the previous flaws, there are several hurdles to applying the fixes, what with the lack of information regarding the TCP/IP stack that runs on a device, the difficulty in delivering patches because the devices are not centrally managed, or they cannot be taken offline due to their central role in mission-critical processes like healthcare and industrial control systems.

 

In other words, besides the effort required to identify all the vulnerable devices, it could take a considerable amount of time before the security patches trickle down from the stack vendor to the firmware of the device.

 

Even worse, in some cases, it may never be feasible to push a patch, as a result of which many of the impacted devices will most likely remain exposed to attacks for years to come or until they are decommissioned.

 

While a quick fix may not be in sight, the bright spot in the findings is that there are mitigations that make it easier to detect attempts to take advantage of these flaws. For a start, Forescout has released an open-source script to detect devices running the affected stacks. In addition, the researchers also recommend enforcing network segmentation controls until the patches are in place and monitoring all network traffic for malicious packets that attempt to exploit flaws targeting DNS, mDNS, and DHCP clients.

 

The study is also expected to be presented at the Black Hat Asia 2021 conference on May 6, 2021.

 

"NAME:WRECK is a case where bad implementations of a specific part of an RFC can have disastrous consequences that spread across different parts of a TCP/IP stack and then different products using that stack," the researchers said.

 

"It is also interesting that simply not implementing support for compression (as seen for instance in lwIP) is an effective mitigation against this type of vulnerability. Since the bandwidth saving associated with this type of compression is almost meaningless in a world of fast connectivity, we believe that support for DNS message compression currently introduces more problems than it solves."

 

Source

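Both posts come down to the same parsing discipline: the anti-pattern list in the first post (label and name length, NULL termination, record counts, compression pointer and offset validation, character validation) and the second post's closing observation that lwIP sidesteps the problem by not implementing compression at all. The following is an added example in C, not code from Forescout, JSOF or any of the four stacks, of a DNS name decoder and record walker that enforce those checks. The function names, error codes, the printable-ASCII character rule and every packet in it are constructed for the example; the `allow_compression` switch is the lwIP option, and with it off any pointer octet is a parse error.

```c
/* Added example (not code from Forescout, JSOF or any affected stack): a DNS
 * name decoder and record walker enforcing the checks whose absence the thread
 * lists as NAME:WRECK anti-patterns. All packets below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035: wire length of a whole name, terminator included */
enum dns_name_err { NAME_OK = 0, NAME_TRUNCATED, NAME_TOO_LONG, NAME_BAD_LABEL_TYPE,
                    NAME_BAD_POINTER, NAME_BAD_CHAR, NAME_COMPRESSION_OFF };
/* Decode the name at msg[off] into out (dotted text). On success *next is the
 * offset just past the name in the enclosing record (after the first pointer, if
 * any). allow_compression == 0 rejects every pointer, the lwIP approach. */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off,
                    int allow_compression, char *out, size_t out_len, size_t *next)
{
    size_t pos = off, out_pos = 0, wire_len = 0, end = 0;
    int jumped = 0;
    if (out_len == 0) return NAME_TRUNCATED;
    out[0] = '\0';
    for (;;) {
        if (pos >= msg_len) return NAME_TRUNCATED;      /* also: missing 0 terminator */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                     /* 11xxxxxx: compression pointer */
            if (!allow_compression) return NAME_COMPRESSION_OFF;
            if (pos + 1 >= msg_len) return NAME_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            /* Strictly backwards only: rejects a self-pointer (the NetX loop),
             * forward pointers and offsets past the message (the Nucleus NET
             * offset bugs), and guarantees this loop terminates. */
            if (target >= pos) return NAME_BAD_POINTER;
            if (!jumped) { end = pos + 2; jumped = 1; }
            pos = target;
            continue;
        }
        if (len & 0xC0) return NAME_BAD_LABEL_TYPE;     /* 01/10 reserved; also caps a label at 63 */
        if (len == 0) { if (!jumped) end = pos + 1; break; }   /* root label ends the name */
        if (pos + 1 + len > msg_len) return NAME_TRUNCATED;
        wire_len += 1 + len;
        if (wire_len + 1 > DNS_MAX_NAME) return NAME_TOO_LONG;
        if (out_pos + len + 2 > out_len) return NAME_TOO_LONG;  /* room for '.' and NUL */
        if (out_pos) out[out_pos++] = '.';
        for (size_t i = 0; i < len; i++) {              /* assumption: printable ASCII only */
            if (msg[pos + 1 + i] < 0x21 || msg[pos + 1 + i] > 0x7E) return NAME_BAD_CHAR;
            out[out_pos++] = (char)msg[pos + 1 + i];
        }
        out[out_pos] = '\0';
        pos += 1 + len;
    }
    if (next) *next = end;
    return NAME_OK;
}
/* Walk the question and answer sections using the header counts, bounding every
 * field by msg_len. Returns the number of records walked, or -1 on a malformed one. */
int dns_message_walk(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 12) return -1;
    uint16_t qd = (uint16_t)(msg[4] << 8 | msg[5]), an = (uint16_t)(msg[6] << 8 | msg[7]);
    size_t pos = 12; int n = 0; char name[DNS_MAX_NAME];
    for (uint16_t i = 0; i < qd; i++) {                 /* QNAME QTYPE QCLASS */
        if (dns_name_decode(msg, msg_len, pos, 1, name, sizeof name, &pos)) return -1;
        if (pos + 4 > msg_len) return -1;
        pos += 4; n++;
    }
    for (uint16_t i = 0; i < an; i++) {                 /* NAME TYPE CLASS TTL RDLENGTH RDATA */
        if (dns_name_decode(msg, msg_len, pos, 1, name, sizeof name, &pos)) return -1;
        if (pos + 10 > msg_len) return -1;
        size_t rdlen = (size_t)(msg[pos + 8] << 8 | msg[pos + 9]);
        pos += 10;
        if (rdlen > msg_len - pos) return -1;           /* RDLENGTH runs past the message */
        pos += rdlen; n++;
    }
    return n;
}
/* Constructed packets. HDR: id 1, response flags, QDCOUNT 1, ANCOUNT 1. */
#define HDR 0x00,0x01, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00
#define Q_EXAMPLE 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01
static const uint8_t pkt_good[]   = { HDR, Q_EXAMPLE, 0xC0,0x0C, 0x00,0x01, 0x00,0x01,
                                      0x00,0x00,0x0E,0x10, 0x00,0x04, 93,184,216,34 };
static const uint8_t pkt_self[]   = { HDR, 0xC0,0x0C };  /* name at offset 12 points to 12 */
static const uint8_t pkt_oob[]    = { HDR, 0xC3,0xFF };  /* points to offset 1023 */
static const uint8_t pkt_type[]   = { HDR, 0x45,'a' };   /* 01 prefix: reserved label type */
static const uint8_t pkt_noterm[] = { HDR, 7,'e','x','a','m','p','l','e', 3,'c','o','m' };
int main(void)
{
    char name[DNS_MAX_NAME]; size_t next = 0;
    int rc = dns_name_decode(pkt_good, sizeof pkt_good, 29, 1, name, sizeof name, &next);
    printf("good: rc=%d name=%s next=%zu records=%d\n", rc, name, next,
           dns_message_walk(pkt_good, sizeof pkt_good));
    printf("self=%d oob=%d type=%d noterm=%d short=%d nocomp=%d\n",
           dns_name_decode(pkt_self, sizeof pkt_self, 12, 1, name, sizeof name, NULL),
           dns_name_decode(pkt_oob, sizeof pkt_oob, 12, 1, name, sizeof name, NULL),
           dns_name_decode(pkt_type, sizeof pkt_type, 12, 1, name, sizeof name, NULL),
           dns_name_decode(pkt_noterm, sizeof pkt_noterm, 12, 1, name, sizeof name, NULL),
           dns_message_walk(pkt_good, 29),               /* header still claims one answer */
           dns_name_decode(pkt_good, sizeof pkt_good, 29, 0, name, sizeof name, NULL));
    return 0;
}
```

Two details are worth noting. A pointer is accepted only if it points strictly backwards, which on its own rules out the self-referencing offset the NetX resolver loops on, any forward pointer, and any offset beyond the message, and it guarantees termination without a hop counter. And because the top two bits of a length octet select the label type, the reserved-type check (01/10) is also what bounds a plain label to 63 octets: a length octet of 0x45 is rejected as a bad type, not as an overlong label, while the 255-octet limit on the whole name still needs its own counter.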