Millions of connected servers, firewalls, network appliances, medical devices and industrial control units could be at risk after major vulnerabilities were discovered in a basic internet protocol suite.
The nine vulnerabilities affecting four popular TCP/IP stacks (FreeBSD, Nucleus NET, IPnet and NetX) were revealed this week by researchers at Forescout in San Jose, Calif., and JSOF Research in Israel.
Collectively the vulnerabilities are called Name:Wreck, which refers to how the parsing of domain names can break – “wreck” – DNS implementations in TCP/IP stacks, leading to denial of service or remote code execution attacks.
TCP/IP stacks are the communications protocols used for organizing data transmissions from devices across the internet. A number of companies make stacks for their own or other products.
“These vulnerabilities relate to Domain Name System (DNS) implementations, causing either denial of service (DoS) or remote code execution (RCE), allowing attackers to take target devices offline or to take control over them,” the researchers reported. “The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface. This research is further indication that the community should fix DNS problems that we believe are more widespread than what we currently know.”
The three affected stacks are:
Nucleus NET, part of the Nucleus RTOS. The Nucleus RTOS website mentions that more than 3 billion devices use this real-time operating system, such as ultrasound machines, storage systems, critical systems for avionics and others. The most common types of devices running Nucleus RTOS include building automation, operational technology and VoIP;
FreeBSD, used for high-performance servers in millions of IT networks; it is also the basis for open-source projects such as firewalls and several commercial network appliances. It is more commonly found running computers, printers and networking equipment;
NetX, usually run by the ThreadX RTOS. Its typical applications include medical devices, systems-on-a-chip and several printer models. ThreadX was known to have 6.2 billion deployments in 2017, with mobile phones (probably in baseband processors), consumer electronics and business automation being the most common product categories. The most common device types running ThreadX include printers, smart clocks, and energy and power equipment in industrial control systems.
Researchers urge developers and vendors using these three software stacks in their products to update them as soon as possible and alert customers.
CISOs should ensure products running these stacks have been patched. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks.
As part of its regular security advisories, industrial equipment manufacturer Siemens released patches and mitigations on April 13 for products with Name:Wreck vulnerabilities.
According to SecurityWeek, these include Nucleus 4, Nucleus NET, Nucleus RTOS, Nucleus ReadyStart, and VSTAR, as well as the Nucleus source code.
If patching isn’t possible, the Forescout/JSOF report recommends CISOs:
- Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths, and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they are.
- Monitor progressive patches released by affected device vendors and devise a remediation plan for the vulnerable asset inventory, balancing business risk and business continuity requirements.
- Configure devices to rely on internal DNS servers as much as possible and closely monitor external DNS traffic since exploitation requires a malicious DNS server to reply with malicious packets.
- Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-days affecting DNS, mDNS and DHCP clients.
Researchers say to exploit Name:Wreck vulnerabilities, an attacker must adopt a similar procedure for any TCP/IP stack. This means that the same detection technique used to identify exploitation will also detect exploitation on other TCP/IP stacks and products that haven’t been analyzed yet.
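The defect class behind Name:Wreck is name parsing that trusts label lengths and compression pointers. As an added illustration (not code from the Forescout/JSOF report or the Joern queries), the following Python decoder applies the bounds, length and pointer checks a robust DNS client needs, and the `check_name` helper classifies a name the way a traffic monitor might; every sample message is constructed inline.

```python
# Added example: a defensively written DNS name decoder (RFC 1035 wire format).
# It is not code from the Forescout/JSOF report; sample messages are constructed.
from __future__ import annotations

MAX_NAME_LEN = 255  # RFC 1035 limit on the whole encoded name


class MalformedName(ValueError):
    """Raised when a name violates the wire-format rules."""


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at msg[offset].

    Returns (dotted name, offset just past the name in the original stream).
    Raises MalformedName on reads past the end of the message, reserved label
    types, over-long names, and forward or repeated compression pointers.
    """
    labels, total, pos, end_pos, seen = [], 0, offset, None, set()
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end_pos is None:  # the name ends after the first pointer
                end_pos = pos + 2
            # Pointers may only go backwards and may not be followed twice,
            # which rules out self-references and pointer loops.
            if target >= pos or pos in seen:
                raise MalformedName("bad compression pointer")
            seen.add(pos)
            pos = target
            continue
        if length & 0xC0:  # 01xxxxxx / 10xxxxxx are reserved label types
            raise MalformedName("reserved label type")
        if length == 0:  # root label terminates the name
            return ".".join(labels) or ".", (end_pos if end_pos is not None else pos + 1)
        total += length + 1
        if total > MAX_NAME_LEN:
            raise MalformedName("name longer than 255 bytes")
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def check_name(msg: bytes, offset: int = 0) -> tuple[bool, str]:
    """Classify a name for a traffic monitor: (True, name) or (False, reason)."""
    try:
        return True, parse_name(msg, offset)[0]
    except MalformedName as exc:
        return False, str(exc)
```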
The discovery of Name:Wreck is the latest part of an investigation started last year into TCP/IP stack problems called Project Memoria. Not only are TCP/IP stacks widespread, researchers note, but they’re also notoriously vulnerable due to decades-old codebases and an attractive attack surface.
Other groups of vulnerabilities found so far include:
- Ripple20, a set of 19 vulnerabilities on the Treck TCP/IP stack released by JSOF in June 2020;
- Amnesia:33, a set of 33 memory-corrupting vulnerabilities;
- Number:Jack, nine vulnerabilities in multiple TCP/IP stacks that can improperly generate ISNs (Initial Sequence Numbers) within TCP connections, leaving a device’s TCP connections open to attacks.
The latest report “is further proof that DNS protocol complexity leads to several vulnerable implementations,” say the authors, “and that the [IT] community should act to fix a problem that we believe is more widespread than what we currently know.”
They urge developers of TCP/IP stacks that have yet to be analyzed to take the anti-patterns available in a technical report, check their code for the presence of bugs and fix them.
To help with this process, open-source code developed for the Joern static analysis tool is available. It formalizes the anti-patterns Project Memoria has identified, allowing researchers and developers to analyze other stacks for similar vulnerabilities automatically.