Security researchers at the IoT enterprise security firm Forescout and the Israeli security research group JSOF recently disclosed nine vulnerabilities in four TCP/IP protocol stacks that affect more than 100 million consumer and enterprise devices. Attackers can exploit these vulnerabilities to take control of the affected systems.
The vulnerabilities, dubbed NAME:WRECK, are the latest findings of a research program called Project Memoria. The project studies the security of the widely used TCP/IP stacks that vendors build into their firmware to provide Internet and network connectivity.
The researchers say the vulnerabilities lie in the stacks’ implementation of the Domain Name System (DNS) protocol. They lead to Denial of Service (DoS) or Remote Code Execution (RCE), letting attackers take target devices offline or take control of them.
This is the fifth time a security flaw has been found in the protocol stack that powers millions of internet-connected devices.
Problems in the four TCP/IP stacks
FreeBSD (vulnerable version: 12.1) – one of the most popular operating systems in the BSD family.
IPnet (vulnerable version: VxWorks 6.6) – originally developed by Interpeak, now maintained by Wind River and used by the VxWorks real-time operating system (RTOS).
NetX (vulnerable version: 6.0.1) – part of the ThreadX RTOS, now an open-source project maintained by Microsoft under the name Azure RTOS NetX.
Nucleus NET (vulnerable version: 4.3) – part of the Nucleus RTOS maintained by Mentor Graphics, a Siemens company, and used in medical, industrial, consumer, aerospace and IoT devices.
According to Forescout, hackers are likely to exploit these vulnerabilities to steal sensitive data, or to modify devices or take them offline for sabotage, causing significant damage to government or enterprise servers, medical facilities, retailers or manufacturing companies.
Attackers could also interfere with critical building functions in residential or commercial premises to control heating and ventilation, disable security systems or tamper with automated lighting.
When analyzing the DNS implementations in the aforementioned TCP/IP stacks, the researchers focused on the protocol’s message compression feature.
It is not uncommon for a DNS response packet to contain the same domain name, or part of one, several times, so the protocol includes a compression mechanism to reduce the size of DNS messages.
In an April 13 report, Forescout explained that although some protocols do not officially support compression, the feature still turns up in many real-world implementations. This happens “due to code reuse or a special understanding of the specification”.
However, not all NAME:WRECK vulnerabilities can be exploited to the same effect. One of the most potentially impactful is a remote code execution vulnerability, which received the highest severity score of 9.8 out of 10.
Below is a summary of all nine vulnerabilities, their identification numbers and their severity scores.
As the table shows, not all of the vulnerabilities are related to message compression. The exceptions are by-products of the research and can be chained with other vulnerabilities to amplify the effect of an attack.
Forescout’s report delves into the technical details of exploiting several NAME:WRECK vulnerabilities the company discovered in the open-source TCP/IP stacks, as well as vulnerabilities from the AMNESIA:33 collection, that could lead to remote code execution.
The company also describes several recurring implementation issues in DNS message parsers, known as anti-patterns, that are responsible for the NAME:WRECK vulnerabilities:
Lack of TXID validation, and insufficiently random TXIDs and source UDP ports
Missing domain character validation
Missing label and name length validation
Missing NULL termination validation
Missing record count field validation
Missing domain compression pointer and offset validation
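As an added illustration (not code from the article, from Forescout or from any of the stacks named above), the following C function decodes a compressed DNS name the way a hardened embedded resolver should, turning the compression mechanism described earlier and each anti-pattern in the list into one explicit check: a bounds check before every read, label and total-name length limits, a hostname-character filter, and the rule that a compression pointer must land strictly before the start of the segment being parsed, which rejects self-references and cycles without needing a jump counter. The sample packets, error codes and helper names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_MAX_LABEL 63   /* RFC 1035: a label is at most 63 bytes, a whole name at most 255 on the wire */
#define DNS_MAX_NAME  255

enum dns_name_err { DNS_NAME_OK = 0, DNS_NAME_ERR_TRUNCATED, DNS_NAME_ERR_LABEL_TOO_LONG,
                    DNS_NAME_ERR_NAME_TOO_LONG, DNS_NAME_ERR_BAD_POINTER, DNS_NAME_ERR_POINTER_LOOP,
                    DNS_NAME_ERR_BAD_CHAR, DNS_NAME_ERR_OUTPUT_TOO_SMALL };

/* Hostname alphabet: letters, digits, '-' and '_' (SRV owner names). A policy choice, not an RFC rule. */
static int dns_char_ok(uint8_t ch)
{
    return (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
           (ch >= '0' && ch <= '9') || ch == '-' || ch == '_';
}

/* Decode the possibly compressed name at offset pos into the dotted string out. On success *next
 * is the offset of the field after the name in the original (unjumped) byte stream. */
int dns_name_decode(const uint8_t *pkt, size_t len, size_t pos,
                    char *out, size_t outsz, size_t *next)
{
    size_t cur = pos, end = 0, outlen = 0, wirelen = 0;
    size_t limit = pos;                      /* every pointer must land strictly before this offset */
    int jumped = 0;

    if (outsz == 0) return DNS_NAME_ERR_OUTPUT_TOO_SMALL;
    for (;;) {
        if (cur >= len) return DNS_NAME_ERR_TRUNCATED;                 /* bounds-check every read */
        uint8_t c = pkt[cur];
        if ((c & 0xC0) == 0xC0) {                                      /* 11xxxxxx: compression pointer */
            if (cur + 1 >= len) return DNS_NAME_ERR_TRUNCATED;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[cur + 1];
            if (!jumped) { end = cur + 2; jumped = 1; }                /* the name ends at its first pointer */
            if (target >= len) return DNS_NAME_ERR_BAD_POINTER;
            /* A legitimate pointer refers to an earlier name, so it must land before the start of the
             * segment being parsed; that excludes self-references and cycles by construction. */
            if (target >= limit) return DNS_NAME_ERR_POINTER_LOOP;
            limit = cur = target;
            continue;
        }
        if (c == 0) {                                                  /* root label: end of name */
            out[outlen] = '\0';
            if (next) *next = jumped ? end : cur + 1;
            return DNS_NAME_OK;
        }
        size_t lablen = c;                  /* literal label; bytes 64..191 (reserved prefixes) fail the next check */
        if (lablen > DNS_MAX_LABEL) return DNS_NAME_ERR_LABEL_TOO_LONG;
        if (cur + 1 + lablen > len) return DNS_NAME_ERR_TRUNCATED;
        wirelen += 1 + lablen;
        if (wirelen + 1 > DNS_MAX_NAME) return DNS_NAME_ERR_NAME_TOO_LONG; /* +1 for the root byte */
        if (outlen + (outlen ? 1 : 0) + lablen + 1 > outsz)            /* '.' + label + NUL must fit */
            return DNS_NAME_ERR_OUTPUT_TOO_SMALL;
        if (outlen) out[outlen++] = '.';
        for (size_t i = 0; i < lablen; i++) {
            if (!dns_char_ok(pkt[cur + 1 + i])) return DNS_NAME_ERR_BAD_CHAR;
            out[outlen++] = (char)pkt[cur + 1 + i];
        }
        cur += 1 + lablen;
    }
}

/* Wrappers: status only (usable as an inspection predicate), decoded name (static buffer, NULL on
 * error) and the offset of the field following the name (0 on error). */
int dns_name_check(const uint8_t *pkt, size_t len, size_t pos)
{
    char tmp[DNS_MAX_NAME + 1];
    return dns_name_decode(pkt, len, pos, tmp, sizeof tmp, NULL);
}
const char *dns_name_string(const uint8_t *pkt, size_t len, size_t pos)
{
    static char buf[DNS_MAX_NAME + 1];
    return dns_name_decode(pkt, len, pos, buf, sizeof buf, NULL) == DNS_NAME_OK ? buf : NULL;
}
size_t dns_name_end(const uint8_t *pkt, size_t len, size_t pos)
{
    char tmp[DNS_MAX_NAME + 1]; size_t next = 0;
    return dns_name_decode(pkt, len, pos, tmp, sizeof tmp, &next) == DNS_NAME_OK ? next : 0;
}

/* Constructed sample packets, not real captures. Names start at offset 12, right after the header. */
#define HDR12 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0      /* id, flags, qd=1, an=1, ns=0, ar=0 */
const uint8_t PKT_OK[] = { HDR12, 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1, /* @12 example.com, A, IN */
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 93,184,216,34 };   /* @29 pointer to 12, A, IN, TTL, rdlen, rdata */
const uint8_t PKT_SELF_LOOP[]  = { HDR12, 0xC0,0x0C };                 /* name points at itself                */
const uint8_t PKT_CYCLE[]      = { HDR12, 3,'w','w','w', 0xC0,0x0C };  /* "www", then pointer to its own start */
const uint8_t PKT_OOB_PTR[]    = { HDR12, 0xC0,0xFF };                 /* pointer past the end of the packet   */
const uint8_t PKT_LONG_LABEL[] = { HDR12, 64,'a','a','a' };            /* length byte 64 > 63                  */
const uint8_t PKT_TRUNCATED[]  = { HDR12, 5,'a','b' };                 /* claims 5 label bytes, carries 2      */
const uint8_t PKT_BAD_CHAR[]   = { HDR12, 3,'a','/','b', 0 };          /* '/' is outside the hostname alphabet */

/* Five 63-byte labels: 5*64 + 1 = 321 wire bytes, over the 255-byte limit. */
int demo_long_name_status(void)
{
    uint8_t pkt[12 + 5 * 64 + 1] = {0}; size_t p = 12;
    for (int i = 0; i < 5; i++) { pkt[p++] = 63; memset(pkt + p, 'a', 63); p += 63; }
    return dns_name_check(pkt, sizeof pkt, 12);
}
```

The file is a translation unit without a main: dns_name_check is the predicate a resolver or a traffic-inspection rule would call, and the constructed samples show which error code each malformed name trips. PKT_CYCLE is the instructive one: a check that only requires a pointer to go backwards accepts it (the pointer at offset 16 targets offset 12) and then loops forever, whereas requiring the target to precede the start of the current segment rejects it. The character filter is deliberately hostname-only and would need loosening in a stack that must resolve arbitrary DNS names.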
FreeBSD, Nucleus NET and NetX have all released patches for NAME:WRECK, so the issues can be resolved by installing the fixes on affected products.
However, this process is unlikely to reach a 100% success rate, because of several obstacles:
First, the operator needs to determine which TCP/IP stack is running on an affected device. That is not always easy, because sometimes even the equipment vendor does not know.
Another hurdle is applying the patches, which in many cases must be installed manually.
Forescout also offers mitigation guidance, which security engineers can use, for example, to develop signatures that detect attempts to exploit the DNS vulnerabilities:
Discover and inventory devices running vulnerable stacks
Enforce segmentation controls and proper cyber hygiene
Monitor incremental patches released by affected device vendors
Configure devices to rely on internal DNS servers
Monitor all network traffic for malicious packets
In addition, Forescout provides two open-source tools: one that helps determine whether a network device is running a specific embedded TCP/IP stack (Project Memoria Detector), and one, built on the Joern code-analysis platform, for detecting issues like NAME:WRECK.