The JSOF research team, together with Forescout Research Labs, has disclosed a set of nine vulnerabilities in Domain Name System (DNS) implementations that lead to either Denial of Service (DoS) or Remote Code Execution (RCE).
This vulnerability set, known as NAME:WRECK, could allow attackers to take target devices offline or take control of them.
NAME:WRECK Affects Four Popular TCP/IP Stacks
- FreeBSD: widely used in high-performance servers and as the basis for firewalls and commercial network appliances.
- IPnet: originally developed by Interpeak and now maintained by Wind River as the TCP/IP stack of the VxWorks real-time operating system, geared for enterprise and telecom markets.
- NetX: the TCP/IP stack usually run by the ThreadX RTOS, now maintained by Microsoft as Azure RTOS NetX. Common product categories include mobile phones, consumer electronics, and business automation, in devices such as printers, smart clocks, systems-on-a-chip, and energy and power equipment in Industrial Control Systems (ICS).
- Nucleus NET: part of Nucleus RTOS (Mentor, a Siemens business), deployed in over 3 billion devices. Commonly used in building automation, operational technology, and VoIP, as well as ultrasound machines, storage systems, and critical avionics systems.
The extensive use of these stacks, together with the external exposure of the vulnerable DNS clients, results in a significantly increased attack surface.
Even the most conservative estimates conclude that millions of devices are affected by NAME:WRECK.
In the attack scenario the researchers describe, the attacker obtains Initial Access to an organization's network (step 1) by compromising an internet-exposed device, such as an IoT device, that issues DNS requests to a server on the internet. Initial access can be obtained by exploiting one of the RCEs affecting Nucleus NET: because the vulnerabilities lie in the DNS client's parsing of responses, the attacker only needs a crafted DNS response to reach the device, for instance from a DNS server under the attacker's control or by spoofing the response to a legitimate query.
After gaining initial access, the attacker uses the compromised device to set up a rogue DHCP server inside the network and achieves Lateral Movement (step 2) by serving malicious DHCP responses to vulnerable internal FreeBSD servers that broadcast DHCP requests, executing code on them.
Finally, the attacker uses those compromised internal servers to Persist on the target network or to Exfiltrate data (step 3) through the internet-exposed IoT device.
Researchers estimate that at least 100 million devices are impacted by NAME:WRECK. The recommended mitigations are:
- Discover and inventory devices running the vulnerable stacks
- Enforce segmentation controls and proper network hygiene
- Track the patches that the affected device vendors release progressively, and apply them
- Configure devices to rely on internal DNS servers, so that DNS responses from the internet never reach the vulnerable clients directly
- Monitor all network traffic for malicious packets that attempt to exploit these vulnerabilities
It is noteworthy that when a stack has a vulnerable DNS client there are often several vulnerabilities together, but the message-compression anti-pattern stands out because it commonly leads to RCE: decompressing a name means following pointers into the message and copying labels out of it, and without bounds checks those pointer and memory operations become out-of-bounds reads and writes.
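As an added example (not code from the JSOF/Forescout research or from any of the affected stacks), the C routine below decodes a DNS name that uses message compression the way a hardened client should, and marks the checks that turn the anti-pattern into a safe parse: the pointer target must lie inside the message and refer to a name that starts earlier than the one being decoded (a stricter rule than "points backwards", chosen here because it also defeats two-pointer cycles), a hop cap is kept as defence in depth, each label must fit in the message, the decoded name is capped at 255 octets, and the output buffer is bounds-checked. The sample messages are constructed test vectors, not captured traffic, and DNS_MAX_HOPS is an assumed value. The same routine, run over captured DNS responses and dropping anything that does not decode cleanly, is one concrete form of the traffic monitoring the mitigation list asks for.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result of dns_read_name(); any status other than DNS_NAME_OK means: drop the message. */
enum dns_name_status {
    DNS_NAME_OK = 0,
    DNS_NAME_ERR_TRUNCATED,    /* label or pointer runs past the end of the message */
    DNS_NAME_ERR_BAD_POINTER,  /* pointer outside the message or not to an earlier name */
    DNS_NAME_ERR_LOOP,         /* pointer hop cap exceeded */
    DNS_NAME_ERR_LABEL,        /* reserved label type (01/10 prefix) */
    DNS_NAME_ERR_NAME_LEN,     /* decoded name exceeds 255 octets */
    DNS_NAME_ERR_OUTPUT        /* caller's buffer too small */
};
#define DNS_MAX_NAME 255
#define DNS_MAX_HOPS 16  /* assumed defence-in-depth cap, not an RFC value */

/* Decode the possibly compressed name at msg[offset] into out as dotted text. *consumed
 * gets the octets the name occupies at offset: a pointer ends the name on the wire, so
 * decoding may continue elsewhere but the caller's cursor only advances past the pointer. */
enum dns_name_status
dns_read_name(const uint8_t *msg, size_t msg_len, size_t offset,
              char *out, size_t out_len, size_t *consumed)
{
    size_t pos = offset, out_pos = 0, wire_len = 0, hops = 0, end = 0;
    size_t limit = offset;  /* a pointer must target a name that starts before this one */

    if (out_len == 0) return DNS_NAME_ERR_OUTPUT;
    for (;;) {
        if (pos >= msg_len) return DNS_NAME_ERR_TRUNCATED;
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {              /* 11xxxxxx: compression pointer */
            if (pos + 1 >= msg_len) return DNS_NAME_ERR_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (end == 0) end = pos + 2;
            /* The anti-pattern is indexing msg[target] without these two checks:
             * target >= msg_len reads out of bounds, and a target that is not
             * strictly earlier than the current name allows pointer cycles. */
            if (target >= msg_len || target >= limit) return DNS_NAME_ERR_BAD_POINTER;
            if (++hops > DNS_MAX_HOPS) return DNS_NAME_ERR_LOOP;
            limit = pos = target;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_ERR_LABEL; /* 01/10 prefixes are reserved */
        if (len == 0) {                            /* root label: name complete */
            if (end == 0) end = pos + 1;
            break;
        }
        /* len is 1..63 here; the label bytes must lie inside the message */
        if (pos + 1 + len > msg_len) return DNS_NAME_ERR_TRUNCATED;
        wire_len += 1 + len;
        if (wire_len + 1 > DNS_MAX_NAME) return DNS_NAME_ERR_NAME_LEN;
        /* separator dot + label + final NUL must fit in the caller's buffer */
        if (out_pos + (out_pos ? 1 : 0) + len + 1 > out_len) return DNS_NAME_ERR_OUTPUT;
        if (out_pos) out[out_pos++] = '.';
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        pos += 1 + len;
    }
    out[out_pos] = '\0';
    if (consumed) *consumed = end - offset;
    return DNS_NAME_OK;
}

/* ---- constructed test vectors (not captured traffic) ---- */
#define DNS_HDR 0,0,0,0,0,0,0,0,0,0,0,0           /* 12-octet header, contents irrelevant */
static const uint8_t MSG_BENIGN[] = { DNS_HDR,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offset 12: example.com */
    3,'w','w','w', 0xC0,0x0C };                        /* offset 25: www + ptr->12 */
static const uint8_t MSG_SELF[]  = { DNS_HDR, 0xC0,0x0C };        /* ptr->12 points to itself */
static const uint8_t MSG_OOB[]   = { DNS_HDR, 0xC0,0xFF };        /* ptr->255 in a 14-octet message */
static const uint8_t MSG_TRUNC[] = { DNS_HDR, 0x10,'a','b','c' }; /* claims 16 octets, has 3 */

static enum dns_name_status decode_at(const uint8_t *m, size_t n, size_t off, char *name) {
    return dns_read_name(m, n, off, name, DNS_MAX_NAME + 1, NULL);
}
int demo_benign(void) {   /* 1 if "www.example.com" decodes and occupies 6 wire octets */
    char name[DNS_MAX_NAME + 1]; size_t used = 0;
    enum dns_name_status st = dns_read_name(MSG_BENIGN, sizeof MSG_BENIGN, 25,
                                            name, sizeof name, &used);
    return st == DNS_NAME_OK && strcmp(name, "www.example.com") == 0 && used == 6;
}
enum dns_name_status demo_self_pointer(void) { char n[256]; return decode_at(MSG_SELF, sizeof MSG_SELF, 12, n); }
enum dns_name_status demo_oob_pointer(void)  { char n[256]; return decode_at(MSG_OOB, sizeof MSG_OOB, 12, n); }
enum dns_name_status demo_truncated(void)    { char n[256]; return decode_at(MSG_TRUNC, sizeof MSG_TRUNC, 12, n); }
/* Two pointers that each sit after their target but still form a cycle:
 * 48 -> 12, the 28-octet label at 12 runs to 41, and the pointer at 41 -> 48. */
enum dns_name_status demo_two_step_loop(void) {
    uint8_t buf[64] = {0}; char n[256];
    buf[12] = 28; memset(buf + 13, 'a', 28);
    buf[41] = 0xC0; buf[42] = 0x30;           /* ptr -> 48 */
    buf[48] = 0xC0; buf[49] = 0x0C;           /* ptr -> 12 */
    return decode_at(buf, sizeof buf, 48, n);
}
/* Five 63-octet labels: 320 wire octets, over the 255-octet name limit. */
enum dns_name_status demo_name_too_long(void) {
    uint8_t buf[12 + 5 * 64 + 1] = {0}; char n[256];
    for (int i = 0; i < 5; i++) { buf[12 + i * 64] = 63; memset(buf + 13 + i * 64, 'x', 63); }
    return decode_at(buf, sizeof buf, 12, n);
}
```

A client that rejects the message on any non-OK status cannot be driven into an out-of-bounds read or write by a crafted response. The two-step case is the one worth studying: each pointer in it points backwards from where it sits, so a parser that only checks "pointer goes backwards" spins forever, while requiring every target to precede the start of the name currently being decoded rejects it on the second hop.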