Experts from the Forescout Research Labs and the JSOF Research team have discovered a set of nine DNS-related vulnerabilities affecting four popular TCP/IP stacks (FreeBSD, Siemens Nucleus NET, IPnet, and NetX), and by extension, over 100 million IoT, OT, and IT devices that rely on them. Called “Name:Wreck”, the flaws introduce denial of service and remote code execution risks, enabling actors to take full control of the vulnerable devices or render them useless.
The set of identified vulnerabilities is the following:
As for the vulnerable stacks, the researchers can confirm the following versions as exploitable:
A typical attack would begin with a DNS request to a vulnerable server, giving the attacker initial access to the organization’s network. From there, lateral movement in the network becomes possible via code execution and DHCP requests. Finally, the attacker could exfiltrate data from the compromised servers.
The estimated impact on product categories covers mobile phones, various IoT devices used in homes or offices, retail automation systems, industrial automation solutions, communication and networking equipment, aerospace and defense, automotive and transportation, and even medical devices. The researchers clarify that the 100 million estimate is very conservative and that, in reality, the number of affected devices could be considerably higher.
Patching them all is also very complicated, if not outright impossible. It would require identifying which OS is running on each IoT device, obtaining the versions of the currently installed packages, and then pushing updates down to the consumer level. Even if the patches trickle down from the stack vendor to the device's firmware, those devices aren’t centrally managed, so the fixes will need to be applied manually. For example, medical and industrial control systems that are rarely taken offline are very unlikely to ever receive such fixes.
What this leaves us with is mitigations, so here are the researchers' suggestions: