Researchers have estimated more than 100m internet-connected devices are vulnerable to a class of vulnerabilities dubbed NAME:WRECK.
How this class of vulnerabilities will impact millions of connected devices & potentially ‘wreck’ the day of IT security professionals is open to debate.
Devices ranging from smartphones and aircraft navigation systems to industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available for some affected vendors.
9 vulnerabilities were identified within the implementation of the Domain Name System (DNS) protocol used by TCP/IP network communication stacks. These 2 technologies are used together to uniquely identify devices connected to the internet & facilitate digital communications between them. The most serious of the flaws are rated critical in severity.
“The widespread deployment & often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,” researchers outlined in a report released Tuesday (PDF). “We can estimate that at least 100m devices are impacted by NAME:WRECK.”
NAME:WRECK Bugs Break-Down
Under the auspices of the research collective known as Project Memoria, NAME:WRECK is the 5th set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past 3 years. Those that have come before are URGENT/11, Ripple20, Amnesia:33 & NUMBER:JACK (also discovered by Project Memoria & Forescout).
Forescout & JSOF researchers divide the 9 NAME:WRECK vulnerabilities into 4 subcategories of devices, depending on the DNS & TCP/IP stacks (or firmware) used inside them. The categories are FreeBSD, IPnet, Nucleus NET & NetX, each common in IoT and operational technology (OT) systems.
Researchers explained that the origin of the name NAME:WRECK is based on “how the parsing of domain names can break – ‘wreck’ – DNS implementations in TCP/IP stacks, leading to denial of service or remote code-execution.”
NAME:WRECK is similar to earlier TCP/IP-DNS bugs that show the complexity of the DNS protocol “that tends to yield vulnerable implementations,” where bugs can often be used by external attackers to take control of millions of devices simultaneously, researchers observed.
DNS Compression Bug
One class of NAME:WRECK bugs is identified as DNS compression issues, affecting a wide range of devices that compress the data they use to communicate over the internet using TCP/IP.
“With the 1st vulnerability, CVE-2020-27009, the attacker can craft a DNS response packet with a combination of invalid compression pointer offsets that allows them to write arbitrary data into sensitive parts of a device’s memory, where they will then inject the code,” researchers wrote.
“The 2nd vulnerability, CVE-2020-15795, allows the attacker to craft meaningful code to be injected by abusing very large domain name records in the malicious packet. Finally, to deliver the malicious packet to the target, the attacker can bypass DNS query-response matching using CVE-2021-25677,” they wrote.
The technical specifics are complicated but come down to how a domain name (like Google.com) is encoded within the TCP/IP stack as a sequence of labels “terminated by the NULL byte (0x00).”
This process of encoding & compressing domain names is meant to reduce the size of DNS messages. However, attackers could exploit vulnerabilities within the TCP/IP stack to force it to unpack a maliciously compressed domain name, exposing the devices running that stack to attack.
Invalid Compression Offsets
“By carefully choosing a combination of invalid compression offsets placed in a DNS packet, attackers can perform controlled out-of-bounds writes into the destination buffer ‘dst,’ potentially achieving remote code-execution,” researchers wrote.
As for the attack vector, researchers suggested, “The easiest way to construct a payload that will overflow name & overwrite heap metadata is to chain multiple domain labels.”
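The researchers' description above comes down to two things a DNS name decoder must check: that every compression pointer is in range and points strictly backwards (so it can neither loop nor reach outside the packet), and that the accumulated labels never outgrow the destination buffer or the 255-byte wire limit, which is what chaining many labels tries to defeat. The following C function is an added example written for this article; it is not code from the Forescout/JSOF report or from any of the affected stacks. It decodes a possibly-compressed name from a constructed DNS message (the `SAMPLE_MSG` bytes, the `dns_decode_name` function and the `sample_*` helpers are all assumptions of this example, not identifiers from the report) and returns a status instead of writing anything it cannot fit. The buffer name `dst` is kept to match the researchers' quote.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes: anything other than DNS_NAME_OK means the packet must be dropped. */
enum dns_name_status {
    DNS_NAME_OK = 0,
    DNS_NAME_TRUNCATED,   /* a label or pointer runs past the end of the message */
    DNS_NAME_BAD_LABEL,   /* label longer than 63 bytes, or reserved type bits 0x40/0x80 */
    DNS_NAME_BAD_POINTER, /* pointer into the header, out of range, or not strictly backwards */
    DNS_NAME_TOO_LONG,    /* decoded wire-format name would exceed 255 bytes */
    DNS_NAME_DST_FULL     /* caller's dst buffer cannot hold the text form */
};

#define DNS_HDR_LEN   12
#define DNS_MAX_NAME  255
#define DNS_MAX_LABEL 63

/* Decode the name at msg[off] into dst as dotted text. On success *consumed is the
 * number of bytes the name occupies at off (up to and including the first pointer,
 * or the terminating 0x00 if the name is not compressed). */
enum dns_name_status dns_decode_name(const uint8_t *msg, size_t msg_len, size_t off,
                                     char *dst, size_t dst_len, size_t *consumed)
{
    size_t pos = off, out = 0, wire_len = 0, first_ptr_end = 0;
    int jumped = 0;

    if (dst_len < 2) return DNS_NAME_DST_FULL; /* need room for at least "." and NUL */
    for (;;) {
        if (pos >= msg_len) return DNS_NAME_TRUNCATED;
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {             /* compression pointer: 11xxxxxx xxxxxxxx */
            if (pos + 1 >= msg_len) return DNS_NAME_TRUNCATED;
            size_t ptr = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            /* RFC 1035 pointers refer to a *prior* occurrence. Requiring ptr < pos
             * (and outside the fixed header) makes every hop move backwards, so
             * self-pointers, forward pointers and pointer loops are all rejected and
             * the loop below is guaranteed to terminate. */
            if (ptr < DNS_HDR_LEN || ptr >= pos) return DNS_NAME_BAD_POINTER;
            if (!jumped) { first_ptr_end = pos + 2; jumped = 1; }
            pos = ptr;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_BAD_LABEL; /* 0x40 / 0x80 label types are reserved */
        if (len == 0) {                            /* root label terminates the name */
            if (++wire_len > DNS_MAX_NAME) return DNS_NAME_TOO_LONG;
            if (out == 0) dst[out++] = '.';
            dst[out] = '\0';
            *consumed = jumped ? first_ptr_end - off : pos + 1 - off;
            return DNS_NAME_OK;
        }
        if (len > DNS_MAX_LABEL) return DNS_NAME_BAD_LABEL;
        if (pos + 1 + len > msg_len) return DNS_NAME_TRUNCATED;
        wire_len += 1 + len;                       /* length byte plus label bytes */
        if (wire_len > DNS_MAX_NAME) return DNS_NAME_TOO_LONG;
        /* Check dst *before* copying: label, a separating dot, and the NUL. */
        if (out + (out ? 1 : 0) + len + 1 > dst_len) return DNS_NAME_DST_FULL;
        if (out) dst[out++] = '.';
        memcpy(dst + out, msg + pos + 1, len);
        out += len;
        pos += 1 + len;
    }
}

/* Constructed DNS message (not a real capture). Offsets 12 and 29 hold valid names;
 * the later offsets each contain one malformed construct a hardened decoder must reject. */
static const uint8_t SAMPLE_MSG[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, /* 0: header */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, /* 12 */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10,  /* 29: "mail" + pointer back to offset 16 */
    0xC0, 0x24,                         /* 36: pointer to itself */
    0xC0, 0x2C,                         /* 38: forward pointer to offset 44 */
    0xC0, 0x05,                         /* 40: pointer into the header */
    0x40, 'x',                          /* 42: reserved label type */
    3, 'a', 'b',                        /* 44: label claims 3 bytes, only 2 remain */
};

enum dns_name_status sample_status(size_t off)
{
    char dst[DNS_MAX_NAME + 1]; size_t used;
    return dns_decode_name(SAMPLE_MSG, sizeof SAMPLE_MSG, off, dst, sizeof dst, &used);
}

/* 1 if the name at off decodes to expected and occupies expected_len bytes there. */
int sample_matches(size_t off, const char *expected, size_t expected_len)
{
    char dst[DNS_MAX_NAME + 1]; size_t used = 0;
    if (dns_decode_name(SAMPLE_MSG, sizeof SAMPLE_MSG, off, dst, sizeof dst, &used) != DNS_NAME_OK)
        return 0;
    return strcmp(dst, expected) == 0 && used == expected_len;
}

/* Five chained 63-byte labels (320 wire bytes): the "chain multiple labels" case. */
enum dns_name_status sample_too_long_status(void)
{
    uint8_t msg[DNS_HDR_LEN + 5 * 64 + 1]; char dst[512]; size_t used, p = DNS_HDR_LEN;
    memset(msg, 0, sizeof msg);
    for (int i = 0; i < 5; i++) { msg[p++] = 63; memset(msg + p, 'a', 63); p += 63; }
    msg[p] = 0;
    return dns_decode_name(msg, sizeof msg, DNS_HDR_LEN, dst, sizeof dst, &used);
}

int main(void)
{
    static const size_t offsets[] = { 12, 29, 36, 38, 40, 42, 44 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("name at offset %zu -> status %d\n", offsets[i], sample_status(offsets[i]));
    printf("chained labels -> status %d\n", sample_too_long_status());
    return 0;
}
```

The same function doubles as a validator for packet inspection: run it over every name in the question and answer sections of inbound responses and drop, or alert on, any message for which it returns something other than `DNS_NAME_OK`.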
Researchers also identified other types of NAME:WRECK flaws, such as domain name label-parsing bugs, message-compression vulnerabilities & VDomain name label-parsing bugs.
9 NAME:WRECK Bugs
These are the vulnerability CVE tracking numbers & the type of TCP/IP stacks impacted:
- CVE-2020-7461: A message compression bug impacting devices running FreeBSD & can lead to RCE (CVSS severity rating 7.7);
- CVE-2016-20009: A message compression bug impacting devices running IPnet & can lead to RCE (CVSS severity rating 9.8);
- CVE-2020-15795: A domain name label-parsing bug impacting devices running Nucleus NET & can lead to RCE (CVSS severity rating 8.1);
- CVE-2020-27009: A message-compression bug impacting devices running Nucleus NET & can lead to RCE (CVSS severity rating 8.1);
- CVE-2020-27736: A VDomain name label-parsing bug impacting devices running Nucleus NET & can lead to DoS (CVSS severity rating 6.5);
- CVE-2020-27737: A VDomain name label-parsing bug impacting devices running Nucleus NET & can lead to DoS (CVSS severity rating 6.5);
- CVE-2020-27738: A message-compression bug impacting devices running Nucleus NET & can lead to DoS (CVSS severity rating 6.5);
- CVE-2021-25677: A transaction-ID bug impacting devices running Nucleus NET & can lead to DNS cache-poisoning attacks (CVSS severity rating 5.3);
- One bug with no CVE assigned: A message-compression bug impacting devices running NetX & can lead to DNS cache-poisoning attacks (CVSS severity rating 6.5).
Mitigate NAME:WRECK Bugs?
Researchers are recommending that users & IT security staff discover & inventory devices running the vulnerable stacks. Forescout is making available an open-source script to fingerprint impacted devices.
Researchers also recommended the implementation of device & network-segmentation controls & restricting external communication to vulnerable devices until they are patched or removed from the network; & of course, users should patch devices as fixes become available.
Configure Vulnerable Devices
Also, users should configure vulnerable devices to run on internal DNS servers, & monitor network traffic for malicious packets attempting to exploit NAME:WRECK vulnerabilities or any bug affecting DNS, mDNS & DHCP clients.