More than 100 million consumer and enterprise IoT devices are believed to be affected by a new set of DNS vulnerabilities, according to Forescout and the Israeli consultancy firm JSOF.
The vulnerabilities, collectively named Name:Wreck, affect the DNS implementations in several popular TCP/IP network stacks: the open-source operating system FreeBSD and the IoT/OT TCP/IP stacks IPnet, Nucleus NET and NetX.
In total, 9 vulnerabilities were identified, which could allow remote code execution or denial of service. The researchers note that IoT devices running the above software are not necessarily vulnerable, but they estimate conservatively that if 1% of the 10 billion deployments worldwide were affected, more than 100 million devices would be vulnerable and exploitable, including IoT devices used by governments, healthcare, retail and manufacturing.
The vulnerabilities could be exploited to gain access to enterprise or government networks and steal data, or to conduct denial of service attacks that disrupt critical processes in order to extort money from targeted companies.
The vulnerabilities lie in the message compression and domain name label parsing features of the affected software and firmware. Exploiting a single one of them may not gain an attacker a great deal, but the Name:Wreck flaws could be chained with each other or with flaws from the AMNESIA:33 collection to cause significant damage. The affected versions and CVEs are:
- FreeBSD – Version 12.1 – CVE-2020-7461
- IPnet – VxWorks 6.6 – CVE-2016-20009
- NetX – Version 6.0.1 – No CVE at present
- Nucleus NET – Version 4.3 – CVE-2020-15795, CVE-2020-27009, CVE-2020-27736, CVE-2020-27737, CVE-2020-27738, CVE-2021-25677
The vulnerabilities range in severity from CVSS v3.1 5.3 to 9.8. The researchers describe one attack scenario in which an attacker exploits CVE-2020-27009 to craft a DNS response packet that writes arbitrary data into sensitive parts of a device's memory, where code can then be injected. CVE-2020-15795 could then be exploited to craft meaningful code for that injection, and the attacker could bypass DNS query-response matching using CVE-2021-25677 to deliver the malicious packet to the targeted device, thus gaining remote access and full control of it.
Patches to fix the vulnerabilities have been released for FreeBSD, Nucleus NET and NetX; however, applying them may not be easy, since many IoT devices control mission-critical systems that cannot easily be taken offline. In such cases it is important to implement mitigations that make the vulnerabilities harder to exploit and limit the harm that can be caused should threat actors target them.
Mitigations include identifying all vulnerable devices, using internal DNS servers wherever possible, implementing segmentation to reduce network exposure, and monitoring network traffic for malicious packets.
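As an added, defensive illustration of the two parsing features named above (message compression and domain name labels) and of the "monitor network traffic for malicious packets" mitigation, the following Python is not code from Forescout, JSOF or any of the affected stacks. It is a bounds-checked DNS name decoder that rejects the kinds of malformed compression pointers and labels a stack must handle safely, wrapped in a message walker a monitoring tool could run over captured DNS responses. The sample packets, function names and reported strings are all constructed for this example.

```python
"""Defensive DNS name parsing: reject compression pointers and labels that a
careless implementation would mishandle, and walk a whole response with it.
Example code; packets below are constructed, not captured traffic."""
import struct

MAX_NAME_LEN = 255      # RFC 1035 limit on a full wire-format name


class MalformedName(ValueError):
    """Raised when a name in a DNS message is malformed or abusive."""


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at `offset`.

    Returns (dotted_name, end_offset), where end_offset is the position just
    after the name's in-place bytes (after the first pointer, if one was used),
    which is what the caller needs to continue parsing the message.
    """
    labels, total_len, visited, end_offset, pos = [], 0, set(), None, offset
    while True:
        if pos >= len(msg):
            raise MalformedName(f"name runs past end of message at {pos}")
        length = msg[pos]
        if length == 0:                                  # root label ends the name
            pos += 1
            break
        flag = length & 0xC0
        if flag == 0xC0:                                 # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if end_offset is None:
                end_offset = pos + 2
            if target >= len(msg):
                raise MalformedName(f"pointer target {target} beyond message")
            # Pointers must refer to an earlier part of the message; a forward,
            # self-referencing or already-followed target is a loop attempt.
            if target >= pos or target in visited:
                raise MalformedName(f"pointer loop/forward reference to {target}")
            visited.add(target)
            pos = target
            continue
        if flag != 0x00:
            # 0x40 / 0x80 prefixes are reserved; this also bounds labels to 63 bytes.
            raise MalformedName(f"reserved label type 0x{flag:02x}")
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past end of message")
        total_len += length + 1
        if total_len + 1 > MAX_NAME_LEN:                 # +1 for the root label
            raise MalformedName("name exceeds 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), end_offset if end_offset is not None else pos


def check_message(msg: bytes) -> list[str]:
    """Walk a DNS message; return the problems found ([] means it parsed cleanly)."""
    if len(msg) < 12:
        return ["header shorter than 12 bytes"]
    _txid, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    pos, problems = 12, []
    try:
        for _ in range(qdcount):
            _, pos = parse_name(msg, pos)
            if pos + 4 > len(msg):
                raise MalformedName("truncated question")
            pos += 4                                     # QTYPE, QCLASS
        for _ in range(ancount + nscount + arcount):
            _, pos = parse_name(msg, pos)
            if pos + 10 > len(msg):
                raise MalformedName("truncated resource record header")
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            if pos + rdlength > len(msg):
                raise MalformedName("RDLENGTH exceeds message")
            if rtype in (2, 5, 12):                      # NS, CNAME, PTR carry a name
                _, name_end = parse_name(msg, pos)
                if name_end != pos + rdlength:
                    raise MalformedName("RDATA name length disagrees with RDLENGTH")
            pos += rdlength
    except MalformedName as exc:
        problems.append(str(exc))
    return problems


def build_response(answer_name: bytes) -> bytes:
    """Constructed one-question, one-A-record response; QNAME starts at offset 12."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = answer_name + struct.pack("!HHIH", 1, 1, 300, 4) + b"\x0a\x00\x00\x01"
    return header + question + answer


# Constructed samples: the answer name begins at offset 29 in each.
SAMPLE_OK = build_response(b"\xc0\x0c")        # pointer back to QNAME at 12: legal
SAMPLE_LOOP = build_response(b"\xc0\x1d")      # pointer to itself (offset 29)
SAMPLE_OOB = build_response(b"\xc0\xff")       # pointer past the end of the message
SAMPLE_TRUNC = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + b"\x07exam"

if __name__ == "__main__":
    for label, pkt in [("ok", SAMPLE_OK), ("loop", SAMPLE_LOOP),
                       ("oob", SAMPLE_OOB), ("trunc", SAMPLE_TRUNC)]:
        print(label, check_message(pkt) or "clean")
```

Every rejection here corresponds to a check the affected stacks needed in their compression and label handling: a pointer is only followed if it lands inside the message and strictly behind the current position, a label is only copied if its declared length fits in the remaining bytes, and the accumulated name is capped at the RFC 1035 limit. Run over mirrored DNS traffic, a non-empty result from `check_message` is a reasonable trigger for an alert.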