100 Million IoT Devices at Risk of NAME:WRECK Vulnerabilities: Forescout, JSOF

essidsolutions

Researchers at Forescout and JSOF discovered nine vulnerabilities in four TCP/IP stacks that could open the floodgates for attackers to remotely take over devices, perform remote code execution, and cause denial of service (DoS).

Over 100 million internet-facing devices are vulnerable to exploitation because of a set of vulnerabilities in their TCP/IP stacks. Dubbed NAME:WRECK, these nine vulnerabilities in the stacks' Domain Name System (DNS) implementations affect how these devices communicate with each other and with the rest of the internet.

Impacted TCP/IP stacks include Nucleus NET, FreeBSD, IPnet, and NetX. These four communication stacks are implemented to handle networking functions such as DNS requests, support internet connectivity, etc., in several types of internet-connected devices such as servers, industrial internet of things (IIoT) devices, smartphones (and other smart devices), medical equipment and more, creating a significantly large attack surface.

Used together with TCP/IP, DNS is an internet protocol that helps machines translate human-readable domain names (for example, www.google.com) into their machine-readable numeric equivalents (8.8.8.8). Essentially, “the Domain Name System (DNS) is the phonebook of the Internet,” according to web infrastructure and security company Cloudflare.

The exploitation of the newly discovered NAME:WRECK vulnerabilities can expose these devices to remote code execution (RCE) and denial of service (DoS) attacks. It can also enable threat actors to carry out attacks even when offline and victimize operators/owners of said devices through a complete takeover.

Researchers from Forescout explained, “Organizations in the Healthcare and Government sectors are in the top three most affected for all three stacks. If we conservatively assume that 1% of the more than 10 billion deployments discussed above are vulnerable, we can estimate that at least 100 million devices are impacted by NAME:WRECK.”

Discovered by IoT security company Forescout and Israeli cybersecurity company JSOF Research, NAME:WRECK is the fifth set of TCP/IP vulnerabilities discovered in the past three years. Previously discovered sets include URGENT/11, Ripple20, Amnesia:33 and NUMBER:JACK.

Part of the reason why so many flaws are coming to light, according to Ang Cui, CEO of Red Balloon, is the evolution of new-age technology around legacy networking protocols. Cui told WIRED, “For better or worse, these devices have code in them that people wrote 20 years ago — with the security mentality of 20 years ago.”

“And it works; it never failed. But once you connect that to the internet, it is insecure. And that is not that surprising, given that we have had to really rethink how we do security for general-purpose computers over those 20 years,” he adds.

The nine NAME:WRECK vulnerabilities corresponding to the stack they affect are:

| Sr. No. | Vulnerability | CVSS Score | Severity | Stack Affected | Can Cause |
|---|---|---|---|---|---|
| 1 | CVE-2016-20009 | 9.8 | Critical | IPnet | RCE |
| 2 | CVE-2020-15795 | 8.1 | High | Nucleus NET | RCE |
| 3 | CVE-2020-27009 | 8.1 | High | Nucleus NET | RCE |
| 4 | CVE-2020-7461 | 7.3 | High | FreeBSD | RCE |
| 5 | CVE-2020-27736 | 6.5 | Medium | Nucleus NET | DoS |
| 6 | CVE-2020-27737 | 6.5 | Medium | Nucleus NET | DoS |
| 7 | CVE-2020-27738 | 6.5 | Medium | Nucleus NET | DoS |
| 8 | CVE-2020-25677 | 5.5 | Medium | Nucleus NET | DNS Cache Poisoning |
| 9 | Untracked | 6.5 | Medium | NetX | DoS |

Of these, CVE-2016-20009, which resides in IPnet (VxWorks 6.6), has the highest CVSS score of the nine, making it the most critical. IPnet is generally used by enterprises for networking through internet-facing devices such as routers, modems, printers and firewalls. A successful exploit of the stack's handling of compressed DNS messages can give attackers remote code execution.

Three (CVE-2020-15795, CVE-2020-27009, and CVE-2020-7461) of the remaining eight vulnerabilities were rated ‘High’ in severity, two of which exist in all versions before the 5.2 release of the Nucleus NET stack. Nucleus NET is leveraged by the Nucleus RTOS, which is used in over 3 billion devices across storage, electric systems for aviation, medicine, etc.

Mitigations

Patches for the vulnerabilities have been released, albeit not for all four TCP/IP stacks. With the exception of IPnet, patches for all other stacks (Nucleus NET, FreeBSD, NetX) are available.

Besides security patches, Forescout has also made available an open-source script for discovering affected devices that use any of these stacks.

Organizations should also:

  • Implement network segmentation, disconnect devices from the internet, and limit external communication until appropriate patches are installed
  • Configure devices to rely on internal DNS servers where possible
  • Monitor external DNS traffic, as well as all network traffic for malicious packets
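The DNS message compression handling mentioned above, and the "monitor external DNS traffic for malicious packets" recommendation, can be illustrated with a bounds-checked decoder for RFC 1035 compressed names. This is an added example, not code from the article or from Forescout or JSOF; it assumes standard DNS wire format and uses a constructed sample response and a constructed malformed message.

```python
import struct

class MalformedName(ValueError):
    """Raised when a name breaks the RFC 1035 compression rules."""
def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the possibly compressed name at offset -> (name, offset past it)."""
    # Each pointer must target an offset below every offset visited so far
    # (limit), so a pointer chain moves strictly backwards and cannot loop.
    labels, total, limit, end = [], 0, offset, None
    while True:
        if offset >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[offset]
        if length >= 0xC0:                              # compression pointer
            if offset + 1 >= len(msg):
                raise MalformedName("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= limit:
                raise MalformedName("pointer not strictly backwards")
            if end is None:                             # name ends after first pointer
                end = offset + 2
            limit = offset = target
            continue
        if length >= 0x40:
            raise MalformedName("reserved label type")
        if length == 0:                                 # root label ends the name
            return ".".join(labels) or ".", end or offset + 1
        total += length + 1
        if total > 255:                                 # RFC 1035 name length limit
            raise MalformedName("name longer than 255 octets")
        label = msg[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise MalformedName("label runs past end of message")
        labels.append(label.decode("ascii", "replace"))
        offset += 1 + length
def question_names(msg: bytes) -> list[str]:
    """Decode every question-section name; raises MalformedName on bad input."""
    if len(msg) < 12:
        raise MalformedName("shorter than the 12-byte header")
    offset, names = 12, []
    for _ in range(struct.unpack("!H", msg[4:6])[0]):  # QDCOUNT
        name, offset = read_name(msg, offset)
        names.append(name)
        offset += 4                                     # skip QTYPE and QCLASS
    return names
# Constructed sample response for example.com; its answer name is the pointer
# 0xC00C back to the question name at offset 12 (legitimate compression).
HEADER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
GOOD_RESPONSE = HEADER + QUESTION + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
LOOPING_NAME = HEADER + b"\x01a\xc0\x0c"  # constructed: label "a", then a pointer to itself
```

Feeding captured responses to question_names() flags the forward, self-referencing and truncated names that a permissive parser would follow blindly.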