TCP/IP Vulnerabilities Threaten IoT Devices

Sheila Zabeu

April 21, 2021

Forescout has just disclosed a set of TCP/IP vulnerabilities in FreeBSD and in three other operating systems designed for IoT: Nucleus NET, IPnet, and NetX. In total, nine vulnerabilities could potentially affect 100 million IoT devices.

Forescout's security researchers call these vulnerabilities “NAME:WRECK” because of the way they affect the Domain Name System (DNS) protocol: parsing of domain names can break (i.e., “wreck”) DNS implementations in TCP/IP stacks.

According to the Forescout researchers, the vulnerabilities stem from the way DNS is implemented in these stacks and can pave the way for Denial of Service (DoS) attacks or remote code execution. In practice, attackers could crash target systems or take control of them.

It is worth remembering that DNS is a complex protocol that tends to produce vulnerable implementations, and such vulnerabilities can often be leveraged by external attackers to take control of millions of devices at once.

Specifically, the report takes a closer look at the “message compression” scheme used in the DNS protocol, which “eliminates the repetition of domain names in a message” in order to reduce message size.
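To illustrate the parsing the report singles out, here is a bounds-checked decoder for compressed DNS names (example code written for this article, not Forescout's code nor that of any affected stack). The label, name and backward-pointer rules follow RFC 1035; the pointer-hop cap and the sample message bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_LABEL 63      /* RFC 1035 label limit */
#define MAX_NAME_TEXT 253 /* presentation form of a 255-octet wire name */
#define MAX_PTR_HOPS 16   /* assumed cap on chained compression pointers */

/* Decode a possibly compressed DNS name at msg[off] into out (dotted, NUL-terminated).
 * Returns the bytes the name occupies at its original position, so the caller can keep
 * parsing, or -1 if malformed (out-of-bounds, reserved label type, loop, forward ptr). */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_len)
{
    size_t pos = off, written = 0, consumed = 0;
    int hops = 0, jumped = 0;
    if (out_len == 0) return -1;
    for (;;) {
        if (pos >= msg_len) return -1;                     /* length byte past end */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                        /* 2-byte compression pointer */
            if (pos + 1 >= msg_len) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) consumed = pos + 2 - off;         /* only the first jump counts */
            jumped = 1;
            if (++hops > MAX_PTR_HOPS || target >= pos) return -1; /* loop or forward ref */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                         /* 0x40/0x80 types are reserved */
        pos++;
        if (len == 0) break;                               /* root label ends the name */
        if (len > MAX_LABEL || pos + len > msg_len) return -1; /* label data past end */
        size_t need = written + (written ? 1 : 0) + len;
        if (need > MAX_NAME_TEXT || need >= out_len) return -1; /* output would overflow */
        if (written) out[written++] = '.';
        memcpy(out + written, msg + pos, len);
        written += len; pos += len;
    }
    out[written] = '\0';
    return (int)(jumped ? consumed : pos - off);
}

/* Constructed sample response (not captured traffic): question "example.com", then names
 * using pointers, a self-referencing pointer and a reserved label type to exercise the checks. */
static const uint8_t sample_msg[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,       /* 12-byte header            */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,    /* off 12: example.com       */
    0, 1, 0, 1, 0xC0, 0x0C,                               /* off 25: A/IN; off 29: ptr -> 12 */
    3, 'w','w','w', 0xC0, 0x0C,                           /* off 31: www + ptr -> 12   */
    0xC0, 0x25, 0x40                                      /* off 37: self-ptr; off 39: reserved */
};
```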

According to Forescout, the healthcare and government sectors are the most affected when the FreeBSD, Nucleus NET, and NetX stacks are considered. In this group alone, and conservatively assuming that only 1% of the more than 10 billion deployments are vulnerable, Forescout estimates that at least 100 million devices are affected by the NAME:WRECK vulnerabilities.

Protecting against NAME:WRECK requires installing patches on devices that use the vulnerable versions of the TCP/IP stacks. Forescout points out that these four stacks have recently been fixed and that the vendors of equipment using them are expected to provide their own updates as well.

With the exception of IPnet, patches have already been released for FreeBSD, Nucleus NET, and NetX; vendors still need to ship updated firmware to their customers.

However, installing patches is not always feasible, for example when IoT devices are installed in hard-to-reach places. In these cases, Forescout suggests adopting mitigation measures. The first step is identifying which devices use the vulnerable TCP/IP stacks; Forescout itself has released an open source script that detects such devices. The next step is imposing segmentation controls to mitigate risk, restricting external communication routes or, if possible, isolating vulnerable devices until they can be patched. Another measure is configuring vulnerable devices to rely only on internal DNS servers whenever possible and closely monitoring external DNS traffic, since a potential intrusion depends on a malicious DNS server. Finally, network traffic should be monitored for packets attempting to exploit these vulnerabilities.

Flaws similar to NAME:WRECK cannot be ruled out in other TCP/IP stacks that have not yet been analyzed. So far, researchers have found no evidence that attackers are actively exploiting these vulnerabilities.

NAME:WRECK is the third report from Project Memoria, which Forescout launched in 2020 to identify TCP/IP stack vulnerabilities. The previous reports were AMNESIA:33 and NUMBER:JACK.

The positive side of the findings is that there are mitigations that make it easier to detect attempts to exploit these flaws.

For starters, Forescout has released an open source script to detect devices running the affected stacks. The researchers also recommend enforcing network segmentation controls until the patches are in place and monitoring all network traffic for malicious packets that try to exploit the flaws by targeting DNS, mDNS, and DHCP clients.