Name:Wreck DNS Bugs Put IoT Devices At Risk
The New DNS Vulnerabilities Could Impact Millions of IoT Devices Worldwide If Not Patched.
Security experts from Forescout and JSOF have discovered a new set of DNS vulnerabilities that could impact more than 100 million IoT devices used by consumers and organizations. They have labeled them Name:Wreck and published a report in this regard.
The Name:Wreck vulnerabilities affect four TCP/IP stacks – FreeBSD, IPnet, Nucleus NET, and NetX, which are present in well-known IT software and IoT/OT firmware, potentially impacting organizations in the government, enterprise, healthcare, manufacturing, and retail sectors.
FreeBSD, for instance, is used for high-performance servers in millions of IT networks, including major web destinations such as Netflix and Yahoo. Meanwhile, Nucleus NET IoT/OT has been used for decades in critical OT firmware such as Siemens, as well as in IoT devices.
In the U.S. alone, more than 180,000 devices are believed to be affected, and over 36,000 devices in the UK. If exploited, the flaws let attackers take target devices offline or take control of their operation.
According to Forescout Research Manager Daniel dos Santos,
NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption. Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks, and so we encourage all organizations to make sure they have the most up-to-date patches for any devices running across these affected IP stacks.
In the attack scenario, the attacker obtains initial access to an organization's network by compromising a device that issues DNS requests to an Internet server, for example by exploiting one of the RCEs affecting Nucleus NET.
[Figure: attack scenario diagram. Image source: Forescout]
DNS-based vulnerabilities require the attacker to reply to a legitimate DNS request with a malicious packet. That can be achieved by exploiting the queried DNS servers. Servers or forwarders vulnerable to DNSpooq and similar vulnerabilities could be exploited to reply with malicious messages carrying a weaponized payload.
After the initial access, the attacker can use the compromised entry point to set up an internal DHCP server and move laterally by executing malicious code on vulnerable internal servers.
Finally, the attacker can use those compromised internal servers to persist on the target network or to exfiltrate data through the Internet-exposed IoT device.
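The scenario above hinges on a device accepting a forged reply to its own DNS query. As an added example (not code from the article, Forescout or JSOF), the Python below shows the checks a hardened resolver client applies before trusting a reply: matching the transaction ID and question section to the outstanding query, and bounds-checking every read while decoding RFC 1035 compressed names, so a crafted reply is rejected instead of parsed blindly. The packet builders, sample packets and the pointer-hop cap are constructed for this example; the article does not detail the specific parsing flaws in the affected stacks.

```python
"""Defensive validation of a DNS reply before a client acts on it.

Added example, not code from the article or from Forescout/JSOF. Assumes plain
RFC 1035 wire format; all sample packets below are constructed here.
"""
import struct

MAX_NAME_LEN = 255    # RFC 1035 limit on an encoded name
MAX_POINTERS = 16     # hard cap on compression-pointer hops (assumption, not RFC)


class MalformedDNS(ValueError):
    """Raised when a reply fails a structural or consistency check."""


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it).
    Bounds-checks every read, forces pointers backwards, caps hops and length."""
    labels, total, hops, end, pos = [], 0, 0, None, offset
    while True:
        if pos >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedDNS("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if target >= pos or hops > MAX_POINTERS:   # must jump strictly back
                raise MalformedDNS("bad compression pointer")
            end = pos + 2 if end is None else end      # resume after 1st pointer
            pos = target
            continue
        if length & 0xC0:                              # reserved type or label > 63
            raise MalformedDNS("bad label length")
        pos += 1
        if length == 0:
            break
        total += length + 1
        if total > MAX_NAME_LEN or pos + length > len(msg):
            raise MalformedDNS("name too long or truncated")
        labels.append(msg[pos:pos + length].decode("latin-1"))  # never raises
        pos += length
    return ".".join(labels), (pos if end is None else end)


def parse_header(msg: bytes):
    if len(msg) < 12:
        raise MalformedDNS("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags, qd, an


def validate_reply(query: bytes, reply: bytes):
    """Return [(name, type, rdata)] from reply or raise MalformedDNS.
    Reply must carry the query's ID, the QR bit, an identical question, and
    every resource record must fit inside the message."""
    qid, _, qqd, _ = parse_header(query)
    rid, rflags, rqd, ran = parse_header(reply)
    if rid != qid:
        raise MalformedDNS("transaction ID mismatch")
    if not rflags & 0x8000:
        raise MalformedDNS("QR bit not set")
    if qqd != 1 or rqd != 1:
        raise MalformedDNS("expected exactly one question")
    qname, qoff = read_name(query, 12)
    rname, roff = read_name(reply, 12)
    if qname.lower() != rname.lower() or query[qoff:qoff + 4] != reply[roff:roff + 4]:
        raise MalformedDNS("question section does not match query")
    answers, pos = [], roff + 4
    for _ in range(ran):
        name, pos = read_name(reply, pos)
        if pos + 10 > len(reply):
            raise MalformedDNS("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(reply):
            raise MalformedDNS("RDATA runs past end of message")
        answers.append((name, rtype, reply[pos:pos + rdlen]))
        pos += rdlen
    return answers


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"


def build_reply(txid: int, name: str, ip: str) -> bytes:
    """A reply whose answer name is a pointer (0xC00C) back to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + b"\x00\x01\x00\x01"
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


# Constructed sample packets (not captured traffic).
QUERY = build_query(0x1234, "example.com")
GOOD_REPLY = build_reply(0x1234, "example.com", "93.184.216.34")
SPOOFED_REPLY = build_reply(0x1111, "example.com", "10.0.0.1")   # wrong transaction ID
_ans = 12 + len(encode_name("example.com")) + 4                  # offset of the answer RR
LOOP_REPLY = GOOD_REPLY[:_ans] + struct.pack("!H", 0xC000 | _ans) + GOOD_REPLY[_ans + 2:]  # self-pointer


def check(query: bytes, reply: bytes):
    """('accepted', answers) or ('rejected', reason)."""
    try:
        return "accepted", validate_reply(query, reply)
    except MalformedDNS as exc:
        return "rejected", str(exc)
```

Run `check(QUERY, GOOD_REPLY)` to see the single A record accepted, while the reply with a mismatched transaction ID and the reply whose answer name points at itself are both rejected with a reason. The same three checks (ID/question match, QR bit, bounded decompression) are what a network-side detector can apply to DNS replies seen on a segment that hosts unpatched stacks.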
According to Help Net Security, some hypothetical but entirely plausible consequences of exploiting these vulnerabilities include:
- Exposing government or organizational servers, by accessing sensitive data;
- Compromising hospitals, by connecting to medical devices to obtain healthcare data, taking them offline, and preventing healthcare delivery;
- Impacting manufacturing, by obtaining access to factory/plant networks to tamper with production lines;
- Shutting down retailers, by switching off lights connected to their building automation controllers.
What’s more, threat actors could also tap into the critical building functions of residential and commercial spaces, including major hotel chains, to endanger the safety of residents. This could include:
- Tampering with heating, ventilation, and air conditioning systems;
- Disabling critical security systems, such as alarms and door locks;
- Shutting down automated lighting systems.
Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be only a matter of time before these vulnerabilities are exploited, potentially resulting in major government data breaches, manufacturing disruption, or compromise of hotel guest safety and security.
Patches are now available for FreeBSD, Nucleus NET, and NetX.