NAME:WRECK: Nine DNS Vulnerabilities Found in Four Open Source TCP/IP Stacks

Nine new DNS-related vulnerabilities have been identified across TCP/IP stacks embedded in millions of devices.

Background

On April 13, 2021, researchers at Forescout and JSOF published a report called NAME:WRECK. The report details the discovery of nine Domain Name System (DNS) vulnerabilities across four widely used open-source TCP/IP stacks. Conservative estimates suggest that the flaws are present in over 100 million devices. NAME:WRECK is the third TCP/IP report to stem from research conducted through PROJECT:MEMORIA; the prior reports include NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks and AMNESIA:33, which details a staggering 33 vulnerabilities across four TCP/IP stacks. This research also highlights the risks involved with using open-source TCP/IP stacks in operational technology (OT), internet of things (IoT) and IT, which can affect millions of devices.

Analysis

The potential impact of these vulnerabilities includes DNS Cache Poisoning, Denial of Service (DoS) and Remote Code Execution (RCE). The nine vulnerabilities are identified in the following table:

| CVE | Stack | Affected Feature | Potential Impact | CVSSv3 |
|---|---|---|---|---|
| CVE-2016-20009 | IPnet | Message compression | Remote Code Execution | 9.8 |
| CVE-2020-15795 | Nucleus NET | Domain name label parsing | Remote Code Execution | 8.1 |
| CVE-2020-27009 | Nucleus NET | Message compression | Remote Code Execution | 8.1 |
| CVE-2020-7461 | FreeBSD | Message compression | Remote Code Execution | 7.7 |
| CVE-2020-27736 | Nucleus NET | Domain name label parsing | Denial of Service | 6.5 |
| CVE-2020-27737 | Nucleus NET | Domain name label parsing | Denial of Service | 6.5 |
| CVE-2020-27738 | Nucleus NET | Message compression | Denial of Service | 6.5 |
| Not Assigned | NetX | Message compression | Denial of Service | 6.5 |
| CVE-2021-25677 | Nucleus NET | Transaction ID | DNS Cache Poisoning | 5.3 |

Root cause analysis

The vulnerabilities stem from implementation problems within the various TCP/IP stacks, caused by the complexity and misinterpretation of Request for Comments (RFC) standards. For example, RFC 1035, “Domain Names – Implementation and Specification,” defines a message compression mechanism that reduces DNS message size by replacing repeated domain names with pointers to an earlier occurrence; the same mechanism is used by DNS resolvers and by multicast DNS (mDNS). To help developers avoid repeating these mistakes in future DNS implementations, Forescout researchers drafted an informational RFC that documents the anti-patterns identified in their research.

The gift that keeps on giving

In the initial research surrounding these TCP/IP stacks, most of the focus was on the implementation of DNS message compression. Four of the Nucleus NET vulnerabilities in the table above (CVE-2020-15795, CVE-2020-27736, CVE-2020-27737 and CVE-2021-25677) were discovered as a byproduct of that initial research. The NAME:WRECK report highlights how chaining these four otherwise unrelated flaws with CVE-2020-27009 or CVE-2020-27738 could increase their impact and achieve RCE.

Three of the most critical DNS vulnerabilities in NAME:WRECK

CVE-2016-20009 is a stack-based buffer overflow vulnerability in the message compression function of the IPnet stack which could potentially lead to RCE. This is the most critical of the nine vulnerabilities, with a CVSSv3 score of 9.8, and, as the CVE naming structure would suggest, also the oldest. CVE-2016-20009 is actually a bug collision, as it was originally reported in 2016 by Exodus Intelligence but never assigned a CVE. Forescout and JSOF asked the original finders of the vulnerability to request a CVE ID in January 2021, agreeing it should be assigned an end-of-life CVE ID.

CVE-2020-15795 is a vulnerability in the DNS domain name labeling functionality of the Nucleus NET TCP/IP stack that improperly validates the names in the DNS responses. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.

CVE-2020-27009 is a vulnerability in the DNS domain name record decompression function of the Nucleus NET TCP/IP stack that occurs as an improper validation of the offset values in a pointer. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.
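The two Nucleus NET flaws above, and the root-cause discussion earlier, come down to a name decoder that trusts the label length octets and compression-pointer offsets in an attacker-controlled DNS response. The following Python decoder is an added example (it is not code from the NAME:WRECK report, from Forescout or JSOF, or from any of the affected stacks) showing the RFC 1035 checks a parser has to enforce: a pointer must reference a strictly earlier position (which rules out forward pointers, self-references and loops in one comparison), label and name lengths are bounded, every read is bounds-checked against the message, and RDLENGTH must agree with the message size. The packets it runs against are constructed by hand for the demonstration; the `192.0.2.1` answer is a documentation address, and the function names are this example's own.

```python
"""Added example: RFC 1035 name decoding with the checks whose absence causes
message-compression and label-parsing bugs. Not code from any affected stack."""
import struct

MAX_NAME_LEN = 255       # RFC 1035 2.3.4: a name is at most 255 octets on the wire
MAX_POINTER_HOPS = 16    # defensive cap; legitimate pointer chains are very short


class MalformedName(ValueError):
    """Raised for any encoding that an unchecked parser could turn into an
    out-of-bounds read or write (or an infinite loop)."""


def read_name(msg, offset):
    """Decode a possibly compressed domain name starting at `offset`.
    Returns (dotted_name, offset just after the name in the caller's stream)."""
    labels, name_octets, hops = [], 0, 0
    pos, resume, bound = offset, None, offset
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer: 11xxxxxx
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume is None:
                resume = pos + 2                   # caller resumes after first pointer
            # A pointer must reference a *prior* occurrence: strictly before the
            # name (or chain link) we arrived from. Checking only "target < pos"
            # would still allow a loop such as label@12, ptr@16 -> 12.
            if target >= bound:
                raise MalformedName("pointer does not reference a prior occurrence")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedName("too many pointer hops")
            bound = pos = target
            continue
        if length & 0xC0:                          # 01xxxxxx / 10xxxxxx are reserved,
            raise MalformedName("reserved label type")   # so labels are <= 63 octets
        if length == 0:                            # root label terminates the name
            pos += 1
            break
        name_octets += length + 1
        if name_octets + 1 > MAX_NAME_LEN:         # +1 for the terminating root label
            raise MalformedName("name exceeds 255 octets")
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), (resume if resume is not None else pos)


def parse_response(msg):
    """Parse header, question and answer sections; raises MalformedName on any
    length or pointer that disagrees with the bytes actually present."""
    if len(msg) < 12:
        raise MalformedName("header truncated")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        qname, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise MalformedName("question truncated")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise MalformedName("resource record truncated")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise MalformedName("rdata length exceeds message")
        rdata = msg[pos:pos + rdlen]
        if rtype in (2, 5, 12):                    # NS, CNAME, PTR rdata is a name
            rdata, end = read_name(msg, pos)
            if end != pos + rdlen:
                raise MalformedName("rdata length disagrees with encoded name")
        pos += rdlen
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def classify(msg):
    """Return 'ok' for a well-formed response, or 'reject: <reason>'."""
    try:
        parse_response(msg)
    except MalformedName as exc:
        return "reject: " + str(exc)
    return "ok"


# ---- constructed sample responses (hand-built for this example) ----
def _msg(question, answers=b"", an=0):
    return struct.pack("!6H", 0x1234, 0x8180, 1, an, 0, 0) + question + answers

Q_WWW = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
A_PTR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])

SAMPLES = {
    "good": _msg(Q_WWW, A_PTR, an=1),                          # answer name -> offset 12
    "forward_pointer": _msg(Q_WWW, b"\xc0\x30" + A_PTR[2:], an=1),   # points ahead to 48
    "loop": _msg(b"\x03abc\xc0\x0c" + struct.pack("!HH", 1, 1)),     # abc, then ptr -> 12
    "too_long": _msg((b"\x3f" + b"a" * 63) * 5 + b"\x00" + struct.pack("!HH", 1, 1)),
    "rdlen_overrun": _msg(Q_WWW, b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 100)
                          + b"\x00" * 4, an=1),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(f"{label:16s} {classify(packet)}")
```

Only the "good" packet decodes; the four others are rejected before any read or write outside the buffer takes place. The `bound` variable is the detail worth copying: it forces every pointer target to move strictly backwards, which is both what RFC 1035 means by "a prior occurrence" and the single check that makes pointer loops impossible without keeping a visited set.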

Millions of devices potentially affected

The report highlighted a number of statistics for the affected TCP/IP stacks, but the most alarming statistics were associated with FreeBSD. A Shodan search result provided in the report showed that over one million FreeBSD devices were internet-facing. While this does not indicate all these devices are vulnerable, it does highlight the potential attack surface.

[Figure: Shodan search results for internet-facing FreeBSD devices. Source: Forescout NAME:WRECK Report]

Drilling down into industry-specific figures, the report examines a dataset of 13 million proprietary devices. The numbers in the chart below are representative of over 235,000 FreeBSD devices running the affected stack/operating systems. One of the most concerning figures in this chart is the number of affected devices found within the healthcare sector. As we’ve reported previously, healthcare is one of the most targeted sectors, particularly by ransomware groups.

[Figure: affected FreeBSD devices by industry sector. Source: Forescout NAME:WRECK Report]

Exploitation scenario: Let’s get creative

The NAME:WRECK report demonstrates one possible scenario that was tested to gain a foothold on a target network using the Nucleus TCP/IP stack as an example. According to the report, the steps involved were as follows:

  1. Initial access to an organization's network is obtained by exploiting one of the Nucleus NET RCE vulnerabilities to compromise a device that issues DNS requests to a server on the internet. This highlights the key caveat with exploiting DNS-based vulnerabilities: an attacker needs to reply to a legitimate DNS request with their malicious packet. There are a few ways this can be achieved, including man-in-the-middle (MitM) attacks and targeting the queried DNS servers themselves using known vulnerabilities such as DNSpooq, a set of vulnerabilities in dnsmasq disclosed by JSOF earlier this year.
  2. Once the attacker has gained initial access, they could move laterally by setting up a Dynamic Host Configuration Protocol (DHCP) server and leveraging this to target FreeBSD servers broadcasting DHCP in order to execute malicious code on them.
  3. The final step involves using these compromised servers to maintain persistence on the network and/or exfiltrate data via the internet-connected device that was used to gain the initial foothold.

[Figure: the three-step exploitation scenario described above. Source: Forescout NAME:WRECK Report]

Proof of concept

At the time this blog post was published, there was one proof-of-concept (PoC) available for CVE-2020-7461, the message compression vulnerability in FreeBSD. This particular PoC will only result in a DoS condition.

Solution

Each of the maintainers/vendors of the vulnerable TCP/IP stacks identified in the report was notified of these flaws. The FreeBSD, Nucleus NET and NetX stacks have been patched recently. The following table lists the stacks and their fixed versions (where available).

| Affected TCP/IP Stack | Fixed Versions |
|---|---|
| FreeBSD | 12.1 Revision 365010 |
| Nucleus NET | 5.2 |
| Nucleus NET | 4.1.0 |
| NetX | 6.1 |
| IPnet | Not Available |

While these vulnerabilities may be addressed by their relevant vendors, there are millions of devices worldwide implementing these stacks spanning hundreds of manufacturers. Action is required by these manufacturers to ensure that fixes are deployed for their vulnerable devices.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Please note that at the time this blog post was published, the NetX vulnerability did not have a CVE assigned to it yet. We will update this blog post once a CVE is assigned.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
