Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

Collectively referred to as NAME:WRECK, the flaws could be leveraged to take affected devices offline or to gain control over them.

The vulnerabilities were found in widespread TCP/IP stacks that run on a wide range of products, from high-performance servers and networking equipment to operational technology (OT) systems that monitor and control industrial equipment.

Issues in four TCP/IP stacks

The discovery of NAME:WRECK is a joint effort from Enterprise of Things security company Forescout and Israel-based security research group JSOF and affects the DNS implementations in the following TCP/IP stacks:

  • FreeBSD (vulnerable version: 12.1) – one of the most popular operating systems in the BSD family
  • IPnet (vulnerable version: VxWorks 6.6) – initially developed by Interpeak, it is now under WindRiver maintenance and used by VxWorks real-time operating system (RTOS)
  • NetX (vulnerable version: 6.0.1) – part of the ThreadX RTOS, it is now an open-source project maintained by Microsoft under the name Azure RTOS NetX
  • Nucleus NET (vulnerable version: 4.3) – part of the Nucleus RTOS maintained by Mentor Graphics, a Siemens business, it is used in medical, industrial, consumer, aerospace, and Internet of Things devices

According to Forescout, in hypothetical but plausible scenarios, threat actors could exploit NAME:WRECK vulnerabilities to deal significant damage to government or enterprise servers, healthcare facilities, retailers, or companies in the manufacturing business by stealing sensitive data, modifying or taking equipment offline for sabotage purposes.

Attackers could also tamper with critical building functions in residential or commercial locations to control heating and ventilation, disable security systems or tamper with automated lighting systems.

The NAME:WRECK vulnerabilities

The researchers analyzing the DNS implementations in the above-mentioned TCP/IP stacks looked at the message compression feature of the protocol.

It is not uncommon for DNS response packets to include the same domain name or a part of it more than once, so a compression mechanism exists to reduce the size of DNS messages.

Not just DNS resolvers benefit from this encoding as it is present in multicast DNS (mDNS), DHCP clients, and IPv6 router advertisements.

Forescout explains in a report today that the feature is also present in many implementations, although some protocols do not officially support compression. This occurs “because of code reuse or a specific understanding of the specifications.”

The researchers note that implementing the compression mechanism has been a tall order, as highlighted by more than a dozen vulnerabilities discovered since the year 2000.

It must be noted that not all NAME:WRECK vulnerabilities can be exploited to achieve the same results. The potential impact for the most severe of them is remote code execution, with the highest severity score being calculated at 9.8 out of 10.

Below is a rundown of all nine vulnerabilities, their identification numbers, and their severity score.

| CVE ID | Stack | Description | Affected feature | Potential impact | Severity score |
| --- | --- | --- | --- | --- | --- |
| CVE-2020-7461 | FreeBSD | Boundary error when parsing option 119 data in DHCP packets in dhclient(8); an attacker on the network can send crafted data to the DHCP client | Message compression | RCE | 7.7 |
| CVE-2016-20009 | IPnet | Stack-based overflow in the message decompression function | Message compression | RCE | 9.8 |
| CVE-2020-15795 | Nucleus NET | DNS domain name label parsing functionality does not properly validate the names in DNS responses; parsing malformed responses could result in a write past the end of an allocated structure | Domain name label parsing | RCE | 8.1 |
| CVE-2020-27009 | Nucleus NET | DNS domain name record decompression functionality does not properly validate the pointer offset values; parsing malformed responses could result in a write past the end of an allocated structure | Message compression | RCE | 8.1 |
| CVE-2020-27736 | Nucleus NET | DNS domain name label parsing functionality does not properly validate the name in DNS responses; parsing malformed responses could result in a write past the end of an allocated structure | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27737 | Nucleus NET | DNS response parsing functionality does not properly validate various lengths and counts of the records; parsing malformed responses could result in a read past the end of an allocated structure | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27738 | Nucleus NET | DNS domain name record decompression functionality does not properly validate the pointer offset values; parsing malformed responses could result in a read access past the end of an allocated structure | Message compression | DoS | 6.5 |
| CVE-2021-25677 | Nucleus NET | DNS client does not properly randomize DNS transaction ID (TXID) and UDP port numbers | Transaction ID | DNS cache poisoning/spoofing | 5.3 |
| * | NetX | Two functions in the DNS resolver do not check that the compression pointer does not equal the same offset currently being parsed, potentially leading to an infinite loop | Message compression | DoS | 6.5 |

As seen in the table above, not all vulnerabilities relate to message compression. These exceptions are a byproduct of the research and can be chained with the others to amplify the effects of the attack.

Another exception is CVE-2016-20009. Originally discovered by Exodus Intelligence in 2016, the bug did not receive a tracking number. Although the product is no longer maintained (end-of-life), it is still in use today.

Forescout asked Wind River to file for a CVE but the company did not take any action for months. As such, the company asked Exodus Intelligence for the same thing and the flaw received an identifier in January 2021.

An attacker exploiting a single bug may not achieve much but they can potentially wreak havoc by combining them.

For instance, they can exploit one flaw to be able to write arbitrary data into sensitive memory locations of a vulnerable device, another to inject code in a packet, and a third one to deliver it to the target.

The report from Forescout dives deep into technical details about how exploitation may lead to a successful remote code execution attack by leveraging several of the NAME:WRECK vulnerabilities as well as bugs from the AMNESIA:33 collection that the company discovered in open source TCP/IP stacks.

The company also discusses multiple implementation issues that keep repeating in DNS message parsers, referred to as anti-patterns, which are the cause of the NAME:WRECK vulnerabilities:

– Lack of TXID validation, insufficiently random TXID and source UDP port

– Lack of domain name character validation

– Lack of label and name length validation

– Lack of NULL-termination validation

– Lack of record count field validation

– Lack of domain name compression pointer and offset validation
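As an added illustration (not Forescout's code and not from any of the stacks named above), the following C decoder for the compressed-name format implements the checks the anti-patterns above say are missing: bounds on every read, backward-only compression pointers (which also rejects the self-referencing pointer that hangs the NetX resolver), hostname character validation, total-name length limits and guaranteed NUL termination. The three DNS messages at the bottom are constructed test inputs.

```c
#include <stdint.h>
#include <string.h>
#define DNS_MAX_NAME 255   /* RFC 1035 limit on a wire-format name */

/* Decode the (possibly compressed) name at msg[off] into dotted text in out.
 * Returns the text length, or -1 if the name fails any validation check. */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t pos = off, written = 0;
    if (out_len == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= msg_len) return -1;              /* length byte past end */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                 /* 11xxxxxx: pointer */
            if (pos + 1 >= msg_len) return -1;      /* offset byte past end */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            /* Backward jumps only: a pointer to itself (the infinite-loop case)
             * or forward is rejected; pos strictly decreases, so we terminate. */
            if (target >= pos) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                  /* 01/10 prefixes reserved */
        if (len == 0) break;                        /* root label: done */
        /* len <= 63 here; make sure the label body lies inside the message */
        if (pos + 1 + len > msg_len) return -1;
        size_t need = written + (written ? 1 : 0) + len;
        if (need > DNS_MAX_NAME || need >= out_len) return -1;
        if (written) out[written++] = '.';
        for (size_t i = 0; i < len; i++) {
            uint8_t c = msg[pos + 1 + i];           /* hostname chars only */
            if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-')) return -1;
            out[written++] = (char)c;
        }
        out[written] = '\0';                        /* always NUL-terminated */
        pos += 1 + len;
    }
    return (int)written;
}

/* Constructed messages: 12 zero header bytes, then name data. */
static const uint8_t MSG_OK[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0,0x10 };  /* name at 29 points back to offset 16 */
static const uint8_t MSG_SELF[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x0C };
static const uint8_t MSG_SHORT[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 5,'a','b' };
```

MSG_SELF is the self-referencing pointer pattern and MSG_SHORT a label whose declared length runs past the end of the packet; both are rejected instead of looping or reading out of bounds.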

Patches for NAME:WRECK are available for FreeBSD, Nucleus NET, and NetX, and eliminating the issues is possible if the fixes trickle down to the affected products.

As such, it is now up to the device vendors to apply the corrections to the products that can still be updated. This process, however, is unlikely to have a 100% success rate, as several obstacles are in the way.

First of all, operators need to determine the TCP/IP stack running on affected devices. This is not always an easy task because sometimes even the device vendor does not know.

Another hurdle is applying the patch, which, in many cases, needs to be installed manually because there is no centralized management. Add to this a critical device that cannot be taken offline for the update procedure and it becomes clear why a 100% patching rate is virtually impossible.

“Even worse, we found that new firmware sometimes runs unsupported versions of an RTOS that may have known vulnerabilities [e.g. CVE-2016-20009]. This is extremely concerning since assuming that a new firmware is not vulnerable might lead to serious blind spots in network risk assessment” – Forescout

However, Forescout provides mitigation recommendations, which security engineers can also use as a basis for signatures that detect attempts to exploit these DNS vulnerabilities:

– Discover and inventory devices running the vulnerable stacks

– Enforce segmentation controls and proper network hygiene

– Monitor progressive patches released by affected device vendors

– Configure devices to rely on internal DNS servers

– Monitor all network traffic for malicious packets

Furthermore, Forescout makes available two open-source tools: one that can help determine if a target network device runs a specific embedded TCP/IP stack (Project Memoria Detector) and one for detecting issues similar to NAME:WRECK (it works with Joern).