Forescout Research Labs, in partnership with JSOF, disclosed a new set of DNS vulnerabilities, dubbed NAME:WRECK.
These vulnerabilities affect four popular TCP/IP stacks – namely FreeBSD, IPnet, Nucleus NET and NetX – which are commonly present in well-known IT software and popular IoT/OT firmware and have the potential to impact millions of IoT devices around the world.
FreeBSD is used for high-performance servers in millions of IT networks, including major web destinations such as Netflix and Yahoo. Meanwhile, IoT/OT firmware such as Siemens’ Nucleus NET has been used for decades in critical OT and IoT devices.
The NAME:WRECK vulnerabilities potentially impact organisations across all sectors, including government, enterprise, healthcare, manufacturing and retail.
More than 180,000 devices in the U.S. and more than 36,000 devices in the UK are believed to be affected. If exploited, bad actors can use them to take target devices offline or assume control of their operations.
“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large scale disruption,” explains Daniel dos Santos, Research Manager, Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up to date patches for any devices running across these affected IP Stacks.”
In this scenario, the attacker obtains Initial Access into an organization’s network (step 1 in the figure) by compromising a device issuing DNS requests to a server on the internet. To obtain initial access, the attacker can exploit one of the RCEs affecting Nucleus NET. The compromise can happen, for instance, by weaponizing the exploitation.
Attack scenario leveraging NAME:WRECK vulnerabilities on internal and external targets
The caveat about DNS-based vulnerabilities is that they require the attacker to reply to a legitimate DNS request with a malicious packet. That can be achieved via a man-in-the-middle somewhere in the path between the request and the reply or by exploiting the queried DNS servers. Servers or forwarders vulnerable to DNSpooq and similar vulnerabilities on the way between the target device and a more authoritative DNS server, for instance, could be exploited to reply with malicious messages carrying a weaponized payload.
After the initial access, the attacker can use the compromised entry point to set up an internal DHCP server and do a Lateral Movement (step 2) by executing malicious code on vulnerable internal FreeBSD servers broadcasting DHCP requests.
Finally, the attacker can use those internal compromised servers to Persist on the target network or to Exfiltrate data (step 3) via the internet-exposed IoT device.
What bad actors could do
Some hypothetical but entirely plausible scenarios of what bad actors could do include:
- Exposing government or enterprise servers, by accessing sensitive data, such as financial records, intellectual property or employee/customer information
- Compromising hospitals, by connecting to medical devices to obtain healthcare data, taking them offline and preventing healthcare delivery
- Impacting manufacturing, by obtaining access to factory/plant networks to tamper with production lines
- Shutting down retailers, by switching off lights connected to their building automation controllers
Bad actors could also tap into the critical building functions of residential and commercial spaces, including major hotel chains, to endanger the safety of residents. This could include:
- Tampering with heating, ventilation and air conditioning systems
- Disabling critical security systems, such as alarms and door locks
- Shutting down automated lighting systems
“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just be a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security,” warns dos Santos.