NAME:WRECK: Nine DNS Vulnerabilities Found in Four Open Source TCP/IP Stacks
Nine new DNS-related vulnerabilities have been identified across TCP/IP stacks embedded in millions of devices.
Background
On April 13, 2021, researchers at Forescout and JSOF published a report called NAME:WRECK. The report details the discovery of nine Domain Name System (DNS) vulnerabilities across four widely used open-source TCP/IP stacks. Conservative estimates suggest that the flaws are present in over 100 million devices. NAME:WRECK is the third TCP/IP report to stem from research conducted through PROJECT:MEMORIA; the prior reports include NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks and AMNESIA:33, which details a staggering 33 vulnerabilities across four TCP/IP stacks. This research also highlights the risks involved with using open-source TCP/IP stacks in operational technology (OT), internet of things (IoT) and IT, which can affect millions of devices.
Analysis
The potential impact of these vulnerabilities includes DNS Cache Poisoning, Denial of Service (DoS) and Remote Code Execution (RCE). The nine vulnerabilities are identified in the following table:
CVE | Stack | Affected Feature | Potential Impact | CVSSv3 |
---|---|---|---|---|
CVE-2016-20009 | IPNet | Message compression | Remote Code Execution | 9.8 |
CVE-2020-15795 | Nucleus NET | Domain name label parsing | Remote Code Execution | 8.1 |
CVE-2020-27009 | Nucleus NET | Message compression | Remote Code Execution | 8.1 |
CVE-2020-7461 | FreeBSD | Message Compression | Remote Code Execution | 7.7 |
CVE-2020-27736 | Nucleus NET | Domain name label parsing | Denial of Service | 6.5 |
CVE-2020-27737 | Nucleus NET | Domain name label parsing | Denial of Service | 6.5 |
CVE-2020-27738 | Nucleus NET | Message Compression | Denial of Service | 6.5 |
Not Assigned | NetX | Message Compression | Denial of Service | 6.5 |
CVE-2021-25677 | Nucleus NET | Transaction ID | DNS Cache Poisoning | 5.3 |
Root cause analysis
The vulnerabilities stem from implementation problems within the various TCP/IP stacks due to the complexities and misinterpretation of Request for Comments (RFC) standards. For example, the standard RFC 1035, also known as “Domain Names – Implementation and Specification,” specifies the reduction of DNS message sizes, including DNS resolvers and multicast DNS (mDNS), through a compression mechanism. To address these in the future, Forescout researchers created a draft of an informational RFC to help developers avoid making the same mistakes in DNS implementations moving forward and highlighting the identified anti-patterns from their research.
The gift that keeps on giving
In the initial research surrounding these TCP/IP stacks, most of the focus was on the implementation of the DNS message compression. Four of the Nucleus NET TCP/IP vulnerabilities in the table above (CVE-2020-15795, CVE-2020-27736, CVE2020-27737 and CVE-2021-25677) were discovered as a byproduct of the initial research. The NAME:WRECK report highlights how chaining together these four unrelated flaws with CVE-2020-27009 or CVE-2020-27738 could increase their impact and achieve RCE.
Three of the most critical DNS vulnerabilities in NAME:WRECK
CVE-2016-20009 is a stack-based buffer overflow vulnerability in the message compression function of the IPnet stack which could potentially lead to RCE. This is the most critical of the nine vulnerabilities, with a CVSSv3 score of 9.8, and, as the CVE naming structure would suggest, also the oldest. CVE-2016-20009 is actually a bug collision, as it was originally reported in 2016 by Exodus Intelligence but never assigned a CVE. Forescout and JSOF asked the original finders of the vulnerability to request a CVE ID in January 2021, agreeing it should be assigned an end-of-life CVE ID.
CVE-2020-15795 is a vulnerability in the DNS domain name labeling functionality of the Nucleus NET TCP/IP stack that improperly validates the names in the DNS responses. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.
CVE-2020-27009 is a vulnerability in the DNS domain name record decompression function of the Nucleus NET TCP/IP stack that occurs as an improper validation of the offset values in a pointer. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.
Millions of devices potentially affected
The report highlighted a number of statistics for the affected TCP/IP stacks, but the most alarming statistics were associated with FreeBSD. A Shodan search result provided in the report showed that over one million FreeBSD devices were internet-facing. While this does not indicate all these devices are vulnerable, it does highlight the potential attack surface.
Source: Forescout NAME:WRECK Report
Drilling down into industry-specific figures, the report examines a dataset of 13 million proprietary devices. The numbers in the chart below are representative of over 235,000 FreeBSD devices running the affected stack/operating systems. One of the most concerning figures in this chart is the number of affected devices found within the healthcare sector. As we’ve reported previously, healthcare is one of the most targeted sectors, particularly by ransomware groups.
Source: Forescout NAME:WRECK Report
Exploitation scenario: Let’s get creative
The NAME:WRECK report demonstrates one possible scenario that was tested to gain a foothold on a target network using the Nucleus TCP/IP stack as an example. According to the report, the steps involved were as follows:
- Initial access to an organization’s network is obtained by exploiting one of the Nucleus Net RCE vulnerabilities and compromising a device issuing DNS requests to a server on the internet. This highlights the key caveat with exploiting DNS-based vulnerabilities: an attacker needs to reply to a legitimate DNS request with their malicious packet. There are a few ways this can be achieved including man-in-the-middle (MitM) attacks targeting the queried DNS servers themselves using known vulnerabilities such as DNSpooq, a list of vulnerabilities disclosed in dnsmasq by JSOF earlier this year.
- Once the attacker has gained initial access, they could move laterally by setting up a Dynamic Host Configuration Protocol (DHCP) server and leveraging this to target FreeBSD servers broadcasting DHCP in order to execute malicious code on them.
- The final step involves using these compromised servers to maintain persistence on the network and/or exfiltrate data via the internet-connected device that was used to gain the initial foothold.
Source: Forescout NAME:WRECK Report
Proof of concept
At the time this blog post was published, there was one proof-of-concept (PoC) available for CVE-2020-7461, the message compression vulnerability in FreeBSD. This particular PoC will only result in a DoS condition.
Solution
Each of the maintainers/vendors of the vulnerable TCP/IP stacks identified in the report were notified of these flaws. FreeBSD, Nucleus NET and NetX stacks have been patched recently. The following table contains the list of the stacks, their vulnerable versions and fixed versions (if available).
Affected TCP/IP Stack | Fixed Versions |
---|---|
FreeBSD | 12.1 Revision 365010 |
Nucleus NET | 5.2 |
Nucleus NET | 4.1.0 |
NetX | 6.1 |
IPNet | Not Available |
While these vulnerabilities may be addressed by their relevant vendors, there are millions of devices worldwide implementing these stacks spanning hundreds of manufacturers. Action is required by these manufacturers to ensure that fixes are deployed for their vulnerable devices.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Please note that at the time this blog post was published, the NetX vulnerability did not have a CVE assigned to it yet. We will update this blog post once a CVE is assigned.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.