More than 100 million connected internet of things (IoT) devices, as many as 36,000 of them physically located in the UK, are thought to be at risk from nine newly disclosed DNS vulnerabilities, discovered by Forescout Research Labs and JSOF, and collectively dubbed NAME:WRECK.
The NAME:WRECK bugs affect four well-used TCP/IP stacks, FreeBSD, IPnet, Nucleus NET and NetX, which are present in well-known IT software and IoT/OT firmware.
FreeBSD, for example, runs on high-performance servers on millions of networks and is used on other well-known open source projects such as firewalls and some commercial network appliances. Nucleus NET has over three billion known installations in medical devices, avionics systems and building automation. NetX, meanwhile, runs in medical devices, systems-on-a-chip and several types of printer, as well as energy and power equipment in industrial control systems (ICS).
As a result of this, the vulnerabilities impact organisations in multiple sectors, from government to healthcare, manufacturing and retail, and if successfully exploited by malicious actors in a denial of service (DoS) or remote code execution (RCE) attack, could be used to disrupt or take control of victim networks.
“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption,” said Daniel dos Santos, research manager at Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP stacks.
“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”
Although FreeBSD, Nucleus NET and NetX have all been patched recently, as with many other vulnerabilities affecting deployed IoT devices, NAME:WRECK will inevitably be hard to patch in some instances because nowadays, IoT technology is often deeply embedded in organisational systems, can be hard to manage, and often essentially impossible to patch.
In the light of this, Forescout and JSOF are recommending a series of mitigations:
- Users should try to discover and inventory devices running the vulnerable stacks – Forescout has pushed out an open source script that uses active fingerprinting to do this, which is being updated as new developments occur.
- Users should enforce segmentation controls and increase network hygiene, restricting external communication paths and isolating vulnerable devices if they cannot be patched.
- Users should monitor for patches being dropped by affected device suppliers and devise a remediation plan for affected inventory.
- Users should configure affected devices to run on internal DNS servers, and monitor external DNS traffic (successful exploitation would need a malicious DNS server to reply with malicious packets).
- Users should monitor all their network traffic for malicious packets trying to exploit known vulnerabilities or zero-days affecting DNS, mDNS and DHCP clients.
NAME:WRECK is the second major set of TCP/IP vulnerabilities uncovered by Forescout’s team in the past year as part of a research programme called Project Memoria.
In December 2020, the firm issued a warning over 33 different flaws, referred to as Amnesia33, affecting devices made by over 150 different tech manufacturers. Such was the scale of the Amnesia33 disclosure that it prompted an emergency alert from the US Cyber Security and Infrastructure Security Agency.
Read more about IoT security
- Organisations can upgrade their devices to include TPMs that serve as passive security on the host system, simplify device maintenance and enhance overall security.
- IoT, while influential and beneficial, introduces several enterprise security issues. Key risks of IoT include network vulnerabilities and outdated software and firmware.
- Cyber attacks on IoT and CMS have grown throughout 2020 and organisations must step up their network security measures with tactics such as zero trust.