Dive Brief:
- Researchers found at least nine domain name system (DNS) vulnerabilities, collectively referred to as NAME:WRECK, impacting four TCP/IP stacks, according to data from Forescout, JSOF and Armis. TCP/IP, which stands for Transmission Control Protocol/Internet Protocol, is the communication protocol suite used by internet-connected network devices. NAME:WRECK was disclosed by Forescout in partnership with JSOF.
- Researchers compiled data on the vulnerabilities over the last few years, expecting NAME:WRECK to impact at least 100 million IoT and OT devices. It's an "extremely conservative estimate, assuming that 1% of the more than 10 billion deployments" of Nucleus NET, FreeBSD and NetX are vulnerable, researchers said.
- Forescout researchers also found NUMBER:JACK and Amnesia:33. NUMBER:JACK is considered less critical than Amnesia:33, which consists of 33 vulnerabilities impacting four open source TCP/IP stacks, including uIP, FNET, picoTCP and Nut/Net. Forescout estimates more than 1 million IoT, OT and IT devices could be impacted.
Dive Insight:
DNS is typically reachable from outside the network, which widens the attack surface. Each vulnerability could lead to a denial of service attack, or an attacker could take control of a susceptible device through remote code execution.
The vulnerable Nucleus NET, FreeBSD and NetX stacks are likely to affect the government and healthcare sectors the most, and similar flaws have lingered in other stacks within legacy systems for years.
The URGENT/11 exploit, discovered by Armis, impacted 97% of unpatched OT devices over the course of 18 months, ending in December 2020. URGENT/11 affects enterprise and medical devices, OT, industrial control systems (ICS) and programmable logic controllers (PLC).
Ripple20, discovered by JSOF, is a series of 19 zero-day vulnerabilities across low-level TCP/IP stacks. "The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor," JSOF's report said. Potentially vulnerable companies include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter, but the list is not limited to Fortune 500 companies.
While patching is the obvious way to protect vulnerable devices, researchers warn that patching could become an impossible task for some companies. If a device's firmware is outdated, the company using it has no update to apply.
Microsoft estimates 80% of enterprises experienced a firmware-level attack in the last two years, partially due to the difficulty in catching them. Attackers are drawn to a device's memory or kernel.
While updates are available for Nucleus NET, FreeBSD and NetX, companies are waiting on device vendors to embed them within the operating system, said Lee Neely, senior cyber analyst at Lawrence Livermore National Laboratory and a SANS analyst, in the SANS Institute newsletter Tuesday.
If patching is unavailable, JSOF recommends minimizing internet exposure of embedded and critical devices and air gapping OT networks and devices with firewalls.
"A better fix is likely an architecture that forces all internal devices to use an internal recursive resolver," said Johannes Ullrich, dean of research at the SANS Technology Institute, in the SANS newsletter. "While it may not mitigate all the vulnerabilities, it will at least provide visibility into DNS traffic, which is crucial for devices that are often only offering limited logging."
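One way to act on that recommendation, as an added example that is not code from the article, Forescout, JSOF or SANS: given constructed flow records and a simplified, constructed resolver query log, it flags devices that resolve names on their own instead of through the assumed internal resolver (10.0.0.53), and lists what each device did resolve through it. The resolver address, the log layout and the sample addresses (from documentation ranges) are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed: the single internal recursive resolver all devices must use.
INTERNAL_RESOLVER = "10.0.0.53"
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.0.53", 53),      # uses the internal resolver
    ("10.0.1.21", "203.0.113.5", 53),    # bypasses it
    ("10.0.1.21", "203.0.113.5", 53),
    ("10.0.1.22", "198.51.100.1", 853),  # DNS over TLS, also a bypass
    ("10.0.1.23", "198.51.100.9", 443),  # not DNS, ignored
]

# Constructed resolver query-log lines in a simplified BIND-like layout.
SAMPLE_RESOLVER_LOG = """\
client 10.0.1.20#40213: query: update.vendor.example IN A
client 10.0.1.20#40214: query: ntp.example IN A
client 10.0.1.24#5353: query: ntp.example IN AAAA
"""

LOG_RE = re.compile(r"^client (\S+)#\d+: query: (\S+) IN (\S+)$")


def dns_bypass_by_device(flows, resolver=INTERNAL_RESOLVER):
    """Map src_ip -> {dst_ip: count} for DNS flows not sent to the resolver.
    Such a device resolves on its own and never appears in the resolver log."""
    hits = defaultdict(Counter)
    for src, dst, dport in flows:
        if dport in DNS_PORTS and dst != resolver:
            hits[src][dst] += 1
    return {src: dict(c) for src, c in hits.items()}


def queries_by_device(log_text):
    """Map client_ip -> [(qname, qtype), ...] seen at the resolver; this is the
    visibility the resolver provides for devices that log little themselves."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            seen[m.group(1)].append((m.group(2), m.group(3)))
    return dict(seen)


if __name__ == "__main__":
    for dev, targets in dns_bypass_by_device(SAMPLE_FLOWS).items():
        print(f"{dev} bypasses the internal resolver: {targets}")
    for dev, qs in queries_by_device(SAMPLE_RESOLVER_LOG).items():
        print(f"{dev} resolved {len(qs)} names via the internal resolver")
```

Devices that show up in the first list should be forced back to the internal resolver (for example by blocking outbound port 53/853 at the firewall), after which their lookups become visible in the second.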
Forescout supplied companies with an open-source script to detect vulnerable stacks. When companies lack tooling or the ability to gauge their level of risk, they depend on security advisories sent by vendors, according to researchers.