Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

NAME:WRECK: Nine DNS Vulnerabilities Found in Four Open Source TCP/IP Stacks

Nine new DNS-related vulnerabilities have been identified across TCP/IP stacks embedded in millions of devices.

Update May 19, 2021: The Identifying Affected Systems section has been updated to reflect the availability of service detection plugins for three of the four open source TCP/IP stacks referenced in this blog post.

Background

On April 13, 2021, researchers at Forescout and JSOF published a report called NAME:WRECK. The report details the discovery of nine Domain Name System (DNS) vulnerabilities across four widely used open-source TCP/IP stacks. Conservative estimates suggest that the flaws are present in over 100 million devices. NAME:WRECK is the third TCP/IP report to stem from research conducted through PROJECT:MEMORIA; the prior reports include NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks and AMNESIA:33, which details a staggering 33 vulnerabilities across four TCP/IP stacks. This research also highlights the risks involved with using open-source TCP/IP stacks in operational technology (OT), internet of things (IoT) and IT, which can affect millions of devices.

Analysis

The potential impact of these vulnerabilities includes DNS Cache Poisoning, Denial of Service (DoS) and Remote Code Execution (RCE). The nine vulnerabilities are identified in the following table:

CVE Stack Affected Feature Potential Impact CVSSv3
CVE-2016-20009 IPNet Message compression Remote Code Execution 9.8
CVE-2020-15795 Nucleus NET Domain name label parsing Remote Code Execution 8.1
CVE-2020-27009 Nucleus NET Message compression Remote Code Execution 8.1
CVE-2020-7461 FreeBSD Message Compression Remote Code Execution 7.7
CVE-2020-27736 Nucleus NET Domain name label parsing Denial of Service 6.5
CVE-2020-27737 Nucleus NET Domain name label parsing Denial of Service 6.5
CVE-2020-27738 Nucleus NET Message Compression Denial of Service 6.5
Not Assigned NetX Message Compression Denial of Service 6.5
CVE-2021-25677 Nucleus NET Transaction ID DNS Cache Poisoning 5.3

Root cause analysis

The vulnerabilities stem from implementation problems within the various TCP/IP stacks due to the complexities and misinterpretation of Request for Comments (RFC) standards. For example, the standard RFC 1035, also known as “Domain Names – Implementation and Specification,” specifies the reduction of DNS message sizes, including DNS resolvers and multicast DNS (mDNS), through a compression mechanism. To address these in the future, Forescout researchers created a draft of an informational RFC to help developers avoid making the same mistakes in DNS implementations moving forward and highlighting the identified anti-patterns from their research.

The gift that keeps on giving

In the initial research surrounding these TCP/IP stacks, most of the focus was on the implementation of the DNS message compression. Four of the Nucleus NET TCP/IP vulnerabilities in the table above (CVE-2020-15795, CVE-2020-27736, CVE2020-27737 and CVE-2021-25677) were discovered as a byproduct of the initial research. The NAME:WRECK report highlights how chaining together these four unrelated flaws with CVE-2020-27009 or CVE-2020-27738 could increase their impact and achieve RCE.

Three of the most critical DNS vulnerabilities in NAME:WRECK

CVE-2016-20009 is a stack-based buffer overflow vulnerability in the message compression function of the IPnet stack which could potentially lead to RCE. This is the most critical of the nine vulnerabilities, with a CVSSv3 score of 9.8, and, as the CVE naming structure would suggest, also the oldest. CVE-2016-20009 is actually a bug collision, as it was originally reported in 2016 by Exodus Intelligence but never assigned a CVE. Forescout and JSOF asked the original finders of the vulnerability to request a CVE ID in January 2021, agreeing it should be assigned an end-of-life CVE ID.

CVE-2020-15795 is a vulnerability in the DNS domain name labeling functionality of the Nucleus NET TCP/IP stack that improperly validates the names in the DNS responses. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.

CVE-2020-27009 is a vulnerability in the DNS domain name record decompression function of the Nucleus NET TCP/IP stack that occurs as an improper validation of the offset values in a pointer. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.

Millions of devices potentially affected

The report highlighted a number of statistics for the affected TCP/IP stacks, but the most alarming statistics were associated with FreeBSD. A Shodan search result provided in the report showed that over one million FreeBSD devices were internet-facing. While this does not indicate all these devices are vulnerable, it does highlight the potential attack surface.

Source: Forescout NAME:WRECK Report

Drilling down into industry-specific figures, the report examines a dataset of 13 million proprietary devices. The numbers in the chart below are representative of over 235,000 FreeBSD devices running the affected stack/operating systems. One of the most concerning figures in this chart is the number of affected devices found within the healthcare sector. As we’ve reported previously, healthcare is one of the most targeted sectors, particularly by ransomware groups.

Source: Forescout NAME:WRECK Report

Exploitation scenario: Let’s get creative

The NAME:WRECK report demonstrates one possible scenario that was tested to gain a foothold on a target network using the Nucleus TCP/IP stack as an example. According to the report, the steps involved were as follows:

  1. Initial access to an organization's network is obtained by exploiting one of the Nucleus Net RCE vulnerabilities and compromising a device issuing DNS requests to a server on the internet. This highlights the key caveat with exploiting DNS-based vulnerabilities: an attacker needs to reply to a legitimate DNS request with their malicious packet. There are a few ways this can be achieved including man-in-the-middle (MitM) attacks targeting the queried DNS servers themselves using known vulnerabilities such as DNSpooq, a list of vulnerabilities disclosed in dnsmasq by JSOF earlier this year.
  2. Once the attacker has gained initial access, they could move laterally by setting up a Dynamic Host Configuration Protocol (DHCP) server and leveraging this to target FreeBSD servers broadcasting DHCP in order to execute malicious code on them.
  3. The final step involves using these compromised servers to maintain persistence on the network and/or exfiltrate data via the internet-connected device that was used to gain the initial foothold.

Source: Forescout NAME:WRECK Report

Proof of concept

At the time this blog post was published, there was one proof-of-concept (PoC) available for CVE-2020-7461, the message compression vulnerability in FreeBSD. This particular PoC will only result in a DoS condition.

Solution

Each of the maintainers/vendors of the vulnerable TCP/IP stacks identified in the report were notified of these flaws. FreeBSD, Nucleus NET and NetX stacks have been patched recently. The following table contains the list of the stacks, their vulnerable versions and fixed versions (if available).

Affected TCP/IP Stack Fixed Versions
FreeBSD 12.1 Revision 365010
Nucleus NET 5.2
Nucleus NET 4.1.0
NetX 6.1
IPNet Not Available

While these vulnerabilities may be addressed by their relevant vendors, there are millions of devices worldwide implementing these stacks spanning hundreds of manufacturers. Action is required by these manufacturers to ensure that fixes are deployed for their vulnerable devices.

Identifying affected systems

Detection plugins for some of the TCP/IP stacks analyzed in the NAME:WRECK report are available for Tenable customers. These detection plugins can be used to identify assets using these stacks within your network.

Detection Plugin Plugin ID Detection Type
NetX TCP/IP Stack 149508 HTTP Detection
FreeBSD TCP/IP Stack 149509 HTTP Detection
Nucleus Net TCP/IP Stack 149645 FTP Detection

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Please note that at the time this blog post was published, the NetX vulnerability did not have a CVE assigned to it yet. We will update this blog post once a CVE is assigned.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training