Forescout Research Labs and JSOF discover nine new vulnerabilities affecting four popular TCP/IP stacks used in millions of IoT, OT and IT devices.
Forescout Research Labs, partnering with JSOF Research, disclosed NAME:WRECK, a set of Domain Name System (DNS) vulnerabilities that have the potential to cause either Denial of Service (DoS) or Remote Code Execution, allowing attackers to take targeted devices offline or to gain control over them. The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface.
THE IMPACT OF NAME:WRECK
NAME:WRECK vulnerabilities impact FreeBSD software used in high-performance servers in millions of IT networks, and popular firmware, such as Nucleus NET used in critical IoT/OT devices, as well as NetX and IPnet.
DIVE INTO THE RESEARCH
Explore underlying problems related to Domain Name System protocol complexity. This report discloses nine vulnerabilities affecting four popular TCP/IP stacks and proposes solutions for network operators (enterprise customers) and IoT/OT software developers. Learn which devices are vulnerable and get advice for fixing a problem that many researchers believe is more widespread than currently known.
LEARN HOW FORESCOUT CAN HELP
What risk does NAME:WRECK pose to your organization and what actions can you take? Forescout recently released an open-source script to discover devices running the vulnerable TCP/IP stacks. Our FAQ includes insights on patching and remediation, segmentation enforcement, configuring devices to rely on internal DNS servers and monitoring network traffic for malicious packets.
Learn how to protect your Enterprise IT, IoT, and OT devices against NAME:WRECK vulnerabilities.
HOW FORESCOUT HELPS THE CYBERSECURITY COMMUNITY
As part of the NAME:WRECK disclosure, Forescout Research Labs shares with the cybersecurity community the following artifacts:
- A technical report, in which we discuss six DNS anti-patterns (implementation problems common in different TCP/IP stacks) and provide researchers and developers around the world with tools and knowledge enabling them to tackle the issue in other stacks
- An updated open-source script to identify possible vulnerable devices on a network
- A library of open-source Joern queries to be used by researchers and software developers to (partially) automate the finding of DNS-related vulnerabilities
- Samples of malicious traffic captures (available upon request) to be used by researchers and security analysts to test their intrusion detection systems
- A draft of an informational RFC discussing the identified anti-patterns, to help developers avoid the same mistakes when writing future DNS implementations
In this blog, security researchers from Forescout Research Labs and JSOF break down the findings from their technical report and discuss tools they are sharing with other researchers, developers, vendors and enterprise customers, as well as the following risk mitigation recommendations:
- Identify devices running the vulnerable stacks using the open-source script from Forescout Research Labs
- Enforce segmentation controls and proper network hygiene
- Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable assets that balances business risk and continuity requirements
- Configure devices to rely on internal DNS servers as much as possible and closely monitor external DNS traffic
- Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-day threats affecting DNS, mDNS and DHCP clients