Estimated Devices Affected
Vedere Labs, partnering with JSOF Research, disclosed NAME:WRECK, a set of Domain Name System (DNS) vulnerabilities that have the potential to cause either Denial of Service (DoS) or Remote Code Execution, allowing attackers to take targeted devices offline or to gain control over them. The widespread use of the affected TCP/IP stacks, combined with the frequent external exposure of vulnerable DNS clients, leads to a dramatically increased attack surface.
Dive into the Research
Explore underlying problems related to Domain Name System protocol complexity. This report discloses nine vulnerabilities affecting four popular TCP/IP stacks and proposes solutions for network operators (enterprise customers) and IoT/OT software developers. Learn which devices are vulnerable and get advice for fixing a problem that many researchers believe is more widespread than currently known.
Learn How Forescout Can Help
What risk does NAME:WRECK pose to your organization and what actions can you take? Forescout recently released an open-source script to discover devices running the vulnerable TCP/IP stacks. Our FAQ includes insights into patching and remediation, segmentation enforcement, configuring devices to rely on internal DNS servers and monitoring network traffic for malicious packets.
Commitment to the Cybersecurity Community
As part of the NAME:WRECK disclosure, Vedere Labs shares with the cybersecurity community the following artifacts:
- A technical report in which we discuss six DNS anti-patterns (implementation problems common in different TCP/IP stacks) and provide researchers and developers around the world with tools and knowledge enabling them to tackle the issue in other stacks
- An updated open-source script to identify possible vulnerable devices on a network
- A library of open-source Joern queries to be used by researchers and software developers to (partially) automate the finding of DNS-related vulnerabilities
- Samples of malicious traffic captures (available upon request) to be used by researchers and security analysts to test their intrusion detection systems
- A draft of an informational RFC discussing the identified anti-patterns to guide developers in avoiding making the same mistakes while writing future DNS implementations
Recommended Actions for Network Operators
- Identify devices running the vulnerable stacks using the open-source script from Vedere Labs
- Enforce segmentation controls and proper network hygiene
- Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable assets that balances business risk and continuity requirements
- Configure devices to rely on internal DNS servers as much as possible and closely monitor external DNS traffic
- Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible zero-day threats affecting DNS, mDNS and DHCP clients