Free Republic
General/Chat

New DNS vulnerabilities have the potential to impact millions of devices
HelpNet Security ^ | 13 April 2021 | Staff

Posted on 04/14/2021 4:04:41 AM PDT by ShadowAce

Forescout Research Labs, in partnership with JSOF, disclosed a new set of DNS vulnerabilities, dubbed NAME:WRECK.

These vulnerabilities affect four popular TCP/IP stacks – namely FreeBSD, IPnet, Nucleus NET and NetX – which are commonly present in well-known IT software and popular IoT/OT firmware and have the potential to impact millions of IoT devices around the world.

FreeBSD is used for high-performance servers in millions of IT networks, including major web destinations such as Netflix and Yahoo. Meanwhile, IoT/OT firmware such as Siemens’ Nucleus NET has been used for decades in critical OT and IoT devices.

The NAME:WRECK vulnerabilities potentially impact organisations across all sectors, including government, enterprise, healthcare, manufacturing and retail.

More than 180,000 devices in the U.S. and more than 36,000 devices in the UK are believed to be affected. If exploited, bad actors can use them to take target devices offline or assume control of their operations.

“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large scale disruption,” explains Daniel dos Santos, Research Manager, Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up to date patches for any devices running across these affected IP Stacks.”

Attack scenario

In this scenario, the attacker obtains Initial Access into an organization’s network (step 1 in the figure) by compromising a device that issues DNS requests to a server on the internet. To obtain initial access, the attacker can exploit one of the RCEs affecting Nucleus NET; the compromise can happen, for instance, by weaponizing such an exploit.

[Figure: Attack scenario leveraging NAME:WRECK vulnerabilities on internal and external targets]

The caveat about DNS-based vulnerabilities is that they require the attacker to reply to a legitimate DNS request with a malicious packet. That can be achieved via a man-in-the-middle somewhere in the path between the request and the reply or by exploiting the queried DNS servers. Servers or forwarders vulnerable to DNSpooq and similar vulnerabilities on the way between the target device and a more authoritative DNS server, for instance, could be exploited to reply with malicious messages carrying a weaponized payload.

After the initial access, the attacker can use the compromised entry point to set up an internal DHCP server and perform Lateral Movement (step 2) by executing malicious code on vulnerable internal FreeBSD servers that broadcast DHCP requests.

Finally, the attacker can use those internal compromised servers to Persist on the target network or to Exfiltrate data (step 3) via the internet-exposed IoT device.

What bad actors could do

Some hypothetical but entirely plausible scenarios of what bad actors could do include:

Bad actors could also tap into the critical building functions of residential and commercial spaces, including major hotel chains, to endanger the safety of residents. This could include:

“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could just be a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security,” warns dos Santos.


TOPICS: Computers/Internet
KEYWORDS: dns

1 posted on 04/14/2021 4:04:41 AM PDT by ShadowAce
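The article says only that a malicious DNS reply triggers the bugs; it does not show what a client stack must get right when parsing one. As an added illustration from the defender's side (not code from HelpNet Security, Forescout or any of the affected stacks), the following strictly bounds-checked decoder walks the question and answer sections of a reply, enforcing the RFC 1035 limits it assumes (63-byte labels, 255-byte names, compression pointers that only go backwards), and returns a reason for rejecting a malformed packet so a forwarder or IDS could drop it before a less careful stack ever sees it. The sample packets are constructed, not captured traffic.

```python
import struct

def need(cond, why):
    # Fail closed: any bounds or format violation aborts the parse with a reason.
    if not cond:
        raise ValueError(why)

def read_name(msg, offset):
    # Decode the name at offset; return (dotted name, offset just past it). Every read is
    # bounds-checked and a compression pointer is followed only if it lands strictly
    # before the previous jump target, so pointer loops and forward jumps are rejected.
    labels, total, pos, end, limit = [], 0, offset, None, offset
    while True:
        need(pos < len(msg), "name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                      # 2-byte compression pointer
            need(pos + 1 < len(msg), "truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            need(target < limit, "compression pointer does not go strictly backwards")
            end = pos + 2 if end is None else end        # name ends after its first pointer
            limit = pos = target
            continue
        if length == 0:                                  # root label ends the name
            return ".".join(labels), (pos + 1 if end is None else end)
        need(pos + 1 + length <= len(msg), "label runs past end of message")
        total += length + 1                              # 0x40/0x80 prefixes fail here too
        need(length <= 63 and total <= 255, "label over 63 or name over 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def validate_response(msg):
    # Walk the question and answer sections: (True, names) if every length field stays
    # inside the packet, otherwise (False, reason) so the caller can drop it.
    try:
        qd, an = struct.unpack("!HH", msg[4:8])          # QDCOUNT, ANCOUNT
        names, pos = [], 12
        for i in range(qd + an):
            name, pos = read_name(msg, pos)
            names.append(name)
            fixed = 4 if i < qd else 10                  # QTYPE+QCLASS, or TYPE..RDLENGTH
            need(pos + fixed <= len(msg), "truncated question or resource record")
            rdlen = struct.unpack("!H", msg[pos + 8:pos + 10])[0] if i >= qd else 0
            need(pos + fixed + rdlen <= len(msg), "RDLENGTH runs past end of message")
            pos += fixed + rdlen
        return True, names
    except (ValueError, struct.error) as err:            # struct.error: header too short
        return False, str(err)

# Constructed packets (not captured): a valid A reply for example.com, and one whose answer name loops.
GOOD = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
        + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
LOOP = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + b"\x01a\xc0\x0c\x00\x01\x00\x01"
```

Calling validate_response(GOOD) yields the two decoded names, while validate_response(LOOP), a reply truncated inside its RDATA, or a name built from four 63-byte labels each come back with the specific check that rejected them.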

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

2 posted on 04/14/2021 4:04:53 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

Additional details: https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/


3 posted on 04/14/2021 4:20:16 AM PDT by AdmSmith (GCTGATATGTCTATGATTACTCAT)

To: ShadowAce

We’re reaching a point of critical mass where the number of devices in the Internet ecosystem far outweighs the ability for us to manage them. AI is going to take over in this realm, but we have to program it first; and the bad guys are already busy poking holes in environments, such as IoT, where we’ve not focused a lot of attention. This is going to get (much) worse before it gets better, hence the seemingly endless parade of breaches over the last couple of years.


4 posted on 04/14/2021 4:31:21 AM PDT by rarestia (Repeal the 17th Amendment and ratify Article the First to give the power back to the people!)

To: ShadowAce
More than 180,000 devices in the U.S. and more than 36,000 devices in the UK are believed to be affected.

That's actually a trivial number of devices. The article also states that millions of FreeBSD installations exist. Clearly not all FreeBSD stacks are compromised.

5 posted on 04/14/2021 5:16:27 AM PDT by Rightwing Conspiratr1

To: ShadowAce

FreeBSD has always had a good reputation for security.

I noticed that an offshoot, OpenBSD was not on the list.

Do you think that is because FreeBSD is so prevalent and OpenBSD is not?


6 posted on 04/14/2021 5:46:04 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: Texas Fossil
TBH, I'm not overly familiar with the BSD family.

However, I've heard that OpenBSD has typically been more secure than FreeBSD.

7 posted on 04/14/2021 6:04:23 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

Yes. That is my understanding too. I’ve never run that OS but have considered it. It has had some exploits aimed at it, but it was designed intentionally to provide security.

I plan to move to my house at the farm in a few months, and have been offered a Beta account at that location with Elon Musk’s satellite Web system. What do you think about that approach?

My intent is to become less visible on the web, and I am looking at VPN access too.

My wife of 47 years died in 2018, I remarried a year ago. My new bride loves the place at the farm. Currently I have the kitchen and 2 bathrooms to complete restoring, or we would be there now.


8 posted on 04/14/2021 6:25:22 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: Texas Fossil

I’d try Starlink. Definitely get a VPN.


9 posted on 04/14/2021 6:28:22 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: Texas Fossil

OpenBSD is much more secure “out of the box.”

OpenBSD has a stellar security record, while the other two BSDs don’t.


10 posted on 04/14/2021 6:52:29 AM PDT by ConservativeMind (Trump: Befuddling Democrats, Republicans, and the Media for the benefit of the US and all mankind.)

To: ConservativeMind

Thank you.


11 posted on 04/14/2021 7:37:07 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: ShadowAce

OK. I appreciate your advice.

I’m an old Linux user (since 1994), but without the type of network technical computer background you have. Networking is my weakness.


12 posted on 04/14/2021 7:38:54 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: ShadowAce

[[Tampering with heating, ventilation and air conditioning systems]]

Is it hot in here, or is it just me?


13 posted on 04/14/2021 9:24:25 AM PDT by Bob434

To: rarestia
We’re reaching a point of critical mass where the number of devices in the Internet ecosystem far outweighs the ability for us to manage them

Bruce Schneier has been talking about this for a while now. His latest book, 'Click Here to Kill Everyone' is fairly scary.

14 posted on 04/14/2021 10:17:26 AM PDT by zeugma (Stop deluding yourself that America is still a free country.)

To: ShadowAce

5 publicly known vulnerabilities:

CVE-2018-13379 Fortinet FortiGate VPN
CVE-2019-9670 Synacor Zimbra Collaboration Suite
CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
CVE-2019-19781 Citrix Application Delivery Controller and Gateway
CVE-2020-4006 VMware Workspace ONE Access

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/


15 posted on 04/15/2021 6:10:19 AM PDT by AdmSmith (GCTGATATGTCTATGATTACTCAT)

To: AdmSmith

Cyber attackers are scanning the internet for vulnerable Microsoft Exchange servers they can exploit to mine for cryptocurrency. “It’s basically free money rolling in for the attackers,” warn cybersecurity researchers.
https://www.zdnet.com/article/free-money-cyber-criminals-are-installing-cryptojacking-malware-on-unpatched-microsoft-exchange-servers/


16 posted on 04/15/2021 6:57:25 AM PDT by AdmSmith (GCTGATATGTCTATGATTACTCAT)

To: ShadowAce
Further TTPs associated with SVR cyber actors

Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage.

Read the technical info, with links to additional info:

https://media.defense.gov/2021/May/07/2002637232/-1/-1/0/ADVISORY%20FURTHER%20TTPS%20ASSOCIATED%20WITH%20SVR%20CYBER%20ACTORS.PDF

17 posted on 05/13/2021 7:43:57 AM PDT by AdmSmith (GCTGATATGTCTATGATTACTCAT)
