Posted on 04/14/2021 4:04:41 AM PDT by ShadowAce
Forescout Research Labs, in partnership with JSOF, disclosed a new set of DNS vulnerabilities, dubbed NAME:WRECK.
These vulnerabilities affect four popular TCP/IP stacks – namely FreeBSD, IPnet, Nucleus NET and NetX – which are commonly present in well-known IT software and popular IoT/OT firmware and have the potential to impact millions of IoT devices around the world.
FreeBSD is used for high-performance servers in millions of IT networks, including major web destinations such as Netflix and Yahoo. Meanwhile, IoT/OT firmware such as Siemens’ Nucleus NET has been used for decades in critical OT and IoT devices.
The NAME:WRECK vulnerabilities potentially impact organisations across all sectors, including government, enterprise, healthcare, manufacturing and retail.
More than 180,000 devices in the U.S. and more than 36,000 devices in the UK are believed to be affected. If exploited, bad actors can use them to take target devices offline or assume control of their operations.
“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large scale disruption,” explains Daniel dos Santos, Research Manager, Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up to date patches for any devices running across these affected IP Stacks.”
In this scenario, the attacker obtains Initial Access into an organization’s network (step 1 in the figure) by compromising a device issuing DNS requests to a server on the internet. To obtain initial access, the attacker can exploit one of the RCEs affecting Nucleus NET. The compromise can happen, for instance, by weaponizing the exploitation.
Figure: Attack scenario leveraging NAME:WRECK vulnerabilities on internal and external targets
The caveat about DNS-based vulnerabilities is that they require the attacker to reply to a legitimate DNS request with a malicious packet. That can be achieved via a man-in-the-middle somewhere in the path between the request and the reply or by exploiting the queried DNS servers. Servers or forwarders vulnerable to DNSpooq and similar vulnerabilities on the way between the target device and a more authoritative DNS server, for instance, could be exploited to reply with malicious messages carrying a weaponized payload.
After the initial access, the attacker can use the compromised entry point to set up an internal DHCP server and perform Lateral Movement (step 2) by executing malicious code on vulnerable internal FreeBSD servers that broadcast DHCP requests.
Finally, the attacker can use those internal compromised servers to Persist on the target network or to Exfiltrate data (step 3) via the internet-exposed IoT device.
Some hypothetical but entirely plausible scenarios of what bad actors could do include:
Bad actors could also tap into the critical building functions of residential and commercial spaces, including major hotel chains, to endanger the safety of residents. This could include:
“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just be a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security,” warns dos Santos.
Additional details: https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/
We’re reaching a point of critical mass where the number of devices in the Internet ecosystem far outweighs the ability for us to manage them. AI is going to take over in this realm, but we have to program it first; and the bad guys are already busy poking holes in environments, such as IoT, where we’ve not focused a lot of attention. This is going to get (much) worse before it gets better, hence the seemingly endless parade of breaches over the last couple of years.
That's actually a trivial number of devices. The article also states that millions of FreeBSD installations exist. Clearly not all FreeBSD stacks are compromised.
FreeBSD has always had a good reputation for security.
I noticed that an offshoot, OpenBSD, was not on the list.
Do you think that is because FreeBSD is so prevalent and OpenBSD is not?
However, I've heard that OpenBSD has typically been more secure than FreeBSD.
Yes. That is my understanding too. I’ve never run that OS but have considered it. It has had some exploits aimed at it, but it was designed intentionally to provide security.
I plan to move to my house at the farm in a few months, and I have been offered a Beta account at that location with Elon Musk’s satellite Web system. What do you think about that approach?
My intent is to become less visible on the web, and I am looking at VPN access too.
My wife of 47 years died in 2018, I remarried a year ago. My new bride loves the place at the farm. Currently I have the kitchen and 2 bathrooms to complete restoring, or we would be there now.
I’d try Starlink. Definitely get a VPN.
OpenBSD is much more secure “out of the box.”
OpenBSD has a stellar security record, while the other two BSDs don’t.
Thank you.
OK. I appreciate your advice.
I’m an old Linux user (since 1994), but I don’t have the kind of technical networking background that you do. Networking is my weakness.
[[Tampering with heating, ventilation and air conditioning systems]]
Is it hot in here, or is it just me?
Bruce Schneier has been talking about this for a while now. His latest book, 'Click Here to Kill Everybody', is fairly scary.
5 publicly known vulnerabilities:
CVE-2018-13379 Fortinet FortiGate VPN
CVE-2019-9670 Synacor Zimbra Collaboration Suite
CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
CVE-2019-19781 Citrix Application Delivery Controller and Gateway
CVE-2020-4006 VMware Workspace ONE Access
Cyber attackers are scanning the internet for vulnerable Microsoft Exchange servers they can exploit to mine for cryptocurrency. “It’s basically free money rolling in for the attackers,” warn cybersecurity researchers.
https://www.zdnet.com/article/free-money-cyber-criminals-are-installing-cryptojacking-malware-on-unpatched-microsoft-exchange-servers/
Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage.
Read technical info with links to additional info: