Nine new DNS-related vulnerabilities have been identified across TCP/IP stacks embedded in millions of devices.

Background

On April 13, 2021, researchers at Forescout and JSOF published a report called NAME:WRECK. The report details the discovery of nine Domain Name System (DNS) vulnerabilities across four widely used open-source TCP/IP stacks. Conservative estimates suggest that the flaws are present in over 100 million devices. NAME:WRECK is the third TCP/IP report to stem from research conducted through PROJECT:MEMORIA; the prior reports include NUMBER:JACK, which highlights nine vulnerabilities across nine TCP/IP stacks, and AMNESIA:33, which details a staggering 33 vulnerabilities across four TCP/IP stacks. This research also highlights the risks involved in using open-source TCP/IP stacks in operational technology (OT), internet of things (IoT) and IT environments, where a single flaw can affect millions of devices.

Analysis

The potential impact of these vulnerabilities includes DNS Cache Poisoning, Denial of Service (DoS) and Remote Code Execution (RCE). The nine vulnerabilities are identified in the following table:

CVE              Stack        Affected Feature            Potential Impact        CVSSv3
CVE-2016-20009   IPnet        Message compression         Remote Code Execution   9.8
CVE-2020-15795   Nucleus NET  Domain name label parsing   Remote Code Execution   8.1
CVE-2020-27009   Nucleus NET  Message compression         Remote Code Execution   8.1
CVE-2020-7461    FreeBSD      Message compression         Remote Code Execution   7.7
CVE-2020-27736   Nucleus NET  Domain name label parsing   Denial of Service       6.5
CVE-2020-27737   Nucleus NET  Domain name label parsing   Denial of Service       6.5
CVE-2020-27738   Nucleus NET  Message compression         Denial of Service       6.5
Not Assigned     NetX         Message compression         Denial of Service       6.5
CVE-2021-25677   Nucleus NET  Transaction ID              DNS Cache Poisoning     5.3

Root cause analysis

The vulnerabilities stem from implementation problems within the various TCP/IP stacks, caused by the complexity and misinterpretation of Request for Comments (RFC) standards. For example, RFC 1035, 'Domain Names - Implementation and Specification,' specifies a compression mechanism for reducing the size of DNS messages; it applies to ordinary DNS resolvers as well as multicast DNS (mDNS). To address these problems in the future, Forescout researchers drafted an informational RFC that catalogs the anti-patterns identified in their research, to help developers avoid making the same mistakes in DNS implementations going forward.

The gift that keeps on giving

In the initial research surrounding these TCP/IP stacks, most of the focus was on the implementation of DNS message compression. Four of the Nucleus NET vulnerabilities in the table above (CVE-2020-15795, CVE-2020-27736, CVE-2020-27737 and CVE-2021-25677) were discovered as a byproduct of that initial research. The NAME:WRECK report highlights how chaining these four unrelated flaws together with CVE-2020-27009 or CVE-2020-27738 could increase their impact and achieve RCE.

Three of the most critical DNS vulnerabilities in NAME:WRECK

CVE-2016-20009 is a stack-based buffer overflow vulnerability in the message compression function of the IPnet stack which could potentially lead to RCE. This is the most critical of the nine vulnerabilities, with a CVSSv3 score of 9.8, and, as the CVE naming structure would suggest, also the oldest. CVE-2016-20009 is actually a bug collision: it was originally reported in 2016 by Exodus Intelligence but was never assigned a CVE. In January 2021, Forescout and JSOF asked the original finders of the vulnerability to request a CVE ID, agreeing that it should be assigned an end-of-life CVE ID.

CVE-2020-15795 is a vulnerability in the DNS domain name labeling functionality of the Nucleus NET TCP/IP stack that improperly validates the names in the DNS responses. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.

CVE-2020-27009 is a vulnerability in the DNS domain name record decompression function of the Nucleus NET TCP/IP stack, caused by improper validation of the offset values carried in compression pointers. Successful exploitation would allow an attacker with elevated privileges to write past the end of the allocated structure and execute code in the context of the current process or force a DoS condition. Exploitation would require an attacker to create a malformed DNS response to a legitimate DNS request, which would then be parsed by a vulnerable function.
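The message compression and label parsing flaws above come down to missing checks on the two fields RFC 1035 name encoding carries: the label length byte and the 14-bit compression pointer offset. The following is an added example, not code from the report or from any of the affected stacks, of a bounds-checked name decoder: every length and pointer target is validated against the message length before it is dereferenced, pointers may only move backwards (which rules out loops and forward targets), and the RFC 1035 label and name size limits are enforced. SAMPLE is a constructed name section, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Decode a possibly compressed name at msg[off] into out (dotted, NUL-terminated).
 * Returns the bytes the name occupies at off, or -1 if malformed. Every length
 * byte, label body and pointer target is bounds-checked before use, and a
 * pointer may only move backwards, which rules out loops and forward targets. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_len) {
    size_t pos = off, consumed = 0, outpos = 0, wire = 1; /* wire counts root byte */
    int jumped = 0;
    if (out_len == 0) return -1;
    for (;;) {
        if (pos >= msg_len) return -1;              /* no room for length byte */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                 /* 11xxxxxx: pointer */
            if (pos + 1 >= msg_len) return -1;      /* second pointer byte */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;           /* forward or self: loop */
            if (!jumped) consumed = pos + 2 - off;  /* name ends at the pointer */
            jumped = 1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                  /* 01/10 prefixes reserved */
        pos++;
        if (len == 0) break;                        /* root label ends the name */
        if (len > 63 || pos + len > msg_len) return -1; /* RFC 1035 label max */
        if ((wire += len + 1) > 255) return -1;     /* RFC 1035 name max */
        if (outpos + len + 1 >= out_len) return -1; /* label + '.' + NUL */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos, len);
        outpos += len;
        pos += len;
    }
    if (!jumped) consumed = pos - off;
    out[outpos] = '\0';
    return (int)consumed;
}
/* Constructed 19-byte name section: "example.com" at offset 0, then "www"
 * followed by a pointer back to offset 0, starting at offset 13. */
static const uint8_t SAMPLE[] = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
                                  3,'w','w','w', 0xC0, 0x00 };
/* Decode the name at off in SAMPLE; returns bytes consumed if the decoded
 * text equals expected, -1 when malformed or different. */
int sample_name_is(size_t off, const char *expected) {
    char buf[256];
    int n = dns_read_name(SAMPLE, sizeof SAMPLE, off, buf, sizeof buf);
    return (n >= 0 && strcmp(buf, expected) == 0) ? n : -1;
}
```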

Millions of devices potentially affected

The report highlighted a number of statistics for the affected TCP/IP stacks, but the most alarming statistics were associated with FreeBSD. A Shodan search result provided in the report showed that over one million FreeBSD devices were internet-facing. While this does not indicate all these devices are vulnerable, it does highlight the potential attack surface.

Source: Forescout NAME:WRECK Report

Drilling down into industry-specific figures, the report examines a dataset of 13 million proprietary devices. The numbers in the chart below are representative of over 235,000 FreeBSD devices running the affected stack/operating systems. One of the most concerning figures in this chart is the number of affected devices found within the healthcare sector. As we've reported previously, healthcare is one of the most targeted sectors, particularly by ransomware groups.

Source: Forescout NAME:WRECK Report

Exploitation scenario: Let's get creative

The NAME:WRECK report demonstrates one possible scenario that was tested to gain a foothold on a target network using the Nucleus TCP/IP stack as an example. According to the report, the steps involved were as follows:

  1. Initial access to an organization's network is obtained by exploiting one of the Nucleus NET RCE vulnerabilities to compromise a device that issues DNS requests to a server on the internet. This highlights the key caveat with exploiting DNS-based vulnerabilities: an attacker needs to reply to a legitimate DNS request with their malicious packet. There are a few ways this can be achieved, including man-in-the-middle (MitM) attacks or targeting the queried DNS servers themselves using known vulnerabilities such as DNSpooq, a set of vulnerabilities in dnsmasq disclosed by JSOF earlier this year.
  2. Once the attacker has gained initial access, they could move laterally by setting up a Dynamic Host Configuration Protocol (DHCP) server and leveraging this to target FreeBSD servers broadcasting DHCP in order to execute malicious code on them.
  3. The final step involves using these compromised servers to maintain persistence on the network and/or exfiltrate data via the internet-connected device that was used to gain the initial foothold.

Source: Forescout NAME:WRECK Report

Proof of concept

At the time this blog post was published, there was one proof-of-concept (PoC) available for CVE-2020-7461, the message compression vulnerability in FreeBSD. This particular PoC will only result in a DoS condition.

Solution

Each of the maintainers/vendors of the vulnerable TCP/IP stacks identified in the report was notified of these flaws. The FreeBSD, Nucleus NET and NetX stacks have been patched recently. The following table lists the stacks and their fixed versions (where available).

Affected TCP/IP Stack   Fixed Versions
FreeBSD                 12.1 Revision 365010
Nucleus NET             5.2
Nucleus NET             4.1.0
NetX                    6.1
IPnet                   Not Available

While these vulnerabilities may be addressed by their relevant vendors, there are millions of devices worldwide implementing these stacks spanning hundreds of manufacturers. Action is required by these manufacturers to ensure that fixes are deployed for their vulnerable devices.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. Please note that at the time this blog post was published, the NetX vulnerability did not have a CVE assigned to it yet. We will update this blog post once a CVE is assigned.

Get more information
  • NAME:WRECK Report PDF
  • Tenable Blog Post for NUMBER:JACK
  • Tenable Blog Post for AMNESIA:33


Disclaimer

Tenable Holdings Inc. published this content on 15 April 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 09 May 2021 00:09:03 UTC.