According to researchers, an estimated 100 million or more Internet-connected devices currently have one or more flaws from a vulnerability class called NAME:WRECK.
A wide variety of devices are affected by this class of flaws, including smartphones and tablets, industrial IoT (Internet of Things) devices, and even aircraft navigation systems. Researchers at JSOF Research Labs and Forescout Research Labs found that affected devices can be susceptible to Remote Code Execution (RCE) or Denial of Service (DoS) attacks. Some vendors of affected devices have released security patches for this class of vulnerabilities, but many have yet to patch the flaws.
The NAME:WRECK class consists of nine separate vulnerabilities, all related to the implementation of the DNS (Domain Name System) protocol within TCP/IP network communication stacks. These technologies make it possible for separate devices connected to the Internet to be identified, and they also support communication between those devices. The most serious of the discovered vulns is rated “critical” in severity.
Since both DNS and TCP/IP are used within so many devices, the attack surface is very large, which is why it is estimated that no fewer than 100 million devices around the globe are presently susceptible to attacks that try to exploit the NAME:WRECK bugs.
More About the NAME:WRECK Bugs
According to the Project Memoria research collective, there have been four previous major sets of TCP/IP vulnerabilities within the last three years. The vulns that predate the NAME:WRECK class are Ripple20, URGENT/11, Amnesia33, and NUMBER:JACK. Those four were also found by Project Memoria.
The nine separate NAME:WRECK flaws have been divided into four subcategories by the experts at JSOF and Forescout, depending on the TCP/IP stack and DNS implementation present in the affected devices. The four categories are Nucleus NET, FreeBSD, NetX, and IPnet.
The researchers explain that the name given to this class of bugs comes from how DNS implementations in TCP/IP stacks could be broken (wrecked) through the parsing of domain names.
Like the previous bugs related to DNS and TCP/IP, the NAME:WRECK category shows how the complexity of the Domain Name System (DNS) protocol can be exploited, enabling criminal actors to remotely take control of thousands, if not millions, of devices at the same time.
How the DNS Compression Bug Functions
One subclass of the NAME:WRECK flaws is related to DNS message compression, which affects a wide variety of digital devices that communicate via TCP/IP and compress the domain names carried in DNS messages.
According to the specialists, the first bug (tracked as CVE-2020-27009) allows an attacker to combine invalid compression pointers in a forged DNS response packet and, with its help, write arbitrary data into the memory of the targeted device.
The second flaw, CVE-2020-15795, enables attackers to inject code by abusing the domain records contained in the malicious packet. To complete the attack and deliver the packet to the targeted system, the attacker uses the CVE-2021-25667 flaw to get around the DNS query-response check.
The researchers explain that it all comes down to the way domain names are encoded by the TCP/IP stacks. The encoding is intended to reduce the size of DNS messages, but attackers can exploit flaws in the TCP/IP stacks when the compressed names are unpacked, which in turn exposes the devices using that stack.
The attackers carefully choose a combination of invalid compression offsets in the DNS packet that lets them perform out-of-bounds writes into the destination buffer (“dst”) and thus achieve remote code execution.
To construct the payload and use it to overflow the domain name, the attackers typically chain together several domain labels.
The researchers have also discovered additional NAME:WRECK-type flaws, including message-compression and domain and VDomain name label-parsing flaws.
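The defence against the compression-pointer problem described above is a name decoder that validates every pointer before following it. The following is an added illustration, not code from the NAME:WRECK report or from any of the affected stacks: a Python decoder that rejects pointers that do not point strictly backwards (which rules out loops and out-of-message reads), oversized labels and over-long names, together with a few constructed DNS messages (not captured traffic) that exercise each rejection. The same check is what a network monitor would run over observed DNS responses.

```python
MAX_LABEL, MAX_NAME = 63, 255          # RFC 1035 limits

class BadName(ValueError):
    """Name violates RFC 1035 or uses an unsafe compression pointer."""

def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name at msg[off] -> (name, offset after it).
    Rejects reads past the message, forward/self pointers, bad labels, long names."""
    labels, total, end = [], 0, None
    while True:
        if off >= len(msg):
            raise BadName("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if off + 1 >= len(msg):
                raise BadName("truncated pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if end is None:                            # resume after the first pointer
                end = off + 2
            if ptr >= off:                             # must point strictly backwards
                raise BadName(f"pointer from {off} to {ptr} is not backwards")
            off = ptr
            continue
        if length == 0:                                # root label ends the name
            return ".".join(labels) + ".", (end if end is not None else off + 1)
        if length > MAX_LABEL:                         # also rejects reserved 0x40/0x80 types
            raise BadName(f"label byte 0x{length:02x} is not a legal length")
        total += length + 1
        if total + 1 > MAX_NAME:                       # +1 for the root label
            raise BadName("name exceeds 255 bytes")
        label = msg[off + 1:off + 1 + length]
        if len(label) < length:
            raise BadName("label truncated by end of message")
        labels.append(label.decode("ascii", "replace"))
        off += 1 + length

def is_safe_name(msg: bytes, off: int) -> bool:
    """Monitor-style check: True if the name decodes cleanly, False if malformed."""
    try:
        read_name(msg, off)
        return True
    except BadName:
        return False

# Constructed sample messages (not captured traffic): 12-byte header, then names
HDR = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
GOOD = HDR + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01" + b"\xc0\x0c"  # answer points back to 12
SELF_LOOP = HDR + b"\xc0\x0c"                             # pointer at 12 pointing to itself
OUT_OF_RANGE = HDR + b"\x03www\xc0\xff"                   # pointer to byte 255, past the end
BAD_LABEL = HDR + b"\x7fxyz"                              # 0x7f is neither pointer nor legal length
```

`read_name(GOOD, 33)` follows the pointer at offset 33 back to the question name and resumes at 35, while each of the malformed samples raises `BadName` instead of reading outside the message.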
The Full List of NAME:WRECK Bugs
Here is the full list of the NAME:WRECK-type vulnerabilities that have been discovered:
- CVE-2020-7461: A message-compression flaw affecting devices that run FreeBSD. It can result in RCE (CVSS severity rating 7.7);
- CVE-2016-20009: Another message-compression vuln. This one affects devices with IPnet and can also lead to RCE (CVSS severity rating 9.8);
- CVE-2020-15795: A domain name label-parsing flaw found in devices running Nucleus NET. It can be exploited for RCE (CVSS severity rating 8.1);
- CVE-2020-27009: A message-compression vulnerability affecting devices running Nucleus NET. It can result in RCE (CVSS severity rating 8.1);
- CVE-2020-27736: A VDomain name label-parsing flaw affecting Nucleus NET devices. It can be used for DoS (CVSS severity rating 6.5);
- CVE-2020-27737: Another VDomain name label-parsing bug affecting Nucleus NET devices. It can lead to DoS (CVSS severity rating 6.5);
- CVE-2020-27738: A message-compression bug present in devices running Nucleus NET. It can be used for DoS (CVSS severity rating 6.5);
- CVE-2021-25677: A transaction-ID flaw present on devices with Nucleus NET. It can result in DNS cache poisoning (CVSS severity rating 5.3);
- CVE-unassigned flaw: A message-compression bug present on devices with NetX. Like the previous one, it can lead to DNS cache-poisoning attacks (CVSS severity rating 6.5).
Mitigating the Vulnerabilities
To help mitigate these flaws, the researchers suggest that both users and the IT security teams of companies and organizations compile a complete inventory of the devices connected to their infrastructure that are susceptible to the NAME:WRECK bugs and monitor those devices closely. If security updates are available for them, those need to be installed ASAP.
It is also suggested that device- and network-segmentation controls be implemented. Additionally, it is a good idea to restrict or minimize communication from outside the network to the vulnerable devices until patches arrive and are installed on them.
One other important step is to configure the vulnerable devices to use internal servers, and to monitor traffic within the network for malicious packets that may be trying to exploit these DNS and TCP/IP vulns.