Researchers at Forescout and JSOF have disclosed a new set of nine vulnerabilities, collectively named NAME:WRECK. They potentially affect around 100 million devices worldwide, from IoT products to the servers that run IT infrastructure. Patches have already been released, and the Forescout team is also providing tools to help others find similar problems.

Problem and potential dangers

The NAME:WRECK vulnerabilities were found in four TCP/IP stacks, the software components that implement the network protocols a device uses to communicate over the Internet: the networking stack of the open-source FreeBSD operating system, Nucleus NET (part of the Nucleus real-time operating system maintained by Siemens), Wind River's IPnet and the NetX stack of Microsoft's Azure RTOS. All nine vulnerabilities lie in how these stacks implement the Domain Name System (DNS).

The vulnerabilities allow an attacker either to knock a device off the network (denial of service) or, in the worst case, to execute code on it remotely and take control of it. This is especially dangerous in critical infrastructure, healthcare and manufacturing: an attack on a connected device or IT server can disrupt the whole system it belongs to, or serve as a foothold for moving deeper into the network.
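To make the bug class concrete: NAME:WRECK is about how these stacks parse DNS messages, and in particular the message-compression scheme of RFC 1035, in which a name may end in a two-byte "pointer" to an earlier offset in the same message instead of being spelled out. A parser that trusts the length bytes and pointers in a response can be made to read past the end of the message (a crash, the denial-of-service case above), to loop forever on a pointer that refers to itself, or to copy an unbounded name into a fixed-size buffer (the memory-corruption route to remote code execution). The following C code is an added example written for this page, not code from Forescout, JSOF or any of the affected stacks, and the sample message in it is constructed, not captured. It shows a name decoder with the checks a hardened implementation needs: every read bounds-checked against the message length, pointers required to point strictly backwards (which rules out self-pointers, mutual loops and forward references without a hop counter), reserved label types rejected, and the RFC 1035 limits of 63 bytes per label and 255 bytes per name enforced alongside the caller's output buffer. The same checks, run over captured DNS responses, are the kind of predictable signal the Solutions section below says makes these attacks detectable.

```c
/* Added example for this page, not code from Forescout, JSOF or any
 * affected TCP/IP stack: a hardened decoder for DNS names that may use
 * RFC 1035 message compression. All names and data here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 2.3.4: whole name on the wire, incl. root */

typedef enum {
    DNS_NAME_OK = 0,
    DNS_NAME_ERR_TRUNCATED,  /* a read would go past the end of the message */
    DNS_NAME_ERR_LABEL_TYPE, /* top bits 01 or 10: reserved, neither label nor pointer */
    DNS_NAME_ERR_NAME_LEN,   /* decoded name longer than 255 bytes on the wire */
    DNS_NAME_ERR_POINTER,    /* pointer does not point strictly backwards */
    DNS_NAME_ERR_OUTBUF      /* caller's buffer too small for the text form */
} dns_name_status;

/* Decode the name at msg[off] into a dotted, NUL-terminated string. On success
 * *consumed (if non-NULL) is the size of the name field in the record: up to
 * and including the first pointer, or the terminating zero byte. */
dns_name_status dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off,
                                char *out, size_t out_len, size_t *consumed)
{
    size_t pos = off, out_pos = 0;
    size_t wire_len = 0;   /* length the name would have if fully spelled out */
    size_t field_end = 0;  /* offset just past the name field that starts at off */
    int jumped = 0;

    if (out_len == 0) return DNS_NAME_ERR_OUTBUF;
    out[0] = '\0';
    for (;;) {
        if (pos >= msg_len) return DNS_NAME_ERR_TRUNCATED;
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                      /* compression pointer */
            if (pos + 1 >= msg_len) return DNS_NAME_ERR_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            /* target < pos makes every jump strictly backwards, so self-pointers,
             * mutual loops and forward pointers into unparsed data are rejected. */
            if (target >= pos) return DNS_NAME_ERR_POINTER;
            if (!jumped) { field_end = pos + 2; jumped = 1; }
            pos = target;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_ERR_LABEL_TYPE;  /* 0x40 / 0x80 */
        /* Ordinary label (top bits 00, so 1..63 bytes) or the root label. */
        wire_len += 1 + len;
        if (wire_len > DNS_MAX_NAME) return DNS_NAME_ERR_NAME_LEN;
        if (len == 0) {                                  /* root: name complete */
            if (!jumped) field_end = pos + 1;
            break;
        }
        if (pos + 1 + len > msg_len) return DNS_NAME_ERR_TRUNCATED;
        if (out_pos > 0) {                               /* label separator */
            if (out_pos + 1 >= out_len) return DNS_NAME_ERR_OUTBUF;
            out[out_pos++] = '.';
        }
        if (out_pos + len >= out_len) return DNS_NAME_ERR_OUTBUF;
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        out[out_pos] = '\0';
        pos += 1 + len;
    }
    if (consumed) *consumed = field_end - off;
    return DNS_NAME_OK;
}

/* Constructed sample message (not a capture): 12-byte header, then name
 * encodings at known offsets, some valid and some malicious. */
static const uint8_t SAMPLE_MSG[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,                        /* 0: header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* 12: www.example.com */
    4,'m','a','i','l', 0xC0,16,   /* 29: "mail" + pointer to offset 16 ("example.com") */
    0xC0,36,                      /* 36: pointer to itself */
    0xC0,40, 0xC0,38,             /* 38 and 40: pointers to each other */
    0x40,'x',                     /* 42: reserved label type */
    10,'c','u','t'                /* 44: claims 10 bytes, message ends after 3 */
};
#define SAMPLE_MSG_LEN (sizeof SAMPLE_MSG)

static char g_name[DNS_MAX_NAME + 1];
static size_t g_consumed;

/* Decode the name at `off` in SAMPLE_MSG, treating the message as msg_len bytes
 * long; the text lands in g_name and the field size in g_consumed. */
dns_name_status decode_sample(size_t off, size_t msg_len)
{
    g_consumed = 0;
    return dns_name_decode(SAMPLE_MSG, msg_len, off, g_name, sizeof g_name, &g_consumed);
}
const char *last_name(void)     { return g_name; }
size_t      last_consumed(void) { return g_consumed; }

/* Four 63-byte labels: 256 wire bytes before the root, over the 255 limit. */
dns_name_status decode_overlong(void)
{
    uint8_t msg[4 * 64 + 1];
    char out[320];
    for (int i = 0; i < 4; i++) { msg[i * 64] = 63; memset(msg + i * 64 + 1, 'a', 63); }
    msg[256] = 0;
    return dns_name_decode(msg, sizeof msg, 0, out, sizeof out, NULL);
}

/* The valid name at offset 12, but the caller only has room for 8 characters. */
dns_name_status decode_small_buffer(void)
{
    char out[8];
    return dns_name_decode(SAMPLE_MSG, SAMPLE_MSG_LEN, 12, out, sizeof out, NULL);
}

int main(void)
{
    static const size_t offsets[] = { 12, 29, 36, 38, 40, 42, 44 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        dns_name_status st = decode_sample(offsets[i], SAMPLE_MSG_LEN);
        printf("offset %2zu: status %d %s\n", offsets[i], (int)st,
               st == DNS_NAME_OK ? g_name : "(rejected)");
    }
    return 0;
}
```

The backwards-only rule is stricter than RFC 1035 strictly requires (the RFC only says a pointer refers to a "prior occurrence"), but every real compressed name satisfies it, and it turns loop detection into a single comparison instead of a hop counter that has to be tuned and remembered. Note also that the name-length check is applied to the uncompressed length, so a chain of pointers cannot be used to assemble a name longer than 255 bytes from short, individually valid fragments.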

All nine vulnerabilities have been patched. That does not mean the problem is fixed on real devices, however: many devices in the field run older versions of these stacks. Some manufacturers provide no mechanism for updating this code at all; others ship it inside a third-party component they do not control, and so cannot patch it themselves.

Causes of security problems

According to Elisa Costante, vice president of research at Forescout, the project analyzed more than 15 proprietary and open-source TCP/IP stacks and found that they all share similar weaknesses. Knowing the pattern makes analyzing new stacks easier, Costante says, and warns other researchers and developers about the recurring problems.

The researchers have not yet seen evidence of real attacks exploiting the new vulnerabilities. But given that the affected stacks are built into hundreds of millions, possibly billions, of devices, the potential impact is global.

Kurt John, chief cybersecurity officer at Siemens USA, told WIRED that the company is working closely with governments and industry partners to mitigate the impact of the vulnerabilities.

The research was coordinated with the vendors who developed the patches, with the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security, and with other organizations involved in tracking vulnerabilities.

Similar bugs have turned up before in other proprietary and open-source TCP/IP stacks; such flaws are common in network-protocol implementations. The reason is legacy code: the stacks evolved on top of foundations written decades ago that have hardly been revisited since.

Ang Cui, CEO of the IoT security company Red Balloon Security, says these devices run code written 20 years ago. It works, but it was never designed to be safe once exposed to the Internet. Cui argues this is not surprising: at the time, computer security was viewed very differently.

Solutions

The same vulnerable code keeps reappearing, and the security industry has yet to solve the problem. According to Kenn White, co-director of the Open Crypto Audit Project, this is largely because there is little economic incentive to improve the quality of legacy code.

But there is good news as well.

  • Patches are already available, even though it will take a long time for them to reach every affected device.
  • Interim measures also reduce the risk: keep as many devices as possible off direct Internet exposure, have them resolve names through an internal DNS server rather than external resolvers, and monitor the DNS traffic that does leave the network.
  • According to Forescout's Costante, exploits for these vulnerabilities will follow predictable enough patterns to make them easier to detect.
  • Forescout has released an open-source script that helps network administrators identify IoT devices and servers in their environment that may be running a vulnerable stack.
  • The company also maintains an open library of code-analysis queries that researchers and developers can use to find similar DNS-related bugs in other code bases.

According to Costante, the problem is widespread and affects many types of devices, which is why Forescout is actively publicizing it.