lswcap
Forescout, a provider of security solutions for the Internet of Things and industrial devices, has reported the existence of a vulnerability called NAME: WRECK that will affect millions of Internet of Things and industrial devices.
It was discovered by Project Memoria, a Forescout internal research program, and relates to the TCP/IP stack. The TCP/IP stack is a summary of the program for the TCP/IP communication protocol required to create apps that communicate over a LAN, and is a library that vendors have added to their firmware to support device Internet connectivity and other network functions.
This library is small and in most cases supports the most basic functions of the device. However, by using NAME : WRECK, it is possible for a malicious attacker to remotely attack a user through the TCP/IP stack. NAME: WRECK is the fifth set of vulnerabilities affecting the TCP/IP stack that have been released for the past three years. In addition to NAME: WRECK, vulnerabilities were discovered in investigations related to various mechanisms of TCP/IP communication, but NAME: WRECK was discovered not in TCP/IP communication, but in the method of handling the library DNS traffic used for them.
More precisely, the team investigated how DNS protocol message compression could be implemented across the TCP/IP stack. DNS server responses often contain multiple domain names, and some are repeated. Therefore, by using the message compression function, the DNS server can prevent duplication of the same domain name and reduce the response size.
A Project Memoria study of the message compression feature found 9 vulnerabilities affecting 7 out of 15 TCP/IP stacks.
Meanwhile, some TCP/IP stacks (FNET, cycloneTCP, uC/TCP-IP, FreeRTOS+TCP, Zephyr, OpenThread) have been found to safely implement the message compression function. Also, since the two stacks (Nut/Net, lwIP) do not support message compression, they are not affected by the vulnerability.
Forescout reports issues to developers of 4 affected TCP/IP stacks NAME : WRECK, but only 3 have released patches (FreeBSD, Nucleus NET, NetX).
Several TCP/IP stacks are releasing patches, so it seems reassuring, but in reality, the situation is far from perfect. The reason is that it takes a long time for vendors to release their own firmware updates that incorporate patches to apply patches to IoT and industrial devices. In addition, the manufacturer releases a firmware update that supports the patch, and the customer does not necessarily perform the update. Since IoT and industrial equipment using TCP/IP stack are deployed in many remote locations, it is difficult to update if they do not respond to FOTA.
Originally, some device owners aren’t even aware that their servers, smart devices, and industrial devices are using the TCP/IP stack. Therefore, it is pointed out that unfortunately many devices may remain vulnerable to attacks using NAME:WRECK.
NAME: WRECK is said to have some patterns that require the ability to manipulate victim DNS traffic, but there are also vulnerabilities that require the sending of an incorrect DNS response to a vulnerable system to allow a focused remote attack. In addition, it is said that most of the TCP/IP stack vulnerabilities discovered in this investigation come from misinterpretation of DNS standards on the part of vendors. Therefore, he points out that we may need to ask ourselves whether the DNS standard itself is too complex. Related information can be found here.
Add comment