In real-world attacks, “a simple scenario… would have an attacker infiltrating a manufacturing network via an RCE on an exposed IoT device then causing a production line to stop by causing a DoS on an industrial controller,” Daniel dos Santos, research manager at Forescout Research Labs, said. “Similarly, the attacker could switch off the lights of a target company by leveraging a vulnerable building automation controller.”
Many of the Name: Wreck vulnerabilities stem from DNS implementations of a protocol feature called message compression. Message compression reduces the size of DNS messages, due to DNS response packets often including the same domain name. This compression mechanism has been problematic to implement on products for 20 years, said researchers, causing issues on DNS servers, enterprise devices and, more recently, TCP/IP stacks. Forescout researchers disclosed three flaws relating to message compression during previous research into TCP/IP vulnerabilities (particularly the Ripple20 and AMNESIA:33 sets of flaws). Consequently, they hunted for other similar types of flaws in other protocol stacks.
As part of the ensuing Name: Wreck research, researchers found DNS message compression vulnerabilities in four popular TCP/IP stacks, including FreeBSD (version 12.1), IPnet (version VxWorks 6.6), NetX (version 6.0.1) and Nucleus Net (version 4.3). The most critical flaws exist in FreeBSD, popular IT software used by high-performance servers in millions of IT networks, including major websites such as Netflix and Yahoo; and in Siemens’ Nucleus NET firmware, which has been used for decades by critical OT and Internet-of-Things (IoT) devices.