Vulnerabilities in FreeBSD, IPnet and Nucleus NET related to errors in the implementation of DNS compression

Forescout Research Labs and JSOF Research have published the results of a collaborative study on the security of different implementations of a compression scheme used to pack duplicate names in DNS, mDNS, DHCP, and IPv6 RA messages (packing duplicate domain parts in messages that include multiple names). In the course of the work carried out, 9 vulnerabilities were identified, which are summarized under the code name NAME: WRECK.

Problems have been identified in FreeBSD, as well as in the IPnet, Nucleus NET, and NetX networking subsystems that have become widespread in the VxWorks, Nucleus, and ThreadX real-time operating systems used in automation devices, storage, medical devices, avionics, printers, and consumer electronics. It is estimated that at least 100 million devices are affected by the vulnerabilities.

  • A vulnerability in FreeBSD (CVE-2020-7461) allowed an attacker located on the same local network as the victim to execute arbitrary code by sending a specially crafted DHCP packet, the processing of which by the vulnerable DHCP client led to a buffer overflow. The problem was mitigated by the fact that the dhclient process in which the vulnerability exists runs with dropped privileges inside an isolated Capsicum sandbox, escaping which would require a second vulnerability.

    The root cause is incorrect validation of the parameters in a packet returned by the DHCP server with DHCP option 119, which is used to pass the "domain search" list to the resolver. An incorrect calculation of the buffer size needed to hold the unpacked domain names resulted in attacker-controlled data being written outside the allocated buffer. FreeBSD fixed the problem back in September of last year. The problem can only be exploited with access to the local network.

  • A vulnerability in the embedded IPnet networking stack used in the VxWorks RTOS potentially allows code execution on the DNS client side due to improper handling of DNS message compression. As it turned out, this vulnerability was first identified by Exodus back in 2016 but was never fixed. A new request to Wind River also went unanswered, and devices using IPnet remain vulnerable.
  • Six vulnerabilities were identified in the Nucleus NET TCP/IP stack maintained by Siemens, two of which could lead to remote code execution and four to denial of service. The first of the dangerous problems stems from an error when unpacking compressed DNS messages, and the second from incorrect parsing of domain name labels. Both issues result in buffer overflows when processing specially crafted DNS responses.

    To exploit the vulnerabilities, an attacker only needs to send a specially crafted response to any legitimate request sent from a vulnerable device, for example by conducting a MITM attack and inserting themselves into the traffic between the DNS server and the victim. If the attacker has access to the local network, they can run a DNS server that attacks vulnerable devices by sending mDNS queries in broadcast mode.

  • A vulnerability in the NetX networking stack (Azure RTOS NetX), developed for the ThreadX RTOS and identified in 2019 after the project came under Microsoft's control, is limited to denial of service. The problem is caused by a bug in the parsing of compressed DNS messages in the resolver implementation.
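All of the bugs above share one root: the code that expands RFC 1035 compressed names trusted the packet's own length and pointer fields when sizing or filling a buffer. As an added illustration (not code from the article or from FreeBSD, IPnet, Nucleus NET or NetX), the following C program decodes compressed names the defensive way: the space needed for each expanded label is computed and checked before any byte is written, a compression pointer must reference an earlier offset (which rules out loops and forward references), and both label length and total name length are bounded. The search-list helper applies the same decoder to a DHCP option 119 payload, the format in which the FreeBSD dhclient bug was triggered. The sample bytes, function names and error codes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Error codes returned by the decoder (all negative); names are ours. */
enum {
    DNS_OK            =  0,
    DNS_ERR_TRUNCATED = -1,  /* label or pointer runs past the end of the message */
    DNS_ERR_LABEL     = -2,  /* label longer than 63 bytes, or reserved 0x40/0x80 type */
    DNS_ERR_LOOP      = -3,  /* pointer that does not point strictly backwards */
    DNS_ERR_TOOLONG   = -4,  /* expanded name exceeds 255 wire bytes (RFC 1035) */
    DNS_ERR_OUTBUF    = -5   /* caller's text buffer is too small */
};

/* Decode one possibly compressed name at msg[off] into dotted text.
 * Every write into `out` is preceded by a capacity check derived from the
 * actual label length, so the expanded size can never exceed out_len.
 * On success stores in *consumed the number of bytes at `off` that belong
 * to this name (up to and including the root label or the first pointer). */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len, size_t *consumed)
{
    size_t pos = off, out_pos = 0, wire_len = 0, end = 0;
    int jumped = 0;

    for (;;) {
        if (pos >= msg_len) return DNS_ERR_TRUNCATED;
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (pos + 1 >= msg_len) return DNS_ERR_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) { end = pos + 2; jumped = 1; }
            /* Only earlier offsets may be referenced; pos then strictly
             * decreases, so a cycle or forward reference is impossible. */
            if (target >= pos) return DNS_ERR_LOOP;
            pos = target;
            continue;
        }
        if (len & 0xC0) return DNS_ERR_LABEL;        /* reserved label types */
        if (len == 0) {                              /* root label: name complete */
            if (!jumped) end = pos + 1;
            break;
        }
        if (len > 63) return DNS_ERR_LABEL;
        if (pos + 1 + len > msg_len) return DNS_ERR_TRUNCATED;

        wire_len += len + 1;                         /* length byte + label */
        if (wire_len + 1 > 255) return DNS_ERR_TOOLONG;   /* +1 for the root label */

        /* Capacity check before copying: label, '.', and the terminating NUL. */
        if (out_pos + len + 2 > out_len) return DNS_ERR_OUTBUF;
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        out[out_pos++] = '.';
        pos += 1 + len;
    }

    if (out_pos == 0) {                              /* root name "." */
        if (out_len < 2) return DNS_ERR_OUTBUF;
        out[0] = '.'; out[1] = '\0';
    } else {
        out[out_pos - 1] = '\0';                     /* drop the trailing dot */
    }
    if (consumed) *consumed = end - off;
    return DNS_OK;
}

/* Expand a whole search list (DHCP option 119 uses the same RFC 1035
 * compression, with pointers relative to the start of the option data)
 * into space-separated text. Returns the number of names or a negative error. */
int dns_search_list_expand(const uint8_t *opt, size_t opt_len,
                           char *out, size_t out_len)
{
    size_t off = 0, out_pos = 0, used;
    int count = 0;
    while (off < opt_len) {
        if (count > 0) {
            if (out_pos + 2 > out_len) return DNS_ERR_OUTBUF;
            out[out_pos++] = ' ';
        }
        int rc = dns_name_decode(opt, opt_len, off, out + out_pos, out_len - out_pos, &used);
        if (rc != DNS_OK) return rc;
        out_pos += strlen(out + out_pos);
        off += used;
        count++;
    }
    if (count == 0) { if (out_len < 1) return DNS_ERR_OUTBUF; out[0] = '\0'; }
    return count;
}

/* Constructed sample option 119 data: "example.com" followed by
 * "sub" plus a pointer back to offset 0. */
static const uint8_t sample_opt119[] = {
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    3,'s','u','b', 0xC0, 0x00
};

int main(void)
{
    char buf[64];
    int n = dns_search_list_expand(sample_opt119, sizeof sample_opt119, buf, sizeof buf);
    printf("%d names: %s\n", n, buf);   /* 2 names: example.com sub.example.com */
    return 0;
}
```

The decoder deliberately reports an error instead of truncating or skipping: in a DHCP client or resolver, a name that fails any of these checks should cause the whole message to be discarded, since the remaining fields can no longer be located reliably.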

Among the tested network stacks in which no vulnerabilities related to the compression of repeated data in DNS messages were found are lwIP, Nut/Net, Zephyr, uC/TCP-IP, FreeRTOS+TCP, OpenThread and FNET. The first two (Nut/Net and lwIP) do not support compression in DNS messages at all, while the rest implement it without errors. It is also noted that the same researchers previously identified similar vulnerabilities in the Treck, uIP and PicoTCP stacks.

Source: opennet.ru