Forescout finds NAME:WRECK vulnerabilities in four TCP/IP stacks affecting OT firmware


Forescout Research Labs and JSOF Research revealed the presence of NAME:WRECK, a set of nine vulnerabilities affecting four TCP/IP stacks – FreeBSD, Nucleus NET, IPnet and NetX. The vulnerabilities relate to Domain Name System (DNS) implementations, causing either Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take target devices offline or to take control over them.

The NAME:WRECK vulnerabilities appear in IT software (FreeBSD) and in IoT/OT firmware, such as Siemens’ Nucleus NET. FreeBSD is used for high-performance servers in millions of IT networks, including websites such as Netflix and Yahoo. FreeBSD is also the basis for other open-source projects. Nucleus NET has been used for decades in several critical OT (operational technology) and IoT devices.

Forescout Research said in a blog post that the widespread use of these stacks, together with the fact that vulnerable DNS clients are often reachable from external networks, dramatically increases the attack surface.

Of particular interest is that exploiting NAME:WRECK follows the same basic procedure on every affected stack: the attacker has to get a crafted DNS response in front of the vulnerable client, whether by spoofing a reply or by controlling the DNS server the device talks to. “This means that the same detection technique used to identify exploitation of NAME:WRECK also will work to detect exploitation on other TCP/IP stacks and products that we could not yet analyze,” according to Forescout.
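The flaws in this set live in how each stack parses domain names in DNS messages, largely in the handling of RFC 1035 message-compression pointers, which is why one set of checks on inbound DNS traffic covers every affected stack. The following Python is an added example written for this article, not Forescout's or JSOF's detection code: it validates every name in a DNS message the way a hardened client should (pointers must land strictly before any offset already visited, label and total-name length limits are enforced, and every read is bounds-checked against the packet), and reports findings for responses that would trip a lax parser. The sample packets, the name `www.example.com` and the answer address are constructed here as placeholders.

```python
"""Validate DNS wire-format names and flag responses that abuse compression.

Constructed example for illustration; not code from Forescout, JSOF or any
of the affected projects. Sample packets below are hand-built.
"""
import struct

MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
NAME_RDATA_TYPES = {2: "NS", 5: "CNAME", 12: "PTR"}  # RDATA is one (possibly compressed) name


class MalformedName(ValueError):
    """A name violates RFC 1035 section 4.1.4 or the bounds of the message."""


def read_name(msg, offset):
    """Return (dotted name, offset just past the name in the wire stream).

    Every compression pointer must point strictly before the lowest offset
    visited so far, which rules out forward pointers and pointer loops
    without needing a hop counter: `lowest` decreases on each jump.
    """
    labels = []
    total = 0           # bytes of labels seen so far (length byte + label)
    pos = offset
    end = None          # set on the first pointer or on the terminating zero
    lowest = offset
    while True:
        if pos >= len(msg):
            raise MalformedName(f"name at {offset}: length byte at {pos} is past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            if pos + 1 >= len(msg):
                raise MalformedName(f"name at {offset}: truncated pointer at {pos}")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if target >= lowest:
                raise MalformedName(
                    f"name at {offset}: pointer at {pos} -> {target} is not strictly backwards (loop/forward)")
            lowest = pos = target
            continue
        if length & 0xC0:
            raise MalformedName(f"name at {offset}: reserved label type 0x{length:02x} at {pos}")
        if length == 0:
            if end is None:
                end = pos + 1
            break
        if length > MAX_LABEL_LEN:
            raise MalformedName(f"name at {offset}: label length {length} exceeds {MAX_LABEL_LEN}")
        total += length + 1
        if total + 1 > MAX_NAME_LEN:
            raise MalformedName(f"name at {offset}: name exceeds {MAX_NAME_LEN} bytes")
        if pos + 1 + length > len(msg):
            raise MalformedName(f"name at {offset}: label at {pos} runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", end


def check_response(msg):
    """Walk a whole DNS message; return a list of findings (empty means clean)."""
    findings = []
    if len(msg) < 12:
        return ["header truncated"]
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos = 12
    try:
        for _ in range(qd):
            _, pos = read_name(msg, pos)
            pos += 4                                   # QTYPE + QCLASS
            if pos > len(msg):
                raise MalformedName("question section truncated")
        for _ in range(an + ns + ar):
            _, pos = read_name(msg, pos)               # owner name
            if pos + 10 > len(msg):
                raise MalformedName(f"RR header at {pos} truncated")
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            if pos + rdlen > len(msg):
                raise MalformedName(f"RDATA length {rdlen} at {pos} exceeds message")
            if rtype in NAME_RDATA_TYPES:
                _, rdata_end = read_name(msg, pos)
                if rdata_end != pos + rdlen:
                    raise MalformedName(f"{NAME_RDATA_TYPES[rtype]} RDATA length {rdlen} does not match its name")
            pos += rdlen
    except MalformedName as exc:
        findings.append(str(exc))
    return findings


def encode_name(name):
    """Uncompressed wire encoding of a dotted name."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_message(question, answers):
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + encode_name(question) + struct.pack("!HH", 1, 1) + b"".join(answers)


# Constructed samples. The question name occupies offsets 12..28, so the first RR starts at 33.
A_RDATA = struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
CLEAN = build_message("www.example.com", [b"\xc0\x0c" + A_RDATA])          # owner = pointer to 12
SELF_LOOP = build_message("www.example.com", [b"\xc0\x21" + A_RDATA])      # owner = pointer to 33 (itself)
OVERRUN = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + b"\x20www\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN), ("self-loop", SELF_LOOP), ("overrun", OVERRUN)):
        print(label, check_response(pkt) or "ok")
```

The `lowest` rule is stricter than "pointer points backwards": a pointer that merely points to an earlier byte can still form a loop through an intermediate label, which is exactly the kind of input a naive stack chases until it hangs or overruns a buffer. Run over a DNS capture or fed by a passive tap, any non-empty finding list is worth an alert, since well-formed responses from real resolvers never produce one.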

Organizations in the healthcare and government sectors are likely to be the most affected, because of how widely they deploy devices built on the affected stacks. “If we conservatively assume that 1% of the more than 10 billion deployments discussed above are vulnerable, we can estimate that at least 100 million devices are impacted by NAME:WRECK,” Forescout said in the post.

“A cyberattack on industrial devices is something that should be taken just as seriously as attacks on IT infrastructure,” PJ Norris, Tripwire’s senior systems engineer, said in an emailed statement. “Just because OT networks are generally segregated from the outer world, doesn’t mean they are secure. With the convergence of IT and OT responsibilities, we are starting to see IT networks become part of the OT infrastructure at a very high level.”

Attacks on OT infrastructure have a more serious impact because they have a direct effect on people's lives, Norris said. “If a cyberattack on an OT network takes place it could result in people being without electricity, manufacturing systems going down, and the like that put people’s lives at risk,” he added.

Siemens released several security advisories warning users in the critical manufacturing sector about the NAME:WRECK vulnerabilities. Affected products include Nucleus ReadyStart, Nucleus NET, Nucleus RTOS, Nucleus 4 and VSTAR, as well as the Nucleus source code.

In addition, Siemens published advisories for security weaknesses present in a number of products, including TIM 4R-IE, SCALANCE X-200, LOGO! Soft Comfort, Siveillance Video Open Network Bridge (ONVIF), Opcenter Quality, Solid Edge, QMS Automotive, Control Center Server (CCS), Tecnomatix RobotExpert, and SINEMA Remote Connect Server products. 

The German conglomerate released patches for some of the impacted products, and it has also provided workarounds and mitigations to reduce the risk until a patch can be installed or becomes available. In January, Siemens had likewise issued advisories for products affected by DNSpooq, a set of seven vulnerabilities that JSOF found in the open-source DNS forwarder Dnsmasq.

Complete protection against the NAME:WRECK vulnerabilities requires patching devices that run the vulnerable versions of the IP stacks, according to Forescout. FreeBSD, Nucleus NET and NetX have recently been patched, and device vendors that build on these stacks should provide their own updates to customers.

Users are also advised to reduce their exposure to the NAME:WRECK vulnerabilities by limiting the network exposure of critical vulnerable devices using network segmentation, relying on internal DNS servers, and patching devices whenever vendors release advisories, Forescout added.
