Pierluigi Paganini
April 13, 2021
Security researchers disclosed nine vulnerabilities, collectively tracked as NAME:WRECK, that affect implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.
The flaws were discovered by researchers from the security firm Forescout and Israeli security research teamJSOF.
The vulnerabilities could allow attackers to take full control over the device or to take them offline, the full list of flaws discovered by the experts is reported in the following table:
| CVE ID | Stack | Description | Affected feature | Potential Impact | Severity Score |
| CVE-2020-7461 | FreeBSD | -boundary error when parsing option 119 data in DHCP packets in dhclient(8)- attacker on the network can send crafted data to DHCP client | Message compression | RCE | 7.7 |
| CVE-2016-20009 | IPnet | – stack-based overflow on the message decompression function | Message compression | RCE | 9.8 |
| CVE-2020-15795 | Nucleus NET | – DNS domain name label parsing functionality does not properly validate the names in DNS responses- parsing malformed responses could result in a write past the end of an allocated structure | Domain name label parsing | RCE | 8.1 |
| CVE-2020-27009 | Nucleus NET | – DNS domain name record decompression functionality does not properly validate the pointer offset values- parsing malformed responses could result in a write past the end of an allocated structure | Message compression | RCE | 8.1 |
| CVE-2020-27736 | Nucleus NET | – DNS domain name label parsing functionality does not properly validate the name in DNS responses- parsing malformed responses could result in a write past the end of an allocated structure | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27737 | Nucleus NET | – DNS response parsing functionality does not properly validate various length and counts of the records- parsing malformed responses could result in a read past the end of an allocated structure | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27738 | Nucleus NET | – DNS domain name record decompression functionality does not properly validate the pointer offset values- parsing malformed responses could result in a read access past the end of an allocated structure | Message compression | DoS | 6.5 |
| CVE-2021-25677 | Nucleus NET | – DNS client does not properly randomize DNS transaction ID (TXID) and UDP port numbers | Transaction ID | DNS cache poisoning/spoofing | 5.3 |
| * | NetX | – two functions in the DNS resolver fo not check that the compression pointer does not equal the same offset currently being parsed, potentially leading to infinite loop | Message compression | DoS | 6.5 |
“Forescout Research Labs, partnering with JSOF Research, disclosed NAME:WRECK, a set of Domain Name System (DNS) vulnerabilities that have the potential to cause either Denial of Service (DoS) or Remote Code Execution, allowing attackers to take targeted devices offline or to gain control over them.” reads the analysis published by Forescout. “The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface.”
Three TCP/IP stacks were vulnerable to DNS message compression-related bugs discovered in previous research projects like Ripple 20 and Amnesia:33, while four TCP/IP stacks were vulnerable to new bugs discovered during the more recent NAME:WRECK research push.
The researchers focus their analysis on the “message compression” feature of the DNS protocol and its implementation across TCP/IP stacks.
Forescout researchers discovered that the nine vulnerabilities impact seven of the 15 TCP/IP stacks they analyzed.
Experts pointed out that the DNS response packets can include the same domain name or a part of it several times,
the DNS message compression allows DNS servers to reduce the size of DNS replies by eliminating duplication of the domain names.
The same encoding is adopted in multicast DNS (mDNS), DHCP clients, and IPv6 router advertisements, but experts explained that several protocols do not officially support this compression because of code reuse or a specific understanding of the specifications-
“DNS compression is neither the most efficient compression method nor the easiest to implement. As evidenced by the historical vulnerabilities shown in Table 1, this compression mechanism has been problematic to implement for 20 years on a diverse range of products, such as DNS servers, enterprise devices (e.g., the Cisco IP phone) and, more recently, the TCP/IP stacks Treck, uIP and PicoTCP.” reads the report published by the researchers.
The study conducted by the researchers provides technical details about the exploitation of vulnerabilities.
The researchers also described several recurring implementation issues within DNS message parsers, referred by the experts as anti-patterns (AP) that could cause the NAME:WRECK flaws.
The anti-patterns descrived in the paper are:
The NAME:WRECK vulnerabilities have been already addressed in FreeBSD, Nucleus NET, and NetX.
Forescout researchers released two open-source tools that can determine the presence on a target network of devices running a specific embedded TCP/IP stack (Project Memoria Detector) and for detecting NAME:WRECK-like flaws.
“NAME:WRECK is a case where bad implementations of a specific part of an RFC can have disastrous consequences that spread across different parts of a TCP/IP stack and then different products using that stack.” concludes the report. “It is noteworthy that when a stack has a vulnerable DNS client, there are often several vulnerabilities together, but the message compression anti-pattern stands out because it commonly leads to potential RCEs, as it is often associated with pointer manipulation and memory operations.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Hades ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
