
Millions of devices impacted by NAME:WRECK flaws

Security experts disclosed nine flaws, collectively tracked as NAME:WRECK, affecting implementations of the DNS protocol in popular TCP/IP network communication stacks.

Security researchers disclosed nine vulnerabilities, collectively tracked as NAME:WRECK, that affect implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

The flaws were discovered by researchers from the security firm Forescout and the Israeli security research team JSOF.

The vulnerabilities could allow attackers to take full control of a device or to take it offline. The full list of flaws discovered by the experts is reported in the following table:

| CVE ID | Stack | Description | Affected feature | Potential impact | Severity score |
|---|---|---|---|---|---|
| CVE-2020-7461 | FreeBSD | Boundary error when parsing option 119 data in DHCP packets in dhclient(8); an attacker on the network can send crafted data to the DHCP client | Message compression | RCE | 7.7 |
| CVE-2016-20009 | IPnet | Stack-based overflow in the message decompression function | Message compression | RCE | 9.8 |
| CVE-2020-15795 | Nucleus NET | DNS domain name label parsing functionality does not properly validate the names in DNS responses; parsing malformed responses could result in a write past the end of an allocated structure | Domain name label parsing | RCE | 8.1 |
| CVE-2020-27009 | Nucleus NET | DNS domain name record decompression functionality does not properly validate the pointer offset values; parsing malformed responses could result in a write past the end of an allocated structure | Message compression | RCE | 8.1 |
| CVE-2020-27736 | Nucleus NET | DNS domain name label parsing functionality does not properly validate the name in DNS responses; parsing malformed responses could result in a write past the end of an allocated structure | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27737 | Nucleus NET | DNS response parsing functionality does not properly validate the various length and count fields of the records; parsing malformed responses could result in a read past the end of an allocated structure | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27738 | Nucleus NET | DNS domain name record decompression functionality does not properly validate the pointer offset values; parsing malformed responses could result in a read past the end of an allocated structure | Message compression | DoS | 6.5 |
| CVE-2021-25677 | Nucleus NET | DNS client does not properly randomize the DNS transaction ID (TXID) and UDP port numbers | Transaction ID | DNS cache poisoning/spoofing | 5.3 |
| * | NetX | Two functions in the DNS resolver do not check that a compression pointer does not equal the offset currently being parsed, potentially leading to an infinite loop | Message compression | DoS | 6.5 |

* No CVE ID is listed for the NetX flaw.

“Forescout Research Labs, partnering with JSOF Research, disclosed NAME:WRECK, a set of Domain Name System (DNS) vulnerabilities that have the potential to cause either Denial of Service (DoS) or Remote Code Execution, allowing attackers to take targeted devices offline or to gain control over them.” reads the analysis published by Forescout. “The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface.”


Three of the TCP/IP stacks were vulnerable to DNS message compression bugs already found in previous research projects such as Ripple20 and Amnesia:33, while four were vulnerable to the new bugs discovered during the more recent NAME:WRECK research.

The researchers focused their analysis on the "message compression" feature of the DNS protocol and on its implementation across TCP/IP stacks.

Forescout researchers found that the vulnerabilities affect seven of the 15 TCP/IP stacks they analyzed.

The experts pointed out that a DNS response can contain the same domain name, or part of it, several times. DNS message compression lets a server shrink its replies by eliminating that duplication: in the wire format a name, or any suffix of it, can be replaced by a two-byte pointer (top two bits set, followed by a 14-bit offset) to an earlier occurrence of the same name in the message.

The same encoding is also used in multicast DNS (mDNS), by DHCP clients, and in IPv6 router advertisements. The experts explained that although some of these protocols do not officially support compression, many implementations support it anyway, because of code reuse or of a particular reading of the specifications.

“DNS compression is neither the most efficient compression method nor the easiest to implement. As evidenced by the historical vulnerabilities shown in Table 1, this compression mechanism has been problematic to implement for 20 years on a diverse range of products, such as DNS servers, enterprise devices (e.g., the Cisco IP phone) and, more recently, the TCP/IP stacks Treck, uIP and PicoTCP.” reads the report published by the researchers.

The study conducted by the researchers provides technical details about the exploitation of the vulnerabilities.

The researchers also described several recurring implementation mistakes in DNS message parsers, which they call anti-patterns (AP), that lie behind the NAME:WRECK flaws.

The anti-patterns described in the paper are:

  • Lack of TXID validation, insufficiently random TXID and source UDP port
  • Lack of domain name character validation
  • Lack of label and name length validation
  • Lack of NULL-termination validation
  • Lack of record count field validation
  • Lack of domain name compression pointer and offset validation
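The compression mechanism described above and the pointer, length and character anti-patterns in the list are easiest to see in a parser that enforces them. The following C program is an added example written for this article, not code from Forescout, JSOF or any of the stacks named in the table; the function and constant names (dns_read_name, check_name, kResponse and the malformed buffers) are its own, and the response it parses is constructed inline rather than captured from a network. A compression pointer is accepted only if it targets an offset lower than every offset visited so far, which rejects a pointer to itself (the NetX case), a forward pointer, and a pointer that points backward yet into a region already traversed; label bytes are bounds-checked against the message before they are read, the expanded name is capped at 255 wire bytes and at the caller's buffer before it is written, and labels are limited to hostname characters so an embedded NUL is refused.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical hardened DNS name decompressor, written as an added example for this
 * article; it is not code from FreeBSD, IPnet, Nucleus NET, NetX or Forescout. */
#define DNS_MAX_NAME 255u /* RFC 1035: maximum wire length of a name, root byte included */

enum dns_name_err {
    DNS_OK = 0,
    DNS_ERR_TRUNC,      /* a label or pointer runs past the end of the message */
    DNS_ERR_LABEL_TYPE, /* reserved label types 01xxxxxx / 10xxxxxx */
    DNS_ERR_CHAR,       /* byte outside letters, digits, '-' and '_' (NUL included) */
    DNS_ERR_NAME_LEN,   /* expanded name exceeds 255 bytes or the output buffer */
    DNS_ERR_PTR_OFFSET  /* pointer to itself, forward, or into an already visited region */
};

/* Expand the possibly compressed name at msg[off] into out as "a.b.c." and store in *next
 * the offset of the field that follows the name. Every pointer must target an offset below
 * every offset visited so far, so a chain can only move backward and must end. */
static enum dns_name_err dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                                       char *out, size_t out_len, size_t *next)
{
    size_t limit = off, out_pos = 0, wire_len = 0;
    int jumped = 0;
    if (out_len < 2) return DNS_ERR_NAME_LEN;
    for (;;) {
        if (off >= msg_len) return DNS_ERR_TRUNC;
        uint8_t len = msg[off];
        if (len == 0) {                              /* root label: end of name */
            if (!jumped) *next = off + 1;
            if (out_pos == 0) out[out_pos++] = '.';  /* the root name itself */
            out[out_pos] = '\0';
            return DNS_OK;
        }
        if ((len & 0xC0) == 0xC0) {                  /* 11xxxxxx: compression pointer */
            if (off + 1 >= msg_len) return DNS_ERR_TRUNC;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= limit) return DNS_ERR_PTR_OFFSET;
            if (!jumped) { *next = off + 2; jumped = 1; }
            limit = off = target;
            continue;
        }
        if (len & 0xC0) return DNS_ERR_LABEL_TYPE;   /* from here on len <= 63 */
        if (off + 1 + len > msg_len) return DNS_ERR_TRUNC;
        wire_len += 1 + len;
        if (wire_len + 1 > DNS_MAX_NAME) return DNS_ERR_NAME_LEN; /* +1 for the root byte */
        if (out_pos + len + 2 > out_len) return DNS_ERR_NAME_LEN; /* label, '.', NUL */
        for (size_t i = 0; i < len; i++) {
            uint8_t c = msg[off + 1 + i];
            if (!isalnum(c) && c != '-' && c != '_') return DNS_ERR_CHAR;
            out[out_pos++] = (char)c;
        }
        out[out_pos++] = '.';
        off += 1 + len;
    }
}

/* Constructed sample response (not a captured packet): header, question "www.example.com" at
 * offset 12, an A record whose name is a pointer to 12, and a second A record whose name is
 * the label "mail" followed by a pointer to "example.com" at offset 16. */
static const uint8_t kResponse[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 2, 0, 0, 0, 0,                             /* 0..11 */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, /* 12..28 */
    0, 1, 0, 1,                                                                   /* 29..32 */
    0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 0x3C, 0, 4, 93, 184, 216, 34,                /* 33..48 */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10, 0, 1, 0, 1, 0, 0, 0, 0x3C, 0, 4, 93, 184, 216, 35, /* 49..69 */
};
/* Constructed malformed names, each parsed from offset 0 of its own buffer. */
static const uint8_t kSelfPointer[] = { 0xC0, 0x00 };                   /* the NetX case: points at itself */
static const uint8_t kBackLoop[]    = { 3, 'f', 'o', 'o', 0xC0, 0x00 }; /* backward pointer that still cycles */
static const uint8_t kShortLabel[]  = { 5, 'a', 'b' };                  /* claims 5 bytes, only 2 present */
static const uint8_t kBadChar[]     = { 3, 'a', 0, 'b', 0 };            /* NUL byte inside a label */

/* Decode the name at off into a buffer of out_len bytes (capped at 256). Returns the decoder's
 * verdict, or -1 if it decoded but text or following offset differ from expected (NULL skips). */
static int check_name(const uint8_t *msg, size_t msg_len, size_t off, size_t out_len,
                      const char *expected, size_t expected_next)
{
    char out[DNS_MAX_NAME + 1];
    size_t next = 0;
    enum dns_name_err rc = dns_read_name(msg, msg_len, off, out,
                                         out_len < sizeof out ? out_len : sizeof out, &next);
    if (rc == DNS_OK && expected && (strcmp(out, expected) != 0 || next != expected_next)) return -1;
    return (int)rc;
}

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    size_t next = 0, offsets[] = { 12, 33, 49 }; /* question name, answer 1 name, answer 2 name */
    for (int i = 0; i < 3; i++)
        if (dns_read_name(kResponse, sizeof kResponse, offsets[i], name, sizeof name, &next) == DNS_OK)
            printf("offset %zu: %s (next field at %zu)\n", offsets[i], name, next);
    printf("self pointer %d, backward loop %d, short label %d, NUL in label %d, 8-byte buffer %d\n",
           check_name(kSelfPointer, sizeof kSelfPointer, 0, 256, NULL, 0),
           check_name(kBackLoop, sizeof kBackLoop, 0, 256, NULL, 0),
           check_name(kShortLabel, sizeof kShortLabel, 0, 256, NULL, 0),
           check_name(kBadChar, sizeof kBadChar, 0, 256, NULL, 0),
           check_name(kResponse, sizeof kResponse, 12, 8, NULL, 0));
    return 0;
}
```

Compile with any C99 compiler and run: the program prints the three names recovered from the sample response and the verdict for each malformed input. The "strictly below the limit" rule is deliberately stronger than a check that the pointer merely differs from the current offset (the check the NetX flaw lacks): kBackLoop points backward to offset 0, which a parser that only requires "target is less than the current offset" would follow forever, whereas the limit rule rejects it on the first hop. Because every accepted hop lowers the limit, a chain can contain at most as many pointers as there are bytes before the name, so no separate hop counter is needed.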

The NAME:WRECK vulnerabilities have already been addressed in FreeBSD, Nucleus NET, and NetX.

Forescout researchers also released two open-source tools: Project Memoria Detector, which determines whether devices on a target network run a specific embedded TCP/IP stack, and a second tool for detecting NAME:WRECK-like flaws.

“NAME:WRECK is a case where bad implementations of a specific part of an RFC can have disastrous consequences that spread across different parts of a TCP/IP stack and then different products using that stack.” concludes the report. “It is noteworthy that when a stack has a vulnerable DNS client, there are often several vulnerabilities together, but the message compression anti-pattern stands out because it commonly leads to potential RCEs, as it is often associated with pointer manipulation and memory operations.”

Pierluigi Paganini