DNS Flaws in Millions of IoT Devices Pose Remote Attack, Exfiltration Risk

April 13, 2021 - A group of nine DNS vulnerabilities in four popular TCP/IP stacks used in more than 100 million enterprise, consumer, and industrial IoT devices pose a critical risk of hacking or remote code execution attacks, according to a new report from Forescout Research Labs and JSOF.

Daniel dos Santos, a research manager at Forescout, explained to HealthITSecurity.com that these flaws impact a wide variety of devices, particularly those in healthcare and delivery organizations. Not just connected devices, but other types of IoT.

Overall, the report stresses the need for better mitigation of vulnerable technologies, especially around patch management and network segmentation.

Domain names identify assets online as character strings, while the “Domain Name System” (DNS), is a decentralized system and protocol that allows a requesting device to resolve desired domain names to specific IP addresses through a query of hierarchical servers.

Recently, several major vulnerabilities have been disclosed in DNS implementations, including a wormable flaw in Windows DNS servers. In March 2020, Europol warned hackers were targeting DNS servers of remote workers and healthcare with hijacking attacks.

READ MORE: Feds Issue Emergency Directive to Patch Critical DNS Server Flaw

Dubbed NAME:WRECK, the latest DNS flaws were found in FreeBSD, IPnet, Nucleus NET and NetX. These TCP/IP stacks are commonly present in well-known software and IoT or OT firmware. FreeBSD is used in high-performance servers used in millions of IT networks, while the other stacks are commonly leveraged in IoT and OT firmware.

The flaws could potentially impact organizations across all sectors, including healthcare, government, enterprise, manufacturing, and retails. The report showed that more than 180,000 devices in the US employ the vulnerable tech.

Specifically, the healthcare sector is employing the impacted stack on 1,726 Nucleus RTOS devices, the largest subset with 43 percent of all affected platforms, and 37,358 FreeBSD devices in healthcare are running the impacted IP stack, or 16 percent of all vulnerable devices.

Another 461 ThreadX RTOS devices in healthcare are operating with the known vulnerability, or 17 percent of all affected devices.

The report builds on a December disclosure of 33 flaws known as Amnesia:33, impacting more than 150 vendors and millions of IoT, IT, and OT devices. The vulnerabilities were widely spread across devices, highly modular, and utilized in undocumented, deeply embedded subsystems.

READ MORE: Microsoft Patches Critical, Wormable Flaw in Windows DNS Servers

For NAME:WRECK, the flaws are the result of two systemic weaknesses in the current way of designing and deploying mainstream software.

Researchers analyzed DNS message compression implementations in seven new TCP/IP stacks and found 50 percent are vulnerable. The assessment of 15 stacks for message compression vulnerabilities and found seven were at risk of the bug found in DNS compression.

Six securely implemented message compression and two others did not support the function, and as such, were not vulnerable.

Combined with the similar vulnerabilities, Amnesia:33 and Ripple20, and other DNS server flaws, the report highlights the serious risk posed by the commonly used tech.

“The widespread deployment and often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,” according to the report. “If exploited, bad actors can use them to take target devices offline or assume control of their operations.”

READ MORE: Report: 72% Orgs Faced Increase in IoT, Endpoint Security Incidents

“Of particular interest is that to exploit NAME:WRECK vulnerabilities, an attacker should adopt a similar procedure for any TCP/IP stack,” it added. “This means that the same detection technique used to identify exploitation of NAME:WRECK also will work to detect exploitation on other TCP/IP stacks and products that we could not yet analyze.”

To exploit these flaws, an attacker could craft a DNS response packet combined with invalid compression pointer offsets and write arbitrary data into sensitive parts of the device’s memory, then inject malicious code.

The attacker could also leverage the flaw to inject crafted, malicious code, by abusing very large domain name records within the nefarious packet. To deliver the malicious payload, the attacker can bypass DNS query-response matching by leveraging another DNS vulnerability.

Further, domain name parsing of the vulnerabilities can expose both internal and internet-connected devices to attacks, as it impacts exposed DNS clients and DHCP clients.

Specifically, an attacker can exploit one of the RCEs to gain network access through the compromise of a device issuing DNS requests to a server on the internet. The threat actor can use the compromised eternal server to persist on the network or to exfiltrate data via the internet-exposed IoT device.

“The caveat about DNS-based vulnerabilities is that they require the attacker to reply to a legitimate DNS request with a malicious packet,” the report authors wrote. “That can be achieved via a man-in-the-middle somewhere in the path between the request and the ...IoT devices being used both as entry points and for data exfiltration.”

For dos Santos, it’s imperative healthcare entities to take steps to mitigate these flaws through effective patch management, which is the ideal solution. But network segmentation is also a crucial risk reduction step,

Administrators should review the inventory of devices and access management, to ensure the devices are truly connected to what is allowed.

“When we look at internal data, sometimes medical devices are being used in the same network as personal devices and workstations. Some entities are mixing criticalities of devices or data,” dos Santos explained.

“And one device in the chain of vulnerabilities can be used by attackers as a stepping stone or entry point into the network,” he continued. “It’s important to make sure attackers cannot reach [critical devices] for their final goal.”

Besides segmentation, administrators should review tech recommendations and special protocols for DNS to ensure they’re employing best practices.