Millions of devices impacted by NAME:WRECK flaws

Pierluigi Paganini April 13, 2021

Security experts disclosed nine flaws, collectively tracked as NAME:WRECK, affecting implementations of the DNS protocol in popular TCP/IP network communication stacks.

Security researchers disclosed nine vulnerabilities, collectively tracked as NAME:WRECK, that affect implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

The flaws were discovered by researchers from the security firm Forescout and Israeli security research teamJSOF.

The vulnerabilities could allow attackers to take full control over the device or to take them offline, the full list of flaws discovered by the experts is reported in the following table:

CVE IDStackDescriptionAffected featurePotential ImpactSeverity Score
CVE-2020-7461FreeBSD-boundary error when parsing
option 119 data in DHCP packets in dhclient(8)- attacker on the network can send crafted data to DHCP client
Message
compression
RCE7.7
CVE-2016-20009IPnet– stack-based overflow on the message decompression  functionMessage
compression
RCE9.8
CVE-2020-15795Nucleus NET– DNS domain name label parsing functionality does not
properly validate the names in DNS responses- parsing malformed responses could result in a write past the end of an allocated structure
Domain name
label parsing
RCE8.1
CVE-2020-27009Nucleus NET– DNS domain name record decompression functionality
does not properly validate the pointer offset values- parsing malformed responses could result in a write past the end of an allocated structure
Message
compression
RCE8.1
CVE-2020-27736Nucleus NET– DNS domain name label parsing functionality does not
properly validate the name in DNS responses- parsing malformed responses could result in a write past the end of an allocated structure
Domain
name label
parsing
DoS6.5
CVE-2020-27737Nucleus NET– DNS response parsing functionality does not properly
validate various length and counts of the records- parsing malformed responses could result in a read past the end of an allocated structure
Domain name
label parsing
DoS6.5
CVE-2020-27738Nucleus NET– DNS domain name record decompression functionality
does not properly validate the pointer offset values- parsing malformed responses could result in a read access past the end of an allocated structure
Message
compression
DoS6.5
CVE-2021-25677Nucleus NET– DNS client does not properly randomize DNS transaction ID (TXID) and UDP port numbersTransaction IDDNS cache poisoning/spoofing5.3
*NetX– two functions in the DNS resolver fo not check that the compression pointer does
not equal the same offset currently being parsed, potentially leading to infinite loop
Message
compression
DoS6.5

“Forescout Research Labs, partnering with JSOF Research, disclosed NAME:WRECK, a set of Domain Name System (DNS) vulnerabilities that have the potential to cause either Denial of Service (DoS) or Remote Code Execution, allowing attackers to take targeted devices offline or to gain control over them.” reads the analysis published by Forescout. “The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface.”

name:wreck
ù

Three TCP/IP stacks were vulnerable to DNS message compression-related bugs discovered in previous research projects like Ripple 20 and Amnesia:33, while four TCP/IP stacks were vulnerable to new bugs discovered during the more recent NAME:WRECK research push.

The researchers focus their analysis on the “message compression” feature of the DNS protocol and its implementation across TCP/IP stacks.

Forescout researchers discovered that the nine vulnerabilities impact seven of the 15 TCP/IP stacks they analyzed.

name:wreck

Experts pointed out that the DNS response packets can include the same domain name or a part of it several times,
the DNS message compression allows DNS servers to reduce the size of DNS replies by eliminating duplication of the domain names.

The same encoding is adopted in multicast DNS (mDNS), DHCP clients, and IPv6 router advertisements, but experts explained that several protocols do not officially support this compression because of code reuse or a specific understanding of the specifications-

DNS compression is neither the most efficient compression method nor the easiest to implement. As evidenced by the historical vulnerabilities shown in Table 1, this compression mechanism has been problematic to implement for 20 years on a diverse range of products, such as DNS servers, enterprise devices (e.g., the Cisco IP phone) and, more recently, the TCP/IP stacks Treck, uIP and PicoTCP.” reads the report published by the researchers.

The study conducted by the researchers provides technical details about the exploitation of vulnerabilities.

The researchers also described several recurring implementation issues within DNS message parsers, referred by the experts as anti-patterns (AP) that could cause the NAME:WRECK flaws.

The anti-patterns descrived in the paper are:

  • – Lack of TXID validation, insufficiently random TXID and source UDP port
  • – Lack of domain name character validation
  • – Lack of label and name lengths validation
  • – Lack of NULL-termination validation
  • – Lack of the record count fields validation
  • – Lack of domain name compression pointer and offset validation

The NAME:WRECK vulnerabilities have been already addressed in FreeBSD, Nucleus NET, and NetX.

Forescout researchers released two open-source tools that can determine the presence on a target network of devices running a specific embedded TCP/IP stack (Project Memoria Detector) and for detecting NAME:WRECK-like flaws.

“NAME:WRECK is a case where bad implementations of a specific part of an RFC can have disastrous consequences that spread across different parts of a TCP/IP stack and then different products using that stack.” concludes the report. “It is noteworthy that when a stack has a vulnerable DNS client, there are often several vulnerabilities together, but the message compression anti-pattern stands out because it commonly leads to potential RCEs, as it is often associated with pointer manipulation and memory operations.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Hades ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment