TCP/IP stack vulnerabilities threaten IoT devices

A set of vulnerabilities in TCP/IP stacks used by FreeBSD and three popular real-time operating systems designed for the IoT was revealed this week by security vendor Forescout and JSOF Research. The nine vulnerabilities could potentially affect 100 million devices in the wild.

Nucleus NET, IPNet and NetX are the other operating systems affected by the vulnerabilities, which a joint report issued by Forescout and JSOF dubbed Name:Wreck.

In a report on the vulnerabilities, Forescout writes that TCP/IP stacks are particularly vulnerable for several reasons, including widespread use, the fact that many such stacks were created a long time ago, and the fact that they make an attractive attack surface, thanks to unauthenticated functionality and protocols that cross network perimeters.

The Domain Name System suffers from much the same issues, which are exploitable in the case of the Name:Wreck vulnerabilities.

“DNS is a complex protocol that tends to yield vulnerable implementations, and these vulnerabilities can often be leveraged by external attackers to take control of millions of devices simultaneously,” the report said.

Name:Wreck can allow for both denial-of-service attacks and remote code execution, and is likely caused by poor coding practices in the code that parses DNS response contents, according to Eric Hanselman, a principal research analyst at 451 Research. Essentially, a key value in the system used to compress DNS responses into smaller and easier-to-move packages is not validated by the system, and can be manipulated by a bad actor.

“The difficulty with DNS attacks is that DNS responses can contain a significant amount of information,” Hanselman said. “There are so many format options that it’s not uncommon to return a significant volume of data in a DNS response, and if you’re not tracking DNS queries and you allow OpenDNS in your environment, it’s very difficult to track the response to ensure you’ve got stateful follow-up.”
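The unvalidated value Hanselman describes is the compression pointer in a DNS name. The following is an added illustration, not code from Forescout, JSOF or any of the affected stacks: a name decoder that bounds-checks every length byte and pointer before using it, run against constructed messages (the header, names and offsets are made up for the example).

```python
# Added illustration, not code from Forescout/JSOF or any affected stack: a DNS
# name decoder that checks every length byte and compression pointer (RFC 1035
# 4.1.4) before using it, then rejects the constructed malformed inputs below.
import struct
MAX_NAME_LEN = 255  # RFC 1035 limit on a wire-format name

class MalformedName(ValueError):
    pass

def parse_name(msg: bytes, offset: int):
    """Return (labels, offset just past the name). Each pointer must land
    strictly before the previous one, which rules out pointer loops."""
    labels, total, pos, end, limit = [], 0, offset, None, len(msg)
    while True:
        if pos >= len(msg):
            raise MalformedName("label length byte outside message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= min(pos, limit):
                raise MalformedName("pointer not strictly backwards")
            end = pos + 2 if end is None else end       # name ends at first pointer
            limit = pos = target
            continue
        if length & 0xC0:
            raise MalformedName("reserved label type")
        if length == 0:                                 # root label ends the name
            return labels, (pos + 1 if end is None else end)
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past end of message")
        total += length + 1
        if total + 1 > MAX_NAME_LEN:
            raise MalformedName("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def is_well_formed(msg: bytes, offset: int) -> bool:
    try:
        parse_name(msg, offset)
        return True
    except (MalformedName, UnicodeDecodeError):
        return False

HDR = bytes(12)  # constructed: an all-zero 12-byte DNS header
# offset 12: www.example.com; offset 29: "mail" + pointer to offset 16 (example.com)
VALID_MSG = HDR + b"\x03www\x07example\x03com\x00" + b"\x04mail\xc0\x10"
LOOP_MSG = HDR + b"\x01a\xc0\x0c"   # constructed: pointer back to its own label
OOB_MSG = HDR + b"\x03www\xc0\xff"  # constructed: pointer past the end of message
```

A decoder that skips any one of these checks either reads outside the packet buffer or spins on the self-referencing pointer, which is the denial-of-service and memory-corruption class the report describes.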

The actual danger to which an organization is exposed differs based on which of the vulnerable stacks it’s using. The FreeBSD vulnerability is likely more widespread – according to the report, it affects millions of IT networks, including Netflix and Yahoo, as well as traditional networking devices like firewalls and routers – but it is also likely easier to fix.

“Those are manageable systems – we should be able to update them,” said Forrester senior analyst Brian Kime. “[And] they should be prioritized for remediation, because they’re part of your network stack.”

The same cannot be said, in many cases, of the real-time operating systems affected by Name:Wreck, since the standard issues that make securing IoT devices difficult remain in play here. The ability to patch and update firmware is still not a standard feature, and the OEMs of connected devices – which may be quite old, and may not have been designed to be Internet-facing in the first place – might not even be operating any more.

In cases where those IoT devices are vulnerable, strong security has to start at the network layer, according to Hanselman. Monitoring the network directly for anomalous activity – which, again, can sometimes be difficult to detect in the case of a TCP/IP vulnerability – is a good start, but what’s really needed are techniques like DNS query protection.

“Fortunately for most organizations, DNS monitoring has become much more prevalent, because DNS is one of the best ways to do detection for ransomware,” he said. “Most organizations should have reasonable DNS query protection in place.”

The active scope of these vulnerabilities is limited by several factors, including whether affected devices have direct access to the Internet – unlikely in the case of many of the medical devices described – and how patchable they are. What’s more, it’s worth noting that none are thought to have been exploited in the wild as of yet. However, one key target to watch could be printers.

Printers are highly accessible, given that they’re more or less ubiquitous and tend not to draw a lot of security attention, according to Kime, and, once compromised, they could offer a vector through which other vulnerable devices on a network could be accessed.

“Rarely are people going to assess them for vulnerabilities, so they get exploited by threat actors,” he said. “I could see bad actors using IoT vulnerabilities as persistence once they’ve exploited something else to get into the environment.”

Name:Wreck is far from the only set of TCP/IP vulnerabilities to rear its ugly head in recent memory, of course. Forescout and JSOF, between them, have discovered several families of this type of security flaw in the past, including Ripple20, Amnesia:33 and Number:Jack within the past calendar year alone, and experts agree that further vulnerabilities are likely to come to light for the foreseeable future. For one thing, there simply aren’t that many IP stacks in existence, meaning that many are used in a huge range of applications, and that they’re generally assumed to be secure.

“It’s something where everyone assumes they can pull the IP stack from whatever their favorite [open-source software] distribution happens to be, and these should be well-hardened,” said Hanselman. “For the most part, that’s true, but networking stacks are dealing with fairly complex state management, and there can be unexpected ways to manipulate those.”