Weak points in the TCP/IP stack threaten IoT devices

The latest vulnerability in a key part of the network stack threatens a major open source operating system, printers and IoT medical devices.

A number of vulnerabilities in the TCP/IP stacks used by FreeBSD and three popular real-time operating systems for the Internet of Things (IoT) were uncovered this week by the security vendors Forescout and JSOF Research. The nine vulnerabilities could potentially affect 100 million devices in the wild.

Nucleus NET, IPNet, and NetX are the other operating systems affected by the vulnerabilities identified in the joint Forescout and JSOF report, which calls them NAME:WRECK.

In its report on the vulnerabilities, Forescout writes that TCP/IP stacks are particularly vulnerable for a number of reasons: they are in widespread use, many of them were written long ago, and because they expose unauthenticated functionality and protocols that cross network boundaries, they offer an attractive target.

The Domain Name System suffers from similar problems, and those are what the NAME:WRECK vulnerabilities exploit.

"DNS is a complex protocol that tends to give rise to vulnerable implementations, and these vulnerabilities can often be exploited by outside attackers to take control of millions of devices simultaneously," the report said.

NAME:WRECK can be used for denial-of-service attacks as well as remote code execution, and is likely caused by poor coding practices when parsing DNS response content, according to Eric Hanselman, principal research analyst at 451 Research. Essentially, a key value that is used to compress DNS responses into smaller, easier-to-transport packets is not validated by the system and can be tampered with by a malicious actor.
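The unvalidated value described above is the DNS message compression pointer (RFC 1035, section 4.1.4). As an added example, not code from the report or from any of the affected stacks, here is a Python name decoder that applies the checks such a parser needs, run against a constructed sample message:

```python
# Defensive decoder for DNS names with RFC 1035 message compression. Added
# example, not code from the NAME:WRECK report or any affected stack. The
# pointer's 14-bit offset must stay in the message and point strictly
# backwards; that rule alone also prevents pointer loops.

class MalformedName(ValueError):
    """Name would send the parser out of bounds or into a loop."""

def decode_name(msg: bytes, offset: int):
    """Return (name, position just past the name's in-place bytes)."""
    labels, pos, total, end = [], offset, 0, None
    lowest = offset                     # every pointer must land before this
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:       # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:             # first jump: in-place bytes end here
                end = pos + 2
            if target >= lowest:        # forward or self pointer
                raise MalformedName("pointer does not point strictly backwards")
            lowest = pos = target
            continue
        if length & 0xC0:               # 01/10 label types are not supported
            raise MalformedName("unsupported label type")
        if length == 0:                 # root label terminates the name
            break
        if length > 63 or pos + 1 + length > len(msg):
            raise MalformedName("label length out of bounds")
        total += length + 1
        if total > 255:
            raise MalformedName("name exceeds 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", end if end is not None else pos + 1

def is_well_formed(msg: bytes, offset: int = 12) -> bool:
    try:                                # offset 12 = first question name
        decode_name(msg, offset)
        return True
    except MalformedName:
        return False

# Constructed sample: 12-byte header, question for example.com, then an
# answer record whose NAME field is a pointer back to offset 12.
SAMPLE = (bytes(12) + b"\x07example\x03com\x00"   # offset 12: question name
          + b"\x00\x01\x00\x01"                   # QTYPE A, QCLASS IN
          + b"\xc0\x0c")                          # offset 29: pointer -> 12
```

A stack that skips the backwards check will happily follow a pointer to itself or past the end of the buffer, which is the class of defect the report describes.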

"The difficulty with DNS attacks is that DNS responses can contain a significant amount of information," says Hanselman. "There are so many format options that it is not uncommon for a significant amount of data to be returned in a DNS response, and if you don't track DNS requests and allow OpenDNS in your environment, it is very difficult to track the response to ensure you have a status-based follow-up."

The real risk a company faces depends on which of the vulnerable stacks it is using. The FreeBSD vulnerability is likely to be more prevalent: it affects millions of IT networks, including Netflix and Yahoo, as well as traditional network devices such as firewalls and routers, the report says, but it is also likely easier to fix.

"These are manageable systems - we should be able to update them," said Forrester senior analyst Brian Kime. "[And] they should be prioritized when troubleshooting because they are part of the network stack."

In many cases, the same cannot be said of the real-time operating systems affected by NAME:WRECK, since the usual problems in securing IoT devices remain. The ability to patch and update the firmware is still not standard, and the OEMs of the connected devices, which may be quite old and not designed for internet use in the first place, may no longer be in operation.

Where these IoT devices are vulnerable, strong security must start at the network layer, according to Hanselman. Monitoring the network directly for anomalous activity, which can itself be hard to detect in the case of a TCP/IP vulnerability, is a good start, but what is really needed are techniques such as protecting DNS queries.

"Fortunately for most businesses, DNS monitoring is much more widespread because DNS is one of the best ways to detect ransomware," he said. "Most organizations should have decent DNS query protection in place."

The practical scope of these vulnerabilities is limited by several factors, including whether the affected devices have direct access to the Internet, which is unlikely for many of the medical devices described, and how patchable they are. It is also worth noting that none of the vulnerabilities has yet been exploited in the wild. However, one important target to keep in mind could be printers.

According to Kime, printers are very easily accessible: they are more or less ubiquitous, their security typically receives little attention, and once compromised they could provide a vector for reaching other vulnerable devices on a network.

"They are rarely examined for vulnerabilities so that they can be exploited by threat actors," he said. "I could imagine that bad actors use IoT vulnerabilities as persistence as soon as they have exploited something else to get into the environment."

NAME:WRECK is, of course, nowhere near the only set of TCP/IP vulnerabilities to have raised its ugly head recently. Forescout and JSOF have discovered several families of this type of vulnerability before, including Ripple20, AMNESIA:33, and NUMBER:JACK in the past calendar year alone, and experts agree that more will come to light in the foreseeable future. For one thing, there simply aren't that many IP stacks, which means the few that exist are used in a wide variety of applications and are generally assumed to be secure.

"It's something that everyone assumes they can pull the IP stack out of their preferred [open source software] distribution, and that it should be well hardened," said Hanselman. "By and large that's true, but network stacks are pretty complex state management and there can be unexpected ways to manipulate it."
