Security researchers at Forescout and JSOF have uncovered a set of nine vulnerabilities within four commonly used TCP/IP stacks. They estimate that more than 100 million devices are affected by these security flaws, which they dubbed “Name:Wreck.” They mainly affect Internet of Things (IoT) products and IT management servers. The vulnerabilities exist in both open source and proprietary stacks, including FreeBSD and Siemens’ Nucleus NET.
The flaws all pertain to how these TCP/IP stacks handle DNS servers. While they found no evidence that these holes have been used in the wild, hackers could potentially utilize them to crash a network or infiltrate a victim’s infrastructure allowing them remote control. These implications could be catastrophic for critical systems like those used in health care, manufacturing, or government networks.
The security teams disclosed the flaws to various developers, including Siemens, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, and other security tracking groups. Patches have been issued for all nine of the flaws, but that does not necessarily solve the overall problem.
“With all these findings, I know it can seem like we’re just bringing problems to the table, but we’re really trying to raise awareness, work with the community, and figure out ways to address it,” Forescout’s VP of Research Elisa Costante told Wired.
There are at least 100 million devices out there—some estimate it could be into the billions. Many run on older software, and some of them have no means for updating the code. So while patches exists, there is no way to get it out to certain devices. The researchers were not specific about which devices remain vulnerable. However, Forescout created an open-source script to help administrators track down vulnerable IoT devices and servers on the network.
They also point out that these are just nine flaws out of the 15 TCP/IP stacks they analyzed. There could be many more, but it will take time to identify them. They note that these holes exist because most of these stacks predate IoT devices. The code has always worked as intended, but security measures have evolved over the last two decades, and the software has not evolved with it.
“For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago,” said Red Balloon Security CEO Ang Cui. “And it works; it never failed. But once you connect that to the internet, it’s insecure. And that’s not that surprising, given that we’ve had to really rethink how we do security for general-purpose computers over those 20 years.”
Until more devices can be replaced or updated, Forescout recommends limiting such equipment from connecting directly to the internet as much as possible. Network managers can also use an internal DNS server to route traffic. Now that the flaws are known, it should also be easier to detect intrusions that leverage them.