Vulnerabilities in TCP/IP stacks put IoT devices, such as printers or medical devices, at risk. German companies are also at risk.
What happened?
Nine vulnerabilities of medium to critical severity were discovered in widely used software by security researchers from JSOF and Forescout Research Labs. The identified vulnerabilities are referred to as “NAME:WRECK”. The operating systems affected are “FreeBSD”, “IPNet”, “Nucleus NET” (Siemens) and “NetX”. These are commonly used in two types of devices:
- Those that use technology to control and monitor physical machines and industrial equipment (Operational Technology).
- Devices that can send and receive data over the Internet (Internet of Things).
These can be, for example, computers, printers, smart watches, and network devices, as well as building automation, operations technology, VoIP, medical devices, systems-on-a-chip, energy and power devices in industrial control systems.
The software is used on a large scale and can be accessed via the Internet. That leads to a significantly increased attack surface. It is assumed that around 100 million devices are affected. Germany is among the top 5 countries with identified exposed devices using Nucleus NET and FreeBSD, according to the Forescout report. The healthcare sector and areas with industrial manufacturing processes are particularly at risk.
What are the risks of exploiting NAME:WRECK to my organization?
If the attackers successfully exploit the vulnerabilities, there is a possibility that the targeted devices will be taken offline. At worst, the attacker can gain control of the devices – unauthorized and unnoticed by the user.
Further background on the NAME:WRECK threat
The vulnerabilities affect the DHCP and DNS implementations of the TCP/IP stacks of the four operating systems mentioned above. The TCP/IP model helps determine how a particular system should connect to the Internet and how data should be transmitted.
FreeBSD
As the researchers point out in their report, FreeBSD is widely known to be used in millions of IT networks for high-performance servers – including major websites like Netflix and Yahoo. The most common types of devices in the device cloud running FreeBSD include computers, printers and network devices.
Nucleus NET
Nucleus NET is again used in numerous IoT and OT devices. The most common device types under Nucleus are building automation, operational technology, and VoIP.
NetX
NetX is typically run with the ThreadX RTOS. Typical applications include medical devices, systems-on-a-chip, and various printer models. The most common types of devices running ThreadX include printers, smart watches, and power and energy devices in industrial control systems.
These devices and their associated industries are likely to be most at risk. NAME:WRECK thus appears to be more of a threat to large organizations.
Fortunately, not all versions are vulnerable to what the researchers call the NAME:WRECK threat.
See the Forescout report for more background on the issue.
What can I do?
- First, check if your company is using the software/firmware mentioned above. If the company uses a specific medical device or building automation system, it is recommended to check the specifications of this device and contact the device vendor if in doubt.
- Check to see if your version is affected. The nine vulnerabilities identified by the researchers can be found on page 7 of the Forescout report. For example, to identify your version of FreeBSD, follow the instructions.
- If the software is detected on any of your devices, it must be updated to the latest version. All vendors of the vulnerable TCP/IP stacks identified in the report have been notified of these vulnerabilities and have patched them accordingly.
- Commonly recommended remediation measures for NAME:WRECK include limiting network exposure of critical vulnerable devices through network segmentation,
- Fall back on internal DNS servers.
- Device manufacturers using this software should provide their own updates to their customers. It is important to remember that full protection against NAME:WRECK requires patching devices running the vulnerable versions of the TCP/IP stacks.
- If patching is not possible for you or if you have any questions, you can always contact Perseus as a customer of our emergency support.