22.04.2021

NAME:WRECK vulnerabilities on 100 million devices

Vulnerabilities in TCP/IP stacks put IoT devices at risk, such as printers or medical devices. German companies are also at risk.

What happened?

Nine vulnerabilities of medium to critical severity were discovered in widely used software by security researchers from JSOF and Forescout Research Labs. The identified vulnerabilities are referred to as “NAME:WRECK”. The operating systems “FreeBSD”, “IPNet”, “Nucleus NET” (Siemens) and “NetX” are affected. These are commonly used in two types of devices:

  • Those that use technology to control and monitor physical machines and industrial equipment (operational technology).
  • Devices that can send and receive data over the Internet (Internet of Things).
    These can include computers, printers, smart watches, and network devices, as well as building automation, industrial engineering, VoIP, medical devices, systems-on-a-chip, energy and power devices in industrial control systems.

The widespread use of the software and the possibility of access via the Internet lead to a significantly increased attack surface. It is believed that around 100 million devices are affected. According to the Forescout report, Germany is among the top 5 countries with identified exposed devices where Nucleus NET and FreeBSD are used. The healthcare sector and areas with industrial manufacturing processes are particularly at risk.

What are the risks for my company from exploiting NAME:WRECK?

If the attackers successfully exploit the vulnerabilities, there is a possibility that the targeted devices could be taken offline. In the worst case, the attacker can gain control of the devices – unauthorised and unnoticed by the user.

Further background on the threat of NAME:WRECK

The vulnerabilities affect the DHCP and DNS implementations of the TCP/IP stacks of the four operating systems mentioned. The TCP/IP model describes how a particular system is connected to the Internet and how its data is transmitted.
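The advisory does not describe the bugs themselves; the DNS-side NAME:WRECK flaws are parsing errors in how these stacks handle RFC 1035 message compression (name pointers). As an added example that is not from the advisory or the Forescout report, here is a defensive DNS name decoder in Python that applies the bounds, pointer-direction and hop-count checks such a parser needs, run over constructed messages (the sample bytes and the function names are assumptions of this example):

```python
class MalformedName(ValueError): """Raised for any name the decoder refuses."""

def decode_name(msg: bytes, offset: int, max_hops: int = 16):
    """Decode name at `offset`; return (name, offset_after_name) or raise."""
    labels, pos, end, hops, total = [], offset, None, 0, 0
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:                      # only backward pointers are valid
                raise MalformedName("forward or self-referential pointer")
            hops += 1
            if hops > max_hops:                    # bounds a pointer chain that cycles
                raise MalformedName("too many pointer hops")
            end = pos + 2 if end is None else end  # name ends after the first pointer
            pos = target
            continue
        if length & 0xC0:                          # 0x40/0x80 label types are reserved
            raise MalformedName("reserved label type")
        pos += 1
        if length == 0:                            # root label terminates the name
            break
        if pos + length > len(msg):
            raise MalformedName("label runs past end of message")
        total += length + 1
        if total > 255:                            # RFC 1035 limit on a full name
            raise MalformedName("name longer than 255 octets")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) + ".", (end if end is not None else pos)

def is_malformed(msg: bytes, offset: int) -> bool:
    try:
        decode_name(msg, offset)
        return False
    except MalformedName:
        return True

# Constructed sample messages; 12 zero bytes stand in for the DNS header.
HDR = b"\x00" * 12
GOOD = HDR + b"\x07example\x03com\x00" + b"\x03www\xC0\x0C"  # "www" + pointer to offset 12
LOOP = HDR + b"\x01x\xC0\x0C"      # label, then a pointer back to it: cycles forever
FORWARD = HDR + b"\xC0\x0E"        # pointer to an offset beyond the current position
OVERRUN = HDR + b"\x10abc"         # label claims 16 bytes, only 3 remain
```

A parser without the hop limit loops forever on LOOP, and one without the length check reads past the buffer on OVERRUN; both are the failure classes a stack's DNS client must reject rather than trust.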

FreeBSD

As the researchers point out in their report, FreeBSD is widely known for being used in millions of IT networks for high-performance servers, including major websites such as Netflix and Yahoo. The most common types of devices in the Device Cloud that run FreeBSD include computers, printers, and network devices.

Nucleus NET

Nucleus NET, in turn, is used in numerous IoT and OT devices. The most common device types under Nucleus are building automation, operations engineering, and VoIP.

NetX

NetX usually runs on the RTOS ThreadX. Typical applications include medical devices, systems-on-a-chip, and various printer models. Some of the most common types of devices that run ThreadX include printers, smart watches, and energy and power devices in industrial control systems.

These devices and the associated industries are expected to be the most at risk. NAME:WRECK thus seems to be more of a threat to large organizations.

Fortunately, not all versions are vulnerable to what the researchers call the NAME:WRECK threat.

You can find more background on the topic in the Forescout report.

What can I do?

  • First, check whether your company uses the software/firmware mentioned above. If your company uses a specific medical device or building automation system, it is recommended to check the specifications of that device and contact the equipment vendor if in doubt.
  • Check if your version is affected. The nine vulnerabilities identified by the researchers can be found on page 7 of the Forescout report. For example, to identify your version of FreeBSD, follow the instructions.
  • If the software is detected on any of your devices, it must be updated to the latest version. All vendors of the vulnerable TCP/IP stacks identified in the report have been notified of these vulnerabilities and have patched them accordingly.
  • Generally recommended remedies for NAME:WRECK include limiting the network exposure of critical vulnerable devices through network segmentation and using internal DNS servers.
  • Device manufacturers who use this software should provide their customers with their own updates. It is important to remember that full protection against NAME:WRECK requires patching devices running the vulnerable versions of the TCP/IP stacks.
  • If patching is not possible for you or if you have any questions, you can always contact Perseus as a customer of our emergency assistance.