TCP/IP-Stack-Schwachstelle bedroht IoT-Geräte

Security vendors Forescout and JSOF Research this week disclosed a set of vulnerabilities in the TCP/IP stack used by FreeBSD and three popular real-time operating systems designed for the Internet of Things. These nine vulnerabilities could affect 100 million devices.

Nucleus NET, IPNet and NetX are other operating systems affected by the vulnerability, which a joint report published by Forescout and JSOF named Name:Wreck.

Forescout wrote in a report on the vulnerability that TCP/IP stacks are particularly vulnerable for several reasons, including their widespread use, the fact that many such stacks were created a long time ago, and the fact that they create an attractive attack surface. , thanks to unauthenticated capabilities and protocols across network boundaries

The Domain Name System suffers from many of the same issues, which can be exploited in the case of the Name:Wreck vulnerability.

“DNS is a complex protocol that often results in vulnerable implementations that can often be exploited by external attackers to control millions of devices simultaneously,” the report states.

Name: Wreck can allow denial of service attacks and remote code execution, and may be caused by poor coding practices in code parsing of DNS response content, according to Eric Hanselman, principal research analyst at 451 Research. Essentially, the key values ​​in the system used to compress DNS responses into smaller and more mobile packages are not validated by the system and can be manipulated by bad actors.

“The difficulty with DNS attacks is that the DNS response can contain a lot of information,” Hanselman said. “There are so many formatting options that it’s not uncommon to have a lot of data returned in a DNS response, and if you don’t track DNS queries and allow OpenDNS in your environment, it’s difficult to track the response to make sure you have the status to follow up.”

The actual danger an organization faces varies based on the vulnerable stack it uses. The FreeBSD flaw may be more widespread – affecting millions of IT networks, including Netflix and Yahoo – as well as traditional network equipment such as firewalls and routers, but may be easier to fix, the report said.

“These are manageable systems – we should be able to update them,” said Brian Kime, senior analyst at Forrester. “[And] they should be prioritized for remediation because they are part of your network stack.”

In many cases, this is not the case for real-time operating systems affected by Name:Wreck, as issues with standards for securing IoT devices remain. The ability to patch and update firmware is still not a standard feature, the OEM of the connected device is likely to be very old, and may not have been designed to be internet-facing in the first place – it may not even be functional anymore.

With these IoT devices vulnerable to attack, strong security must start at the network layer, Hanselman said. Directly monitoring the network for anomalous activity (again, sometimes difficult to detect in the case of TCP/IP vulnerabilities) is a good start, but what is really needed are technologies like DNS query protection.

“Fortunately, DNS monitoring has become more common for most organizations because DNS is one of the best ways to detect ransomware,” he said. “Most organizations should have reasonable protection against DNS queries.”

The scope of activity of these vulnerabilities is limited by several factors, including whether the affected devices have direct access to the Internet—unlikely in the case of many of the medical devices described—and how patchable they are. What’s more, it’s worth noting that none are currently thought to have been exploited in the wild. However, one key target to watch may be printers.

According to Kime, printers are highly accessible because they are more or less ubiquitous and tend not to attract much security attention, and if compromised, they can provide a vector through which to Access other vulnerable devices on the network.

“Their vulnerabilities are rarely assessed, so they are exploited by threat actors,” he said. “I could see bad actors using IoT vulnerabilities as persistence once they leverage something else to get into the environment.”

Name: Of course, Wreck is far from the only ugly set of TCP/IP vulnerabilities in recent memory. Forescout and JSOF have discovered several such families of security vulnerabilities in the past year alone, including Ripple20, Amnesia:33, and Number:Jack, and experts agree that more are likely to be discovered in the foreseeable future. On the one hand, there simply aren’t that many IP stacks out there, which means many IP stacks are used in a large number of applications and are generally considered secure.

“In this case, everyone thinks they can pull the IP stack from their favorite [open source software] distribution, and those should be well-enhanced,” Hanselman said. “In most cases, this is true, but the network stack is dealing with quite complex state management, and there may be unexpected ways to manipulate these.”

Kontakt