Threat Intel: NAME:WRECK TCP/IP Vulnerabilities Exposed

A set of 9 vulnerabilities affecting popular TCP/IP stacks
Cynerio
Apr 14, 2021

Vulnerability Information

As part of their ongoing collaboration on Project Memoria, Forescout and JSOF Research Labs discovered nine vulnerabilities in four widely-used TCP/IP stacks affecting underlying problems with Domain Name Systems (DNS) implementations. Dubbed NAME:WRECK, this new set of vulnerabilities can be added to a growing list of TCP/IP stack vulnerabilities that includes Ripple20, AMNESIA:33, and others. 

Stacks Affected

FreeBSD

A stack found in open-source Unix-like operating systems used across a variety of IT software. It is affected by  CVE-2020-7461, which can enable an attacker on the local network to remotely execute malicious/arbitrary code on the system, causing a heap-based buffer overflow. It has a CVSS base score of 7.7

IPnet

A popular stack used by the unsupported versions 6.5–7 of VxWorks, as well as OSE, Integrity, ThreadX, ITRON and ZebOS, popular RTOS run by many IoT and IT products. It is affected by CVE-2016-20009 and has a CVSS base score of 9.8 that can cause a DNS client stack-based buffer overflow on the message decompression function, resulting in remote code execution.

Nucleus NET

A stack used by decades-old firmware regularly built into IoT and OT firmware. It is regularly built into many Siemens products.  It is affected by six of the nine NAME:WRECK CVEs discovered:

  • CVE-2020-15795 - A flaw in the DNS domain name label parsing functionality that improperly validates names in DNS responses. It has a CVSS base score of 8.1 and can enable an attacker with elevated privileges to execute malicious code and cause DoS.
  • CVE-2020-27009 - A flaw in the DNS domain name record decompression functionality that improperly validates pointer offset values. It has a CVSS base score of 8.1 and can also enable an attacker with elevated privileges to execute malicious code and cause DoS.
  • CVE-2020-27736 and CVE-2020-27737- Similar to number one in this list, these CVEs improperly validate names in DNS responses due to a flaw in the DNS domain name parsing functionality. They can also cause DoS and have a CVSS base score of 6.5.
  • CVE-2020-27738 - Similar to the second CVE on this list, this CVE improperly validates pointer offset values due to a flaw in the DNS domain name record compression functionality. It has a CVSS base score of 6.5. Bad actors with elevated privileges on the network can exploit this vulnerability to cause DoS. 
  • CVE-2021- 25677 -  A flaw in the DNS client causes the improper randomization of DNS transaction IDs (TXID) and UDP port numbers. This can result in cache poisoning and spoofing attacks. It has a CVSS base score of 5.3.

NetX

An industrial-grade TCP/IP IPv4 embedded network stack used in Azure RTOS for real-time and IoT applications.This vulnerability is caused by flaws in three functions of the DNS resolver component affecting message compression. Functions _nx_dns_name_string_unencode and _nx_dns_resource_name_real_size_calculate fail to check the compression pointer’s value against the offset being parsed and can result in an infinite loop. The function _nx_dns_resource_name_real_size_calculate doesn’t execute an out-of-bounds check on packet buffers and can point forward. The vulnerability can cause DoS  and it has not yet been assigned a CVE number. It has a CVSS base score of 6.5.

Stacks affected by NAME:WRECK can also be added to the list of those vulnerable to DNS implementation in DNSpooq. Ripple20 and AMNESIA:33 also include vulnerabilities in the DNS implementation of the Treck, uIP (microIP), and PicoTCP TCP/IP stacks.

NAME:WRECK Variants

Additional ICS advisories were issued by Siemens for variants of the NAME:WRECK vulnerabilities::

  1. ICSA-21-103-14 - A remotely exploitable vulnerability with a CVSS score of 5.3 that affects Siemens Nucleus products by enabling a threat actor to spoof DNS resolving or poison the DNS cache
  2. ICSA-21-103-05 - Another two remotely exploitable vulnerabilities that can cause DoS with a CVSS score of 7.5 that affect the following Siemens products: Nucleus 4, Nucleus NET, Nucleus ReadyStart, Nucleus Source Code, VSTAR

NAME:WRECK’s Impact on Healthcare

These vulnerabilities are remotely exploitable. If any of them are successfully exploited, they could

  1. Enable remote code execution resulting in direct risk to patients (especially with devices such as infusion systems, ventilators, anesthesia and X-Ray machines)
  2. Enable threat actors to exfiltrate data (ePHI)
  3. Cause denial of service (DoS), directly affecting the functionality of critical medical devices and other IoT and OT systems essential to clinical workflow

What Medical Devices Are Vulnerable?

The four stacks affected are embedded in operating systems run by an estimated 100 million devices, many of which are medical devices or IoT and OT devices critical to the smooth operation of healthcare organizations. 

Devices running any of the listed operating systems could be vulnerable:

  • Nucleus RTOS (by Siemens)
  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) by ENEA
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)
  • Azure RTOS

Potential specific devices that may be affected:

  • Alaris IV Pumps
  • Siemens radiology devices
  • Mindray anesthesia devices
  • Draeger Ventilator - Evita Infinity V500
  • HemoCue Hematology Analyzer Hb 201 DM
  • Various GE MRI, CT, Ultrasound and surgery systems
  • Philips C-Arms, ultrasound and APC models
  • FujiFilm SonoSite ultrasound models
  • Toshiba MRIs
  • Zoll defibrillators
  • Zonare ultrasound devices 
  • Hamilton T1 transport ventilator
  • Edwards Vigilance II patient monitor
  • Dräger ventilators, incubators, and anesthesia machine
  • Kronos 4500 Time Clocks (employee time and attendance) - Although not critical to clinical operations, they can disrupt HR operations and the general workflow

GE’s ongoing assessment has identified a  preliminary list of healthcare products affected. 

CVE-2016-20009 is the only vulnerability GE healthcare products are potentially affected by.

MRI Machines

  • Signa machines
  • Artist 
  • Discovery
  • Optima
  • Mulan Skylake

CT Machines

  • Discovery
  • Optima
  • Revolution

Surgery Systems

  • Mac-Lab devices

For the full list of affected GE products, as well as information on mitigation measures and available patches, please visit the GE Healthcare Product Security Portal.

Note: These lists will be updated as research on these vulnerabilities and affected devices/OS continues.

Recommendations

Check your inventory to understand which devices may be affected by this set of vulnerabilities. It’s also recommended to keep a close eye on security notifications sent by vendors that address these vulnerabilities. 

How Cynerio Can Help Mitigate the Threat

Cynerio works directly with vendors and our operationally-safe and proactive Zero Trust system constantly monitors networks to identify affected devices. We work with healthcare organizations to easily employ preemptive security practices and help expedite risk mitigation:

  • We flag every device with known vulnerabilities
  • We provide step-by-step mitigation plans
  • We notify you when patches are released 
  • We automatically configure policies tailored to your network and workflows
  • We streamline segmentation implementation across your network and provide the ability to monitor, test, validate, and update policies before they’re enforced so you can be confident about service continuity

Some Other Helpful Resources

https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/

https://www.computerweekly.com/news/252499233/Millions-of-devices-at-risk-from-NAMEWRECK-DNS-bugs

https://www.darkreading.com/vulnerabilities---threats/dns-vulnerabilities-expose-millions-of-internet-connected-devices-to-attack/d/d-id/1340664

https://us-cert.cisa.gov/ics/advisories/icsa-21-103-04 

https://www.gehealthcare.com/security?returnUrl=/productsecurity/vulnerability-detail

If you have any questions or concerns, please don’t hesitate to contact us immediately.


Keep your finger on the pulse of Healthcare IoT security