Security

NAME:WRECK Vulnerabilities Impact Millions of Smart and Industrial Devices (therecord.media) 21

Catalin Cimpanu, reporting at Record: Security researchers have found a new set of vulnerabilities that impact hundreds of millions of servers, smart devices, and industrial equipment. Called NAME:WRECK, the vulnerabilities have been discovered by enterprise IoT security firm Forescout as part of its internal research program named Project Memoria -- which the company describes as "an initiative that aims at providing the cybersecurity community with the largest study on the security of TCP/IP stacks." Although never visible to end-users, TCP/IP stacks are libraries that vendors add to their firmware to support internet connectivity and other networking functions for their devices. These libraries are very small but, in most cases, underpin the most basic functions of a device, and any vulnerability here exposes users to remote attacks. The NAME:WRECK research is the fifth set of vulnerabilities impacting TCP/IP libraries that have been disclosed over the past three years, and the third set disclosed as part of Project Memoria.
  • by RightwingNutjob ( 1302813 ) on Tuesday April 13, 2021 @01:57PM (#61269666)

    that doesn't need to be plugged into the internet.

    Why people didn't learn this lesson after the 90s is beyond my ability to fully understand without resorting to unflattering assumptions about the people who continue to think they can get away with it.

    • that doesn't need to be plugged into the internet.

      Why people didn't learn this lesson after the 90s is beyond my ability to fully understand without resorting to unflattering assumptions about the people who continue to think they can get away with it.

      Then however will I know if I don't receive a text to my phone when my toast is done? /s

    • There were some solid attempts at this, which never really caught on with the general public, often due to a set of problems.
      1. Home Servers: In the early 2000's Microsoft especially tried to push the idea of a Server for your home, that dealt with a lot of the current IoT crap that is out there. It would download and cache movies, via media center, back up your personal devices, control some local equipment, manage your schedules etc. This would allow a lot of these services to be run without an internet co

      • The problems here aren't so much about home devices, we know those are crap and rushed to market and gullible consumers. But there are industrial and medical devices that do need network connectivity. Often these are private networks, and then you rely upon the IT grunts to keep things secure even though they may be on a tight budget.

      • by sjames ( 1099 )

        Nobody needs a $2000 PC to act as a home server. The computational demand just isn't that high. Devices auto-configure using DHCP. Since a typical home network will be fairly small, devices could find the home server via a periodic broadcast packet.

        Phones do WiFi as well, so no problem using it as the universal remote on a home-based server. Registration could be done by QR code, the same way you enable the web app for WhatsApp or the desktop app for Signal.

        Worst case, connecting to the home server remotely

    • Things that are classified as Internet of Things sorta need to have access to the Internet. This is like saying don't drive on the roads and you won't get into a car wreck.

      Certainly these devices should be behind a firewall and network segmented.

      • Bingo. The problem is classifying things as iot that don't need to be.

        My refrigerator does not need to be iot. There is no reason it should be possible to turn it off from half a continent away.

        My toaster does not need to text me when my toast is ready.

        While the map in my car may require an internet connection, there should be no mechanism that allows packets from afar to cause it to move or stop moving.

      • They could be private networks using the IP protocols. Maybe that stretches the definition of IoT?

    • by gweihir ( 88907 )

      Simple: People are generally stupid and not able to learn from the experiences of others. Otherwise a lot of things would not be connected to the Internet.

  • by aaarrrgggh ( 9205 ) on Tuesday April 13, 2021 @02:13PM (#61269716)

    Apparently a DNS compression attack.

    Not sure if the Espressif controllers are vulnerable, which is where I start to get nervous.

    Key takeaway from the researchers: “DNS Standards are too Complex.”

    • by Entrope ( 68843 )

      The compression feature isn't all that complicated, though. It's basically just a pointer: instead of repeating a name sequence (like foo.example.com) that was already sent, it has the byte offset of that name sequence in the DNS response packet. This can be used, for example, when both a.foo.example.com and b.doo.example.com are mentioned in a reply.

      There are some edge cases to get right, but it's not that hard to avoid buffer overflows with this scheme.
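
The pointer scheme described in the comment above, with the edge-case checks written out, as an added example that is not code from the thread or from any of the affected stacks. The function name `dns_read_name`, the sample packet and the strictly-backwards pointer rule (a stricter policy than some parsers use) are choices made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 12 zeroed header bytes, "a.foo.example.com" at offset 12,
 * "b" + pointer to offset 14 at offset 31, a self-referencing pointer at 35. */
static const uint8_t SAMPLE[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    1,'a', 3,'f','o','o', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    1,'b', 0xC0,14,
    0xC0,35 };

/* Decode the name at msg[off] into out as dotted text.
 * Returns the text length, or -1 if the message is malformed. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_cap)
{
    size_t n = 0, wire = 1;   /* bytes written; encoded size incl. root label */
    size_t limit = off;       /* pointers must target an offset below this */
    for (;;) {
        if (off >= msg_len) return -1;                /* ran off the packet */
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (off + 1 >= msg_len) return -1;        /* second byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= limit) return -1;           /* not strictly backwards */
            off = limit = target;                     /* shrinking limit: no loops */
            continue;
        }
        if (len & 0xC0) return -1;                    /* reserved label types */
        if (len == 0) break;                          /* root label ends the name */
        if (off + 1 + len > msg_len) return -1;       /* label exceeds packet */
        if ((wire += 1 + (size_t)len) > 255) return -1;  /* RFC 1035 name limit */
        if (n + len + 2 > out_cap) return -1;         /* '.' + label + NUL must fit */
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, len);
        n += len;
        off += 1 + (size_t)len;
    }
    if (n >= out_cap) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    int r = dns_read_name(SAMPLE, sizeof SAMPLE, 31, buf, sizeof buf);
    printf("%d %s\n", r, r >= 0 ? buf : "(rejected)");
}
```

Every rejection path returns before any write that could exceed `out_cap`, and the shrinking `limit` bounds the number of pointer hops without a separate hop counter.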

      • by sjames ( 1099 )

        On the other hand, you only save a handful of bytes in a low bandwidth protocol. I'm not sure it's worth it.

    • Espressif uses LwIP for their high level stack. They do provide a binary driver, so there may be some layer 1 & 2 issues, but a DNS issue like this can be fixed quickly if the vulnerability is in LwIP.
    • LwIP doesn't support DNS compression, so it's not vulnerable. Simple is good.

  • by raymorris ( 2726007 ) on Tuesday April 13, 2021 @02:17PM (#61269728) Journal

    If you're using DHCP to assign an IP to a FreeBSD machine, there's a patch you should install.

    Also, if you develop any kind of embedded device, your IP stack may be vulnerable (several are).

  • I've heard PS4's firmware is FreeBSD based. Could this be "the holy grenade" of exploits, granting kernel-level access?!
  • DNS is not part of the TCP/IP stack. DNS is an application protocol that runs over UDP (mostly) and TCP (sometimes).

    A TCP/IP stack vulnerability would be something like the Microsoft IP Flag to "execute payload with NT_AUTHORITY/SYSTEM" that they wrote into their TCP/IP stack a few years ago at the behest of the Three Letter Agencies.

    DNS vulnerabilities are application level problems and have nothing whatsoever to do with the IP stack.
