Security researchers have revealed nine vulnerabilities in four different TCP/IP stacks, which could expose more than 100 million IoT devices to attacks.
The TCP/IP stacks are fertile terrain for vulnerabilities. Researchers often find problems with these stacks, and the fact that they are so widely used only means that the potential impact is often difficult to gauge. Since the definition of IoT devices implies that they are always connected to the Internet, any vulnerability in the stack governing that interaction will likely cause a problem.
This new stack of vulnerabilities identified by Forescout and JSOF Research are severe enough to warrant a name, NAME:WRECK. They affect four popular stacks from FreeBSD, Nucleus NET, IPnet and NetX.
For example, Nucleus NET is part of Nucleus RTOS, an operating system used in hospitals, critical systems in the aviation industry, and numerous automation devices. NetX fills similar market niches, and FreeBSD is present in servers, open-source projects, and much more. All of these total billions of deployed devices. While not all of them are affected, a conservative estimate is that at least one percent is affected, which means around 10 million devices.
“These vulnerabilities relate to Domain Name System (DNS) implementations, causing either Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take target devices offline or to take control over them,” say the researchers. “The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface.”
The disclosure for these vulnerabilities was made after the developer issued patches for the affected systems, but with such a large volume of devices, it will take a long time for the patches to disseminate into the wild. And that’s not even counting the devices that can’t be patched because it depends on other hardware.
The security researchers issued a few possible mitigations, but the best solution would be to patch the systems as soon as possible.