Why You Shouldn’t Take A Rain Cheque on NAME:WRECK Patch
Forescout Research Labs, partnering with JSOF Research, reported a newly disclosed set of vulnerabilities known collectively as “NAME:WRECK”. Estimated to affect over 100 million devices, they affect four widely used TCP/IP stacks, FreeBSD, IPnet, Nucleus NET and NetX, so all industry sectors are expected to be at risk following the disclosure of NAME:WRECK.
These TCP/IP stacks are used in popular software and applications; for instance, FreeBSD is used by giants like Netflix, WhatsApp and Apple. These applications are used by the majority of people all over the world, meaning NAME:WRECK has the potential to enable a large-scale attack.
Daniel Dos Santos, Research Manager at Forescout Research Labs, has advised organisations to update devices running on the affected IP stacks to the latest patch released. Security patches for FreeBSD, Nucleus NET and NetX have been released following the disclosure.
Who is affected?
Nucleus RTOS, which runs on Nucleus NET, is deployed in more than 3 billion devices, which include healthcare products such as ZOLL devices and critical systems such as Garmin avionics navigation. NetX, run by ThreadX, has listed wearable fitness product brands such as HTC, Welch Allyn (wearable wireless monitors used in the medical field) and the NASA Mars Reconnaissance Orbiter as organisations using their OS. In their 2017 press release, ThreadX reported a deployment of more than 6 billion devices, including more than 3 billion mobile phones and more than 1 billion consumer electronics. In conclusion, the NAME:WRECK vulnerabilities have impacted many different industry sectors, from commercial, healthcare and retail to government organisations.
The Potential Impact
In a scenario where malicious actors successfully exploit the vulnerabilities in a Denial of Service (DoS) or Remote Code Execution (RCE) attack, they could take control of operations or take devices offline. Other possible scenarios include data breaches in government organisations and hospitals. Sensitive government, business and medical data could be compromised or altered to disrupt daily operational activities. Building functions could also be tampered with, endangering the safety of residents.
The main measure recommended by Forescout Research Labs is to patch the devices affected by NAME:WRECK; however, patching may be a challenge depending on whether the device is a standard IT device or an IoT device. In addition, Forescout Research Labs released a series of recommended mitigation measures:
- Organisations should discover and inventory devices running on affected stacks.
  - Forescout has published an open-source script that uses active fingerprinting to identify affected stacks.
  - The script will be updated continually in line with their ongoing research.
- Users should implement segmentation controls and improve network hygiene.
  - Vulnerable devices that cannot be patched should be isolated and their external communication paths restricted.
- Monitor progressively for new patches.
  - Map out a remediation plan for the affected device inventory, taking business continuity requirements into account.
- Configure affected devices to use internal DNS servers.
  - Monitor external DNS traffic, as successful exploitation requires a malicious DNS server to reply with malicious packets.
- Closely scrutinise all network traffic.
  - Monitor network traffic for malicious packets attempting to exploit known vulnerabilities or zero-days affecting DNS, mDNS and DHCP clients.
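The two DNS-related measures above (internal resolvers only, and watching for external DNS traffic) can be checked from ordinary flow logs. The script below is an added example, not code from Forescout or the article: it assumes a hypothetical flow-record format and a constructed device inventory, and flags any DNS flow from an inventoried device to a resolver outside the internal allowlist.

```python
import re
from collections import Counter

# Constructed sample flow records (hypothetical format, not from the article).
SAMPLE_FLOWS = """\
2021-04-13T10:02:11Z src=10.0.5.12 dst=10.0.0.53 dport=53 proto=udp
2021-04-13T10:02:12Z src=10.0.5.12 dst=198.51.100.7 dport=53 proto=udp
2021-04-13T10:02:13Z src=10.0.5.40 dst=10.0.0.53 dport=53 proto=udp
2021-04-13T10:02:14Z src=10.0.5.40 dst=203.0.113.9 dport=53 proto=tcp
2021-04-13T10:02:15Z src=10.0.7.2 dst=203.0.113.9 dport=53 proto=udp
2021-04-13T10:02:16Z src=10.0.5.12 dst=198.51.100.7 dport=443 proto=tcp
"""

# Constructed inventory: devices the fingerprinting step identified as running
# an affected stack (hypothetical addresses and labels).
AFFECTED_DEVICES = {"10.0.5.12": "Nucleus NET", "10.0.5.40": "NetX"}

# Internal resolvers the affected devices are supposed to use (hypothetical).
INTERNAL_RESOLVERS = {"10.0.0.53"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_external_dns(flows, affected=AFFECTED_DEVICES, resolvers=INTERNAL_RESOLVERS):
    """Return {(src, stack, dst): count} for DNS flows (UDP or TCP port 53)
    from an inventoried device to a resolver not on the internal allowlist."""
    hits = Counter()
    for line in flows.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dport"] != 53:
            continue
        if rec["src"] in affected and rec["dst"] not in resolvers:
            hits[(rec["src"], affected[rec["src"]], rec["dst"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, stack, dst), n in find_external_dns(SAMPLE_FLOWS).items():
        print(f"{src} ({stack}) sent {n} DNS flow(s) to external resolver {dst}")
```

Devices outside the inventory (10.0.7.2 in the sample) are deliberately not reported here, since the measure targets the affected inventory; widen the filter if you want every host held to the internal-resolver rule.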
NAME:WRECK has a huge potential for “wrecking” many different industry sectors, affecting the lives of almost the entire human population, as the name suggests. It is vital that organisations stay vigilant and up to date. The Internet of Things (IoT) has connected billions of devices, transmitting data, improving the lives of many and connecting all of us together; however, that also means cybercriminals could now cause a large-scale attack more easily. Hence, it is of utmost importance that we pay attention to updating software, stacks, applications and so on, and we can all start by not taking a rain cheque on NAME:WRECK.