The National Cyber Security Centre SK-CERT (hereinafter referred to as SK-CERT) warns against nine vulnerabilities in DNS implementations that allow attackers to render the service unavailable (DoS) and to execute any code.
Vulnerabilities reported as NAME:WRECK, can be found:
- in popular open-source operating system FreeBSD, which is used, for example, for high-performance servers in millions of networks and is also used for well-known open-source projects, such as firewalls and also in commercial devices;
- in the implementation of Nucleus NET real-time operating system Nucleus RTOS, mainly used in IoT and OT devices. Nucleus NET has more than 3 billion installations on medical devices, aerospace systems and in smart building solutions;
- in the implementation of NetX real-time operating system ThreadX RTOS, which is usually used in medical devices, various types of printers and also in industrial systems, implemented mainly in the field of energy.
Forescout Research Labs disclosed vulnerabilities in their study. This study contains complete information on vulnerabilities and how they are exploited.
Operating systems and software in which these vulnerabilities have emerged are widely used worldwide, increasing the attackers’ abilities for both automated and targeted attacks. Forescout estimates that at least 100 million devices may be impacted.
In many cases, NAME:WRECK vulnerabilities will be very difficult to fix because IoT devices are often deeply integrated into organisational systems, difficult to manage and almost impossible to update (for example due to the fact that no update is possible on these devices from the factory). In these cases, the only solution is to take thoroughly secondary measures issued by SK-CERT.
To mitigate the vulnerabilities, SK-CERT recommends to take primary and secondary measures:
- Primary measures
- Identify the devices on which the mentioned operating systems are running. Forescut has created an open-source script to detect such devices
- Update immediately affected operating systems to the latest version in all devices on which they are running and where possible
- Secondary measures
- Apply a thorough network segmentation, isolate vulnerable devices until they can be patched and restrict network communication for these devices with external environment
- The device manufacturers themselves are gradually releasing updates to affected devices. Monitor manufacturers’ activities, and as soon as the updates are released, apply them immediately
- Configure your devices to use internal DNS of the organization and monitor DNS traffic for suspicious behaviour
- Monitor network traffic and focus on a non-standard communication and malicious activities aimed at exploiting known vulnerabilities and possible 0-day vulnerabilities targeting DNS, mDNS and DHCP clients.
In any case, both primary and secondary measures need to be taken, as taking only primary or only secondary measures will not solve the vulnerability issue.
« Späť na zoznam