At Least 100 Million Devices Affected by "NAME:WRECK" DNS Flaws in TCP/IP Stacks

Popular TCP/IP stacks are affected by a series of Domain Name System (DNS) vulnerabilities that could be exploited to take control of impacted devices, researchers with IoT security firm Forescout reveal.


Collectively called NAME:WRECK and identified in the DNS implementations of FreeBSD, Nucleus NET, IPnet, and NetX, the flaws could also be abused to perform denial of service (DoS) attacks, to execute code remotely, or take devices offline.


The bugs were identified as part of Project Memoria, a research initiative aimed at improving the overall security of IoT devices and which has already resulted in the finding of more than 40 issues in popular TCP/IP stacks, critical components providing basic network connectivity for a wide range of devices.


Collectively referred to as AMNESIA:33 (33 bugs in four open source TCP/IP stacks) and NUMBER:JACK (nine flaws in as many stacks), the issues previously brought to light as part of Project Amnesia are as severe as the Ripple20 and URGENT/11 bugs that were detailed over the past two years.


ThreadX, FreeBSD and Siemens’ Nucleus NET are estimated to have a deployment base of roughly 10 billion devices, yet not all of them are affected. However, the researchers point out that, should only 1% of these devices be vulnerable, their number would still be above 100 million.


“The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased atta ..