Vulnerabilities in FreeBSD, IPnet and Nucleus NET caused by errors in the implementation of DNS name compression

The research groups Forescout Research Labs and JSOF have published the results of a joint security study of various implementations of the compression scheme used to pack repeated names in DNS, mDNS, DHCP and IPv6 RA messages (packing of duplicate domain parts in messages that carry several names). In the course of the work, 9 vulnerabilities were identified, collectively codenamed NAME:WRECK.

Problems were found in FreeBSD, as well as in the IPnet, Nucleus NET and NetX network stacks shipped with the VxWorks, Nucleus and ThreadX real-time operating systems, which are used in industrial automation, storage devices, medical devices, avionics, printers and consumer electronics. At least 100 million devices are estimated to be affected.

  • The FreeBSD vulnerability (CVE-2020-7461) allows an attacker on the same local network as the victim to achieve code execution by sending a specially crafted DHCP packet; processing it in the vulnerable DHCP client leads to a buffer overflow. The problem is mitigated by the fact that the dhclient process in which the vulnerability resides runs with reduced privileges in an isolated Capsicum sandbox, so escaping it requires another vulnerability.

    The root cause is incorrect validation of parameters in the DHCP server's reply packet carrying DHCP option 119, which allows a "Domain Search" list to be passed to the resolver. The size of the buffer needed to hold the unpacked domain names was computed incorrectly, so attacker-controlled data was written beyond the allocated buffer. In FreeBSD the problem was fixed last September. The problem can only be exploited with access to the local network.

  • A vulnerability in the embedded IPnet network stack used in the VxWorks RTOS potentially allows code execution on the DNS client side due to incorrect handling of DNS message compression. As it turned out, this vulnerability was first
/Media reports.
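Both the FreeBSD dhclient bug and the IPnet DNS bug above come from the same class of mistake: unpacking RFC 1035-style compressed names (length-prefixed labels plus 14-bit back-pointers) without computing the unpacked size up front and without bounding the pointer chase. The following decoder for a DHCP option 119 (Domain Search, RFC 3397) payload is an added example written for this page; it is not FreeBSD's dhclient code nor any vendor's stack. The sample payload is built here following the RFC 3397 example names, the two malicious payloads are constructed, and the hop limit and the `required_buffer_size` helper are choices made for illustration rather than anything mandated by the RFCs.

```python
"""Bounds-checked decoder for a DHCP option 119 (Domain Search) payload.

Option 119 packs a list of domain names using RFC 1035 compression: a name is
a series of length-prefixed labels ending in a zero byte, and any byte with the
top two bits set (0xC0) starts a 14-bit pointer back into the option data.
The decoder accounts for the unpacked size of a name *before* copying each
label, forces pointer targets to strictly decrease so a chase always ends, and
never reads past the option data.
"""

MAX_NAME = 253          # RFC 1035 limit for the dotted form without trailing dot
MAX_POINTER_HOPS = 16   # illustrative cap; a well-formed option needs very few


class MalformedOption(ValueError):
    """Raised for any payload the decoder refuses to unpack."""


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Unpack one compressed name starting at `offset`.

    Returns (name, next_offset), where next_offset is the position right after
    the first pointer or the terminating zero, i.e. where the next name starts.
    """
    labels = []
    unpacked = 0            # bytes the dotted name will occupy so far
    next_offset = None      # fixed when the first pointer is followed
    jump_limit = offset     # every pointer target must be below this
    hops = 0
    pos = offset
    while True:
        if pos >= len(data):
            raise MalformedOption("name runs past end of option data")
        length = data[pos]
        if length & 0xC0 == 0xC0:               # compression pointer
            if pos + 1 >= len(data):
                raise MalformedOption("truncated pointer")
            target = ((length & 0x3F) << 8) | data[pos + 1]
            # Targets must strictly decrease: blocks self-loops and A->B->A cycles.
            if target >= jump_limit:
                raise MalformedOption("pointer does not go strictly backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedOption("too many pointer hops")
            if next_offset is None:
                next_offset = pos + 2
            jump_limit = target
            pos = target
            continue
        if length & 0xC0:                       # 0x40/0x80 label types are reserved
            raise MalformedOption("reserved label type")
        if length == 0:                         # end of name
            if next_offset is None:
                next_offset = pos + 1
            break
        if pos + 1 + length > len(data):
            raise MalformedOption("label runs past end of option data")
        # Size check happens before the copy, so it cannot be outrun by the data.
        unpacked += length + (1 if labels else 0)
        if unpacked > MAX_NAME:
            raise MalformedOption(f"unpacked name exceeds {MAX_NAME} bytes")
        label = data[pos + 1:pos + 1 + length]
        if not label.isascii():
            raise MalformedOption("non-ASCII label")
        labels.append(label.decode("ascii"))
        pos += 1 + length
    return ".".join(labels), next_offset


def decode_search_list(data: bytes) -> list[str]:
    """Unpack every name in the option payload, in order."""
    names, pos = [], 0
    while pos < len(data):
        name, pos = decode_name(data, pos)
        names.append(name)
    return names


def required_buffer_size(names: list[str]) -> int:
    """Bytes needed to store the names space-separated with a NUL terminator.

    The point of the example: size the destination from the *unpacked* names,
    never from the length of the compressed option.
    """
    return sum(len(n) for n in names) + max(len(names) - 1, 0) + 1


def rejects(data: bytes) -> bool:
    """True if the decoder refuses the payload (used by the checks below)."""
    try:
        decode_search_list(data)
    except MalformedOption:
        return True
    return False


# Built here after the RFC 3397 example: "eng.apple.com" then
# "marketing" + pointer to offset 4 ("apple.com").  Constructed, not captured.
SAMPLE_OPTION = (b"\x03eng\x05apple\x03com\x00"
                 b"\x09marketing\xc0\x04")
# Constructed hostile payloads: a pointer cycle and a name that unpacks past MAX_NAME.
LOOPING_OPTION = b"\x03abc\xc0\x00"
OVERSIZED_OPTION = b"".join(b"\x3f" + b"a" * 63 for _ in range(5)) + b"\x00"

if __name__ == "__main__":
    names = decode_search_list(SAMPLE_OPTION)
    print(names, "need", required_buffer_size(names), "bytes")
    print("loop rejected:", rejects(LOOPING_OPTION))
    print("oversize rejected:", rejects(OVERSIZED_OPTION))
```

The two hostile inputs show the difference between the wire size and the unpacked size: the looping payload is 6 bytes but would expand without limit, and the oversized one is 321 bytes on the wire yet must be refused before its fourth label because the dotted form would already exceed 253 bytes.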