Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/29/2021
05:55 PM
50%
50%

Researchers Connect Complex Specs to Software Vulnerabilities

Following their release of 70 different vulnerabilities in different implementations of TCP/IP stacks over the past year, two companies find a common link.

Six common mistakes in implementing network software led to scores of vulnerabilities, highlighting the impact that complex design requirements and ambiguous specifications can have on software security, according to two security researchers who plan to talk about at next week's Black Hat Asia conference. 

Daniel dos Santos, research manager at network security firm Forescout, and Shlomi Oberman, CEO of security consultancy JSOF, will discuss their teams' collaborative work on defining six anti-patterns, or common software mistakes, that have led to vulnerabilities in a variety of TCP/IP stacks. The two companies have disclosed a litany of vulnerabilities over the past year, many of them caused by one of the six anti-patterns.

Related Content:

DNS Vulnerabilities Expose Millions of Internet-Connected Devices to Attack

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10K Hackers Defend the Planet Against Extraterrestrials

Ambiguity and complexity in the DNS protocol has caused the issues, dos Santos says.

"Because of the complexity of the DNS specification, vulnerability types that we have known about for 20 years are appearing in implementations of network stacks," he says. "The more complex the software or protocol gets, the more difficult the protocol is to implement, so we need to make them as least complex as possible, which is not always possible."

Earlier this month, Forescout and JSOF disclosed nine vulnerabilities that affected four different TCP/IP stacks and could affect hundreds of millions of Internet of Things (IoT) and network devices. The vulnerabilities, dubbed "NAME:WRECK" by the companies, are the latest disclosures coming from their research into the vendor implementations that handle domain-name system (DNS) traffic. Their research, dubbed Project Memoria, also includes "Ripple20," a set of 19 vulnerabilities that affected the Treck TCP/IP stack, among others; "AMNESIA:33," a set of 33 vulnerabilities affecting four different open source TCP/IP stacks; and "NUMBER:JACK," a set of nine vulnerabilities affecting implementations of initial sequence numbers (ISN).

The companies evaluated 15 different networking software implementations, often called a "stack," and found seven had vulnerabilities due to errors in implementing a specific DNS feature. 

"In Project Memoria, we learned that often the same mistake—anti-pattern—leads to similar vulnerabilities in different stacks," the researchers stated in a technical report published earlier this month. "We urge developers of TCP/IP stacks that have—yet—been analyzed to take the anti-patterns ... [and] check their code for the presence of bugs and fix them."

The latest set of vulnerabilities occur in how different vendors implemented a DNS feature known as message compression. Because DNS responses often include the name of the specific domain several times, message compression allows software implementations to reduce the size of the DNS messages.

The researchers' discussion at Black Hat Asia will focus on how complexity in the specification — specifically, the technical details to implement message compression — has led to a variety of different vulnerabilities. In one case, one word — "may" versus "must" — resulted in different security issues due to a single anti-pattern. 

"It is noteworthy that when a stack has a vulnerable DNS client, there are often several vulnerabilities together, but the message compression anti-pattern stands out because it commonly leads to potential [remote code execution], as it is often associated with pointer manipulation and memory operations," according to the report.

As part of their research, the companies have released a technical report that discuss the six DNS anti-patterns, an open source script to identify vulnerable devices in the network, a set of queries to search for vulnerable network devices, and an amended request for comment (RFC) draft that contains more information for developers on how to avoid certain implementation mistakes. 

"This research is further proof that DNS protocol complexity leads to several vulnerable implementations and that the community should act to fix a problem that we believe is more widespread of what we currently know," the companies stated in their report.

While the vulnerabilities have been disclosed and affected vendors have issued patches for the issues, dos Santos worries that patching will not happen swiftly.

"This type of research really highlights that there is a supply chain issue with IoT devices. Any vulnerability patched by a vendor still has to be deployed to the software," he says. "But patching is difficult. Each device in your network may be vulnerable. Each probably has a different procedure to patch, and you have to take them offline."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20505
PUBLISHED: 2021-07-29
The PowerVM Logical Partition Mobility(LPM) (PowerVM Hypervisor FW920, FW930, FW940, and FW950) encryption key exchange protocol can be compromised. If an attacker has the ability to capture encrypted LPM network traffic and is able to gain service access to the FSP they can use this information to...
CVE-2020-36239
PUBLISHED: 2021-07-29
Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 e...
CVE-2021-37578
PUBLISHED: 2021-07-29
Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malic...
CVE-2021-23416
PUBLISHED: 2021-07-28
This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input.
CVE-2021-23417
PUBLISHED: 2021-07-28
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.