A set of vulnerabilities in TCP/IP stacks used by FreeBSD and three popular real-time operating systems designed for the IoT was revealed this week by security vendor Forescout and JSOF Research. The nine vulnerabilities could potentially affect 100 million devices in the wild.
Nucleus NET, IPNet and NetX are the other operating systems affected by the vulnerabilities, which a joint report issued by Forescout and JSOF dubbed Name:Wreck.
In a report on the vulnerabilities, Forescout writes that TCP/IP stacks are particularly vulnerable for several reasons, including widespread use, the fact that many such stacks were created a long time ago, and the fact that they make an attractive attack surface, thanks to unauthenticated functionality and protocols that cross network perimeters.
The Domain Name System suffers from much the same issues, which are exploitable in the case of the Name:Wreck vulnerabilities.
“DNS is a complex protocol that tends to yield vulnerable implementations, and these vulnerabilities can often be leveraged by external attackers to take control of millions of devices simultaneously,” the report said.