Wrecking crew wreaks havoc

Editorial Type: News Date: 2021-04-19 Tags: Security, DNS, IoT, Bad Actors, Patching, IP Stacks, Forescout
New DNS vulnerabilities could hit millions of devices

Forescout Research Labs, in partnership with JSOF, has disclosed a new set of DNS vulnerabilities, dubbed NAME:WRECK.

The vulnerabilities affect four popular TCP/IP stacks – namely FreeBSD, IPnet, Nucleus NET and NetX – which are commonly present in well-known IT software and popular IoT/OT firmware, and have the potential to impact millions of IoT devices around the world.

FreeBSD is used for high-performance servers in millions of IT networks, including major web destinations such as Netflix and Yahoo. Meanwhile, IoT/OT firmware such as Siemens’ Nucleus NET has been used for decades in critical OT and IoT devices.

The NAME:WRECK vulnerabilities potentially impact organisations across all sectors, including government, enterprise, healthcare, manufacturing and retail. In the UK, more than 36,000* devices are believed to be affected. Bad actors who exploit the vulnerabilities can take target devices offline or assume control of their operations.

“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption,” explains Daniel dos Santos, research manager, Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP Stacks.”

Some hypothetical, but entirely plausible, scenarios of what bad actors could do, posited by Forescout, include:

  • Exposing government or enterprise servers, by accessing sensitive data, such as financial records, intellectual property or employee/customer information
  • Compromising hospitals, by connecting to medical devices to obtain healthcare data, taking them offline and preventing healthcare delivery
  • Impacting manufacturing, by obtaining access to factory/plant networks to tamper with production lines
  • Shutting down retailers, by switching off lights connected to their building automation controllers.

Bad actors could also tap into the critical building functions of residential and commercial spaces, including major hotel chains, to endanger the safety of residents, the company adds. This could include:

  • Tampering with heating, ventilation and air conditioning systems
  • Disabling critical security systems, such as alarms and door locks
  • Shutting down automated lighting systems.

“Unless urgent action is taken to adequately protect networks and the devices connected to them,” warns dos Santos, “it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”