Unpatched DNS Bug Affects millions of Routers and IoT Devices
A vulnerability in the domain name system (DNS) component of a popular C standard library, one shipped in a wide range of IoT products, may put millions of devices at risk of DNS poisoning attacks.
A threat actor can use DNS poisoning (also called DNS spoofing) to redirect a victim to a malicious website hosted on a server the attacker controls instead of the legitimate destination.
The affected library is uClibc, together with its fork maintained by the OpenWRT team, uClibc-ng. Both variants are widely used by major vendors such as Netgear, Axis, and Linksys, as well as by Linux distributions aimed at embedded applications.
According to researchers at Nozomi Networks, a fix is not currently available from the developer of uClibc, leaving products of up to 200 vendors at risk.
The uClibc library is a C standard library for embedded systems that provides the functions and configuration facilities such devices need.
The DNS implementation in that library provides a mechanism for performing DNS-related requests like lookups, translating domain names to IP addresses, etc.
Nozomi reviewed the trace of DNS requests performed by a connected device using the uClibc library and found some peculiarities caused by an internal lookup function.
After investigating further, the analysts discovered that the DNS lookup request’s transaction ID was predictable. Because of this, DNS poisoning might be possible under certain circumstances.
If the operating system doesn't use source port randomization, or if it does but the attacker is still capable of brute-forcing the 16-bit source port value, a specially crafted DNS response sent to devices using uClibc could trigger a DNS poisoning attack.
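As an added illustration of the two conditions described above (this is example code written for this article, not code from Nozomi Networks or the uClibc project), the following Python runs over constructed DNS query traces and flags a client whose transaction IDs advance by a constant step and whose UDP source port never changes, the combination that leaves an off-path spoofer with nothing left to guess:

```python
import struct
from typing import Dict, List, Tuple

def build_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal A-record DNS query (12-byte header + question) with a chosen ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, RD flag, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

# Constructed traces of (UDP source port, raw DNS query) as a sniffer on the LAN would see them.
# The first mimics the behaviour described in the article: IDs that simply increment, same port.
VULNERABLE_TRACE: List[Tuple[int, bytes]] = [
    (1025, build_query(t)) for t in (0x0001, 0x0002, 0x0003, 0x0004, 0x0005)
]
# The second is what a client with random IDs and randomized source ports looks like.
HARDENED_TRACE: List[Tuple[int, bytes]] = [
    (53912, build_query(0x8F2A)), (60117, build_query(0x1C44)),
    (49201, build_query(0xD317)), (58330, build_query(0x6B09)),
]

def parse_txid(dns_payload: bytes) -> int:
    """Return the 16-bit transaction ID, the first field of the DNS header."""
    if len(dns_payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", dns_payload[:2])[0]

def assess_trace(trace: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Flag a resolver client whose query IDs and/or source ports are guessable."""
    txids = [parse_txid(payload) for _, payload in trace]
    ports = [port for port, _ in trace]
    # One constant delta across consecutive IDs (e.g. +1) means the next ID is predictable.
    deltas = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    predictable_txid = len(txids) >= 3 and len(deltas) == 1
    fixed_source_port = len(set(ports)) == 1
    # Bits an off-path spoofer must guess: 16 for the ID plus 16 for the port when both are random.
    guess_bits = (0 if predictable_txid else 16) + (0 if fixed_source_port else 16)
    return {
        "predictable_txid": predictable_txid,
        "fixed_source_port": fixed_source_port,
        "guess_bits": guess_bits,
    }

if __name__ == "__main__":
    for label, trace in (("vulnerable", VULNERABLE_TRACE), ("hardened", HARDENED_TRACE)):
        print(label, assess_trace(trace))
```

Pointing the same check at a packet capture from a real device (one DNS query per line, after extracting the UDP source port and payload) gives a quick way to tell whether a given firmware build still exhibits the weakness.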
DNS poisoning essentially tricks the target device into resolving a name to an endpoint of the attacker's choosing and then communicating with it.
By doing that, the attacker would be able to reroute the traffic to a server under their direct control.
“The attacker could then steal or manipulate information transmitted by users and perform other attacks against those devices to completely compromise them. The main issue here is how DNS poisoning attacks can force an authenticated response,” – Nozomi Networks