October 2, 2022

Routers and connected devices including network cameras from companies including Netgear, Linksys, and Axis as well as the ones using Linux distributions such as Embedded Gentoo are found to be affected by a domain name system (DNS) poisoning flaw that exists in two popular libraries used for connected devices. Exact models impacted by the vulnerability are not revealed by the researchers who have discovered its existence since the loophole is yet to be patched. However, the vulnerable libraries have been used by a large number of vendors, including some of the renowned router and Internet of Things (IoT) device makers.

The researchers at IT security firm Nozomi Networks said that the DNS implementation of all versions of libraries uClibc and uClibc-ng carried the DNS poisoning flaw that an attacker can exploit to redirect users to malicious servers and steal the information shared through the affected devices. The issue was first discovered last year and was disclosed to over 200 vendors in January.

While uClibc has been used by vendors including Netgear, Linksys, and Axis and is a part of Linux distributions such as Embedded Gentoo, uClibc-ng is a fork that is design for OpenWRT — the popular open-source operating system for routers. This shows the extensive scope of the flaw that could impact a large number of users around the world.

The vulnerability in both libraries enables attackers to predict a parameter called transaction ID that is normally a unique number per request generated by the client to protect communication through DNS.

In a normal situation, if the transaction ID is not available or is different from what has been generated at the client side, the system discards the response. However, since the vulnerability brings predictability of the transaction ID, an attacker can predict the number to eventually spoof the legitimate DNS and redirect requests towards a fake Web server or a phishing website.

The researchers also noted that DNS poisoning attacks also enable attackers to initiate subsequent Man-in-the-Middle attacks that could help them steal or manipulate information transmitted by users or even compromise the devices carrying the vulnerable libraries.

“Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure,” said Andrea Palanca, a security researcher at Nozomi Networks.

The maintainer of uClibc-ng wrote in an open forum that they were not able to fix the issue at their end. Similarly, uClibc has not received an update since 2010, as per the details available on the downloads page of the library, as noticed by Ars Technica.

However, device vendors are currently working on evaluating the issue and its impact.

Netgear issued a statement to acknowledge the impact of the vulnerability on its devices.

“Netgear is aware of the disclosure of an industry-wide security vulnerability in the uClibc and uClibc-ng embedded C libraries affecting some products. Netgear is assessing which products are affected. All Netgear products use source port randomisation and we are not currently aware of any specific exploit that could be used against the affected products,” the company said.

It also assured that it would continue to investigate the issue, and, if a fix would become available in the future, would evaluate whether the fix is applicable for the affected Netgear products.

Gadgets 360 has also reached out to vendors including Linksys and Axis to get their comments on the flaw and will update this article when they respond.