Unfixed DNS bug affects millions of routers and IoT devices

A vulnerability in the Domain Name System (DNS) component of a popular C standard library that is present in a wide range of IoT products can put millions of devices at risk of a DNS poisoning attack.

With DNS poisoning (also called DNS spoofing), an attacker answers a victim's name lookup with an IP address they control, so the victim connects to the attacker's server instead of the legitimate one.

The affected code is in the uClibc library and in uClibc-ng, the fork maintained for OpenWRT. Both variants are widely used by major vendors such as Netgear, Axis, and Linksys, as well as by Linux distributions aimed at embedded applications.

According to Nozomi Networks researchers, no patch is currently available from the developer of uClibc, which leaves products from up to 200 vendors at risk.

Vulnerability details

The uClibc library is a standard C library for embedded systems: it provides the basic functions that firmware and embedded applications rely on, including networking.

The DNS implementation in this library provides a mechanism to perform DNS-related queries, such as lookups, translation of domain names to IP addresses, and so on.

Nozomi examined the DNS requests made by a connected device that uses the uClibc library and noticed peculiarities caused by an internal lookup function.

On further investigation, the analysts found that the transaction ID of each DNS lookup request was predictable: it was incremented by a fixed step from one request to the next rather than chosen at random. Because the transaction ID is one of the two values a client uses to match a response to its query, this makes DNS poisoning possible under certain circumstances.

[Figure: DNS lookup functions in uClibc (Nozomi)]

Implications of defects

If the operating system does not randomize the UDP source port, or if it does but the attacker is still able to brute-force the 16-bit source port value, a specially crafted DNS response sent to a device using uClibc will be accepted as the answer to a pending query, which is a DNS poisoning attack.
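The following is an added example, not code from Nozomi Networks or from uClibc, that models the two checks a stub resolver performs on an incoming reply (transaction ID and UDP destination port) and measures how often a forged response is accepted under each combination of ID scheme and port policy. The packet layout follows RFC 1035; the resolver, the attacker, the hostnames and the fixed port 1234 are constructed for the illustration, and the "incremental" mode assumes an ID that simply advances by one per query, which is the weakness described above.

```python
"""Toy model of DNS reply validation: predictable transaction IDs vs. source-port randomization."""
import random
import struct

VICTIM_NAME = "update.vendor.example"   # constructed name the device looks up
ATTACKER_IP = "203.0.113.7"             # constructed (TEST-NET-3) address the attacker wants returned


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Standard recursive A query: header + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, ipv4: str) -> bytes:
    """Answer 'name A ipv4' carrying the given transaction ID (what an attacker forges)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # pointer to offset 12
    return header + question + answer


def parse_header(pkt: bytes):
    """Return (txid, flags, qdcount, ancount) from a DNS header."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return txid, flags, qd, an


class StubResolver:
    """Client model. txid_mode: 'incremental' (the weak scheme) or 'random'.
    port_mode: 'fixed' or 'random' (what the OS does with the UDP source port)."""

    def __init__(self, txid_mode: str, port_mode: str, rng: random.Random):
        self.txid_mode, self.port_mode, self.rng = txid_mode, port_mode, rng
        self.next_txid = rng.randrange(0x10000)  # starting point for incremental mode
        self.fixed_port = 1234                   # constructed fixed source port
        self.pending = None                      # (txid, port, name) of the outstanding query

    def send(self, name: str):
        if self.txid_mode == "incremental":
            txid, self.next_txid = self.next_txid, (self.next_txid + 1) & 0xFFFF
        else:
            txid = self.rng.randrange(0x10000)
        port = self.fixed_port if self.port_mode == "fixed" else self.rng.randrange(1024, 0x10000)
        self.pending = (txid, port, name)
        return build_query(txid, name), port

    def accept(self, pkt: bytes, dst_port: int) -> bool:
        """Accept a reply only if it hits the pending port and txid and repeats the question."""
        if self.pending is None:
            return False
        txid, flags, _qd, an = parse_header(pkt)
        ptxid, pport, pname = self.pending
        if dst_port != pport or txid != ptxid or not flags & 0x8000 or an < 1:
            return False
        question = encode_name(pname) + struct.pack("!HH", 1, 1)
        return pkt[12:12 + len(question)] == question


def poison_success_rate(txid_mode: str, port_mode: str, guesses: int = 64,
                        trials: int = 200, seed: int = 1) -> float:
    """Fraction of trials in which an off-path attacker gets a forged reply accepted.
    The attacker first observes one earlier query (txid and port), then races
    `guesses` forged replies against the victim's next lookup."""
    resolver = StubResolver(txid_mode, port_mode, random.Random(seed))
    attacker = random.Random(seed + 1)
    hits = 0
    for _ in range(trials):
        _, obs_port = resolver.send("attacker-triggered.example")  # constructed observed query
        obs_txid = resolver.pending[0]
        resolver.send(VICTIM_NAME)                                  # the lookup being attacked
        for _ in range(guesses):
            txid_guess = (obs_txid + 1) & 0xFFFF if txid_mode == "incremental" \
                else attacker.randrange(0x10000)
            port_guess = obs_port if port_mode == "fixed" else attacker.randrange(1024, 0x10000)
            if resolver.accept(build_response(txid_guess, VICTIM_NAME, ATTACKER_IP), port_guess):
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    for t in ("incremental", "random"):
        for p in ("fixed", "random"):
            print(f"txid={t:12s} port={p:7s} success={poison_success_rate(t, p):.3f}")
```

With a predictable ID and a fixed port the forged reply is accepted every time; randomizing only the port leaves a 16-bit search the attacker can still brute-force with enough packets, while random IDs on random ports give 32 bits of entropy per query. The model also shows why the fix belongs in the library: the port policy is the OS's, but the transaction ID is chosen by uClibc.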

DNS poisoning essentially tricks the target device into resolving a name to an endpoint of the attacker's choosing and then communicating with it.

In this way the attacker can redirect the device's traffic to a server under their direct control.

“The attacker could then steal or manipulate the information submitted by users and perform other attacks against these devices to completely compromise them. The main issue here is how DNS poisoning attacks can force an authenticated response,” – Nozomi Networks

Mitigation and repair

Nozomi discovered the flaw in September 2021 and notified CISA. In December it reported the issue to the CERT Coordination Center, and in January 2022 it disclosed the vulnerability to more than 200 potentially affected vendors.

As mentioned above, there is currently no fix available for the flaw, which is tracked as CVE-2022-30295.

Currently, all stakeholders are coordinating to develop a viable patch and the community should play a central role in this, as this was precisely the purpose of the disclosure.

Because the affected vendors will have to ship a fixed uClibc build in their firmware updates, it will take some time for the fix to reach end users.

Even then, end users will need to apply firmware updates to their devices, which is another bottleneck that delays fixing critical security flaws.

“Because this vulnerability remains unpatched, for the safety of the community, we cannot disclose the specific devices we tested on,” Nozomi says.

“We can, however, reveal that it was a range of well-known IoT devices running the latest firmware versions with a high chance of being deployed in all critical infrastructures.”

Users of IoT devices and routers should keep an eye out for new firmware releases from vendors and apply the latest updates as they become available.
