Routers, Network Cameras from Netgear, Linksys and others affected by DNS poisoning bug


Connected routers and devices, including network cameras from companies such as Netgear, Linksys and Axis, as well as devices using Linux distributions like Embedded Gentoo, were found to be affected by a Domain Name System (DNS) poisoning vulnerability that exists in two common libraries used for connected devices. The exact models affected by the vulnerability have not been disclosed by the researchers who discovered it because the vulnerability remains unpatched. However, the vulnerable libraries are already in use by a large number of vendors, including several well-known Internet of Things (IoT) and router manufacturers.

Researchers at IT security firm Nozomi Networks say that the DNS implementations of all versions of the uClibc and uClibc-ng libraries carry a DNS poisoning bug that attackers can exploit to redirect users to malicious servers and steal information shared across affected devices. The issue was first discovered last year and was disclosed to over 200 vendors in January.

While uClibc has been used by vendors including Netgear, Linksys and Axis and is part of Linux distributions like Embedded Gentoo, uClibc-ng is a fork designed for OpenWRT, a popular open-source operating system for routers. This shows the wide scope of the vulnerability, which could affect a large number of users around the world.

The vulnerability in both libraries allows an attacker to predict a parameter called the transaction ID, which is usually a unique number generated for each request made by the client to protect communication through DNS.

Under normal circumstances, if the transaction ID in a response is missing or different from the one generated on the client side, the system will discard the response. However, because the vulnerability makes the transaction ID predictable, an attacker who can predict the next number can spoof the legitimate DNS response and redirect requests to a spoofed Web server or a scam website.
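An added example, not from the article or from Nozomi Networks: a Python check a device owner could run over DNS queries captured from their own device, to see whether the transaction ID or the UDP source port advances by a repeating step. The constant-step test, the 0.5 threshold and the sample captures are assumptions constructed for illustration; the article does not describe the actual pattern.

```python
import struct
from collections import Counter

def make_query(txid: int, name: str) -> bytes:
    """Build a minimal DNS A query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def query_txid(payload: bytes) -> int:
    """Return the transaction ID of a DNS query; reject short packets and responses."""
    if len(payload) < 12:  # a DNS header is 12 bytes
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    return txid

def dominant_step(values):
    """Most common difference (mod 2**16) between consecutive values, and its share."""
    if len(values) < 3:
        raise ValueError("need at least 3 samples")
    steps = [(b - a) & 0xFFFF for a, b in zip(values, values[1:])]
    step, hits = Counter(steps).most_common(1)[0]
    return step, hits / len(steps)

def audit(samples, threshold=0.5):
    """samples: ordered (source_port, dns_payload) pairs from one client.
    Flags a field when one step explains at least `threshold` of the transitions.
    Passing this check does not prove the values are random."""
    ports = [port for port, _ in samples]
    txids = [query_txid(payload) for _, payload in samples]
    report = {}
    for field, values in (("txid", txids), ("source_port", ports)):
        step, share = dominant_step(values)
        report[field] = {"step": step, "share": share, "predictable": share >= threshold}
    return report

# Constructed captures: device A steps its ID by one (wrapping past 0xFFFF)
# from a fixed port; device B shows no repeating step in either field.
DEVICE_A = [(40000, make_query((0xFFFD + i) & 0xFFFF, "example.com")) for i in range(6)]
DEVICE_B = [(p, make_query(t, "example.com")) for p, t in
            [(51234, 0x3A1C), (40211, 0xE907), (61002, 0x11B4),
             (33987, 0x9C60), (58110, 0x4F2E), (47003, 0xD5A9)]]

if __name__ == "__main__":
    for name, capture in (("A", DEVICE_A), ("B", DEVICE_B)):
        print(name, audit(capture))
```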

The researchers also note that DNS poisoning attacks allow attackers to initiate further Man-in-the-Middle attacks that can help them steal or manipulate information that people transmit, or even compromise devices carrying the vulnerable libraries.

“Because this vulnerability has yet to be patched, for the safety of the community, we cannot disclose the specific devices we have tested. However, we can disclose that they are a single device. A series of well-known IoT devices running the latest firmware version are highly likely to be deployed across all critical infrastructures,” said Andrea Palanca, a security researcher at Nozomi Networks.

The uClibc-ng maintainer wrote in an open forum that they were unable to fix the problem on their end. Likewise, uClibc has not received an update since 2010, according to the details available on the download page of the library, as noted by Ars Technica.

However, equipment vendors are currently working to assess the problem and its impact.

Netgear issued a statement acknowledging the impact of the vulnerability on its devices.

“Netgear is aware of an industry-wide disclosure of security vulnerabilities in the uClibc and uClibc-ng embedded C libraries affecting a number of products. Netgear is evaluating which products are affected. All Netgear products randomly use the source port, and we’re not currently aware of the company indicating any specific exploits that could be used against the affected products.”

The company also said that it will continue to investigate the issue and, if a fix becomes available in the future, will assess whether the fix is applicable to affected Netgear products.

Gadgets 360 has also reached out to vendors including Linksys and Axis for their comments on the vulnerability and will update this article as they respond.



