Unpatched DNS bug affects millions of routers and IoT devices


A vulnerability in the Domain Name System (DNS) component of a popular C standard library that is present in a wide range of IoT products may put millions of devices at risk of DNS poisoning attacks.

A threat actor can use DNS poisoning or DNS spoofing to redirect the victim to a malicious website hosted on an IP address on an attacker-controlled server instead of the legitimate location.

The flaw affects the uClibc library and its fork from the OpenWRT team, uClibc-ng. Both variants are widely used by major vendors such as Netgear, Axis, and Linksys, as well as by Linux distributions intended for embedded applications.

According to Nozomi Networks researchers, there is currently no fix available from the uClibc developer, leaving products from up to 200 vendors at risk.

Vulnerability details

The uClibc library is a standard C library for embedded systems that provides various resources needed for functions and configuration modes on these devices.

The DNS implementation in that library provides a mechanism to perform DNS-related requests, such as lookups, translation of domain names to IP addresses, etc.

Nozomi reviewed a trace of DNS requests made by a connected device using the uClibc library and noticed some oddities caused by an internal lookup function.

After further investigation, the analysts found that the transaction ID of the DNS lookup request was predictable. Because of this, DNS poisoning can be possible under certain circumstances.

DNS4s lookup function on uClibc (Nozomi)

Impact of the flaw

If the operating system does not use source port randomization, or if it does but the attacker is still able to brute-force the 16-bit source port value, a specially crafted DNS response sent to a device using uClibc could trigger a DNS poisoning attack.
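The two conditions above (a predictable transaction ID and a fixed or guessable UDP source port) are exactly what a defender can measure on their own devices from a packet capture. The following Python script is an added example written for this article, not code from Nozomi Networks or from uClibc: it parses the 12-byte DNS header of captured queries, scores how predictable the transaction IDs are (the fraction of consecutive queries that share the most common ID delta, modulo 2^16 so wrap-around is handled), and checks whether the device varied its source port. All packets and port numbers are constructed inline for the demonstration, and the 0.5 threshold is an assumed cut-off, not a value from the research.

```python
import struct
from collections import Counter

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035, network byte order)
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(txid, name="example.com"):
    """Build a minimal DNS A-record query. Constructed sample traffic, not a real capture."""
    qname = b"".join(len(label).to_bytes(1, "big") + label.encode() for label in name.split(".")) + b"\x00"
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = standard query, recursion desired
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_txid(packet):
    """Return the transaction ID of a DNS query packet; reject responses and truncated data."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, *_ = DNS_HEADER.unpack_from(packet)
    if flags & 0x8000:  # QR bit set means this is a response, not a client query
        raise ValueError("expected a query, got a response")
    return txid


def txid_predictability(txids):
    """Fraction of consecutive ID pairs sharing the most common delta (mod 2^16).

    A resolver that increments its ID by a constant scores 1.0; properly random
    IDs score close to 1/(number of pairs). Fewer than three samples is inconclusive.
    """
    if len(txids) < 3:
        return 0.0
    deltas = [(b - a) % 65536 for a, b in zip(txids, txids[1:])]
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas)


def assess(samples, threshold=0.5):
    """samples: list of (udp_source_port, raw_query_bytes) seen from one device, in capture order."""
    txids = [parse_txid(pkt) for _, pkt in samples]
    ports = {port for port, _ in samples}
    score = txid_predictability(txids)
    return {
        "samples": len(samples),
        "txid_score": score,
        "txid_predictable": score >= threshold,   # assumed threshold, tune per environment
        "port_randomized": len(ports) > 1,        # a single port across all queries is the weak case
    }


# Constructed capture 1: IDs increase by one per query and the source port never changes.
VULNERABLE = [(2048, build_query(0x1000 + i)) for i in range(8)]

# Constructed capture 2: unrelated IDs and a different ephemeral port per query.
_RANDOMISH_IDS = [0x3A1F, 0x91C4, 0x0C77, 0xE28B, 0x5D09, 0xB6F2, 0x2E40, 0x7C95]
HEALTHY = [(40000 + 37 * i, build_query(t)) for i, t in enumerate(_RANDOMISH_IDS)]

if __name__ == "__main__":
    for label, capture in (("vulnerable", VULNERABLE), ("healthy", HEALTHY)):
        print(label, assess(capture))
```

Run it against queries exported from a capture of the device under test; a result with `txid_predictable` true and `port_randomized` false means the device offers an off-path attacker only the 16-bit ID to guess, which is the situation the article describes. Both flags must be healthy for the cache to have the roughly 32 bits of entropy that DNS relies on.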

DNS poisoning effectively tricks the target device into pointing to an arbitrarily defined endpoint and engaging in network communications with it.

By doing so, the attacker could redirect traffic to a server under their direct control.

“The attacker could then steal or manipulate the information transmitted by users and perform other attacks against those devices to fully compromise them. The main issue here is how DNS poisoning attacks can force an authenticated response,” – Nozomi Networks

Mitigation and fixes

Nozomi discovered the flaw in September 2021 and informed CISA about it. Then, in December, the company informed the CERT Coordination Center, and finally, in January 2022, it disclosed the vulnerability to more than 200 potentially affected vendors.

As mentioned above, there is currently no fix available for the flaw, which is now tracked as CVE-2022-05-02.

Currently, all stakeholders are coordinating to develop a workable patch and the community is expected to play a critical role in this, as this was precisely the purpose of the disclosure.

As affected vendors will have to apply the patch by implementing the new version of uClibc in firmware updates, it will take some time for fixes to reach end consumers.

Even then, end users will still need to apply firmware updates to their devices, which is another bottleneck causing delays in fixing critical security flaws.

“Because this vulnerability remains unpatched, for the safety of the community, we cannot disclose the specific devices we tested on,” says Nozomi.

“However, we can reveal that these were a range of known IoT devices running the latest firmware versions with a high probability of being deployed across critical infrastructure.”

Users of IoT devices and routers should keep an eye out for new firmware versions from vendors and apply the latest updates as soon as they become available.
