Unpatched DNS bug puts IoT devices at risk

  • May 4, 2022
  • Steve Rogerson

An unpatched DNS bug in the popular C standard library is putting IoT devices at risk, according to Nozomi Networks Labs, which discovered the vulnerability.

The bug affects the domain name system (DNS) implementation of all versions of uClibc and uClibc-ng, a popular C standard library in IoT products.

The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.
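The first thing a defender will want to know is whether a given device's resolver actually emits predictable transaction IDs. The following Python is an added example, not code from the Nozomi Networks write-up or from the uClibc project: it decodes the 12-byte DNS header of captured outgoing queries, collects their transaction IDs and scores the sequence for predictability (a counter or any fixed stride scores as predictable, random IDs do not). The packet samples are constructed here with a small query builder; in practice the raw UDP payloads would come from a packet capture of the device under test.

```python
"""Audit DNS transaction IDs from captured query packets for predictability.

Added example for the transaction-ID weakness described above. Assumes the
raw DNS message (UDP payload) of each outgoing query is available, e.g.
exported from a packet capture. All sample packets below are constructed.
"""
import struct
from collections import Counter

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, 12 bytes)
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_header(payload: bytes) -> dict:
    """Decode the fixed DNS header at the start of a UDP payload."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {
        "id": txid,
        "is_query": (flags & 0x8000) == 0,  # QR bit clear means query
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def query_ids(payloads) -> list:
    """Return the transaction IDs of those payloads that are queries."""
    return [h["id"] for h in map(parse_header, payloads) if h["is_query"]]


def assess_predictability(ids, min_samples: int = 8) -> dict:
    """Score how predictable a sequence of 16-bit transaction IDs is.

    Looks at the difference between consecutive IDs (mod 2**16) and reports
    how often the single most common difference occurs. A counter (stride 1)
    or any fixed stride yields a ratio of 1.0; random IDs yield a low ratio.
    Heavy reuse of the same ID values is also flagged.
    """
    if len(ids) < min_samples:
        raise ValueError(f"need at least {min_samples} IDs, got {len(ids)}")
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    stride, hits = Counter(deltas).most_common(1)[0]
    ratio = hits / len(deltas)
    distinct = len(set(ids))
    return {
        "samples": len(ids),
        "distinct": distinct,
        "dominant_stride": stride,
        "stride_ratio": ratio,
        "predictable": ratio >= 0.9 or distinct < len(ids) // 2,
    }


def build_query(txid: int, name: str) -> bytes:
    """Construct a minimal A-record query; used only to make sample input."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode() for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed samples: a resolver that simply counts, and one with random IDs.
COUNTER_PACKETS = [build_query(0x0100 + i, "example.com") for i in range(10)]
RANDOM_PACKETS = [
    build_query(txid, "example.com")
    for txid in (0x3F2A, 0x91C4, 0x0B77, 0xE05D, 0x5A19,
                 0xC3F0, 0x2E86, 0x7D43, 0xA9B2, 0x16EF)
]

if __name__ == "__main__":
    for label, packets in (("counter", COUNTER_PACKETS), ("random", RANDOM_PACKETS)):
        print(label, assess_predictability(query_ids(packets)))
```

The threshold of 0.9 on the stride ratio is a deliberately loose choice so that a short capture with an occasional retransmission or gap still flags a counting resolver; lower it if you have hundreds of samples and want to catch IDs that are only partly predictable.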

According to their respective official websites, uClibc is used by major vendors such as Linksys, Netgear and Axis, and by Linux distributions such as Embedded Gentoo, while uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers that may be deployed throughout various critical infrastructure sectors.

Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. For this reason, Nozomi has not disclosed the details of the devices on which it was able to reproduce the vulnerability.

The bug was announced in a blog post by Giannis Tsaraias and Andrea Palanca. They stressed that a vulnerability affecting a C standard library can be complex to deal with: not only could there be hundreds or thousands of calls to the vulnerable function at multiple points in a single programme, but the vulnerability also affects an indefinite number of other programmes from multiple vendors that are configured to use that library.

In modern computer networks, DNS is a hierarchical database whose primary and crucial purpose is translating a domain name into its corresponding IP address, which makes it a valuable target for attackers. In a DNS poisoning attack, an attacker deceives a DNS client into accepting a forged response, thereby inducing a programme to communicate with an endpoint of the attacker's choosing rather than the legitimate one.

A DNS poisoning attack enables subsequent man-in-the-middle attacks because the attacker, by poisoning DNS records, can reroute network communications to a server under their control. The attacker could then steal or manipulate information transmitted by users, and mount further attacks against those devices to compromise them.

“This vulnerability remains unpatched; however, we are working with the maintainer of the library and the broader community in support of finding a solution,” said the blog. “Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure. We recommend everyone increase their network visibility and security in both IT and OT environments.”