Routers and connected devices, including network cameras from companies including Netgear, Linksys and Axis, as well as those using Linux distributions such as Embedded Gentoo, are found to be affected by a domain name system (DNS) poisoning error that exists in two popular libraries used. for paired devices. Exact models affected by the vulnerability are not revealed by the researchers who discovered its existence, as the loophole still needs to be fixed. However, the vulnerable libraries have been used by a large number of vendors, including some of the well-known router and Internet of Things (IoT) device manufacturers.
The researchers at IT security firm Nozomi Networks said that the DNA implementation of all versions of libraries uClibc and uClibc-ng contained the DNA poisoning error that an attacker could exploit to redirect users to malicious servers and the information provided by the affected devices are shared, stolen. The problem was first discovered last year and was announced to more than 200 suppliers in January.
While uClibc has been used by vendors including Netgear, Linksys and Axis and is part of Linux distributions such as Embedded Gentoo, uClibc-ng is a fork designed for OpenWRT – the popular open source operating system for routers. It shows the extensive extent of the bug that can affect a large number of users around the world.
The vulnerability in both libraries allows attackers to predict a parameter called transaction ID which is normally a unique number per request generated by the client to protect communication through DNA.
In a normal situation, if the transaction ID is not available or differs from what was generated on the customer’s side, the system discards the answer. However, since the vulnerability involves the predictability of the transaction ID, an attacker could predict the number to eventually cheat the legitimate DNA and redirect requests to a fake web server or phishing site.
The researchers also noted that DNA poisoning attacks also enable attackers to launch subsequent Man-in-the-Middle attacks that can help them steal or manipulate information transmitted by users or even the devices that the vulnerable libraries carry, endanger.
“Because this vulnerability has not been addressed, for the safety of the community, we are unable to disclose the specific devices we tested on. However, we can disclose that it was a series of known IoT devices that used the latest firmware versions with a high chance they will be deployed through all critical infrastructure, ”said Andrea Palanca, a security researcher at Nozomi Networks.
The maintainer of uClibc-ng wrote in an open forum that they could not solve the problem at their end. Similarly, uClibc has not received an update since 2010, according to the details available on the library’s download page, as noted by Ars Technica.
However, device vendors are currently working to evaluate the problem and its impact.
Netgear has issued a statement acknowledging the impact of the vulnerability on its devices.
“Netgear is aware of the release of an industry-wide security vulnerability in the uClibc and uClibc-ng embedded C libraries that affect some products. Netgear is working to determine which products are affected. All Netgear products use source port randomization and we are not currently aware of any specific exploitation that could be used against the affected products, ”the company said.
It also ensured that it would continue to investigate the issue, and, should a solution become available in the future, evaluate whether the solution applies to the affected Netgear products.
Gadgets 360 has also reached out to vendors including Linksys and Axis to get their comments on the bug and will update this article when they respond.