Routers and connected devices including network cameras from companies including Netgear, Linksys and Axis, as well as two popular libraries using Linux distributions such as Embedded Gentoo, are found to be affected by domain name system (DNS) poisoning defects. for connected devices. The exact models affected by the vulnerability have not been revealed by the researchers who discovered its existence because the loophole has yet to be ironed out. However, vulnerable libraries have been used by a large number of vendors, including some well-known router and Internet of Things (IoT) device manufacturers.
Researchers at IT security firm Nozomi Networks said That DNS All version implementations of the libraries uClibc and uClibc-ng carry a DNS poisoning flaw that an attacker can exploit to redirect users to malicious servers and steal information shared through affected devices. The issue was first discovered last year and was exposed to over 200 vendors in January.
While uClibc has been used by vendors, including netgear, Linksysand is a part of the axis and Linux Embedded Gentoo-like distributions, uClibc-ng is a fork which is designed for OpenWRT – Popular open-source operating system for routers. This reflects the wide scope of the flaw that can affect a large number of users across the globe.
The vulnerability in both libraries enables attackers to predict a parameter called the transaction ID which is normally a unique number per request generated by the client to protect communication via DNS.
In a normal case, if the transaction ID is not available or is different from the ID generated by the client, the system discards the response. However, since the vulnerability brings transaction ID predictions, an attacker can eventually guess the number to spoof a valid DNS and redirect requests towards a fake web server or phishing website.
The researchers also noted that DNS poisoning attacks enable attackers to launch subsequent man-in-the-middle attacks that could help them steal or manipulate information transmitted by users or vulnerable libraries. May compromise carrying equipment.
“Since this vulnerability remains unchanged, to protect the community we cannot disclose the specific devices we tested on. However, we can disclose that they were a series of well-known IoT devices Those were running the latest firmware versions with a high probability. They are being deployed in all critical infrastructure,” said Andrea Palanca, a security researcher at Nozomi Networks.
The maintainers of uClibc-ng wrote in an open forum that they were not able to fix the issue on their behalf. Similarly, uClibc has not received any updates since 2010, as per the details available at download page of the library, as paid attention by Ars Technica.
However, device vendors are currently working on evaluating the issue and its impact.
netgear issued a statement To acknowledge the impact of the vulnerability on your devices.
“Netgear is aware of the disclosure of an industry-wide security vulnerability in the uClibc and uClibc-ng embedded C libraries affecting certain products. Netgear is assessing which products are affected. All Netgear products use source port randomization And we are not currently aware of any specific exploits that may be used against affected products,” the company said.
It also assured that it will continue to investigate the issue, and, if a solution becomes available in the future, will evaluate whether the fix is applicable to affected Netgear products.
Gadgets 360 has also contacted vendors including Linksys and Axis to receive their comments on the flaw and will update this article when they respond.