Unpatched DNS Flaw Affects Millions of IoT Devices and Routers

A flaw in the DNS (Domain Name System) component of uClibc, a popular standard C library found in a wide range of IoT products, could expose millions of devices to DNS cache poisoning or DNS spoofing attacks.

Photo: Sebastian Scholz (Nuki)/Unsplash

Through such attacks, a victim can be redirected to a malicious website hosted at an IP address on a server controlled by the attacker.

Both the uClibc library and the uClibc-ng fork used by OpenWRT are widely deployed by major router vendors such as Netgear, Axis, and Linksys, as well as in Linux distributions aimed at embedded applications.

According to researchers at Nozomi Networks, no fix for the vulnerability is yet available from the uClibc maintainers, so products from as many as 200 vendors remain at risk.

Flaw details

uClibc is a standard C library geared towards embedded systems; it provides many of the functions and configuration options those devices need.

The DNS implementation in uClibc is the mechanism devices use to perform DNS lookups (issuing queries, translating domain names to IP addresses, and so on).

Nozomi researchers noticed some quirks in an internal lookup function while analyzing traces of the DNS requests made by a connected device that uses the uClibc library.

On further investigation, the analysts found that the transaction ID of each DNS lookup request was predictable. The transaction ID is the 16-bit field a resolver uses to match an incoming response to its outstanding query; if an attacker can guess it, they can forge a response the resolver will accept, which under certain circumstances makes DNS cache poisoning possible.

Image: Nozomi

Consequences of the flaw

If the operating system does not randomize the UDP source port, or if it does but the attacker is able to force the 16-bit source port value, a specially crafted DNS response sent to a device using the vulnerable library can trigger DNS cache poisoning (a compromise of the integrity of the answers the Domain Name System returns).
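The following is an added example, not code from Nozomi Networks or from uClibc. It models the two conditions described in this section and under "Flaw details": a stub resolver whose 16-bit transaction ID is predictable and whose UDP source port the attacker can learn, so that an off-path attacker who has watched a few lookups can forge a single response the resolver accepts. It also scores a sequence of transaction IDs for predictability, the check a defender can run on IDs pulled from a packet capture. All packets, ID sequences and port numbers are constructed inline; the sequential-ID pattern of the weak resolver is an assumption used for illustration, not a description of uClibc's actual generator.

```python
from collections import Counter
from itertools import count, repeat
import struct

def build_query(txid, qname, qtype=1):
    """Minimal DNS query in RFC 1035 wire format: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def build_answer(txid, qname, ip):
    """Response carrying the given TXID: repeats the question and adds one A record for ip."""
    question = build_query(txid, qname)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD RA, ANCOUNT=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name ptr -> offset 12, A, IN, TTL 300
    return header + question + rr + bytes(int(octet) for octet in ip.split("."))

def parse_txid(pkt):
    return struct.unpack("!H", pkt[:2])[0]

def parse_qname(pkt):
    """Walk the uncompressed label sequence at offset 12 and return the dotted name."""
    off, labels = 12, []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += n + 1
    return ".".join(labels)

def parse_answer_ip(pkt):
    """IPv4 address from the trailing RDATA (valid for packets made by build_answer)."""
    return ".".join(str(b) for b in pkt[-4:])

class StubResolver:
    """Toy stub resolver. TXIDs and source ports come from iterators, so the weak and
    hardened variants below differ only in how they are fed."""
    def __init__(self, txids, ports):
        self.txids, self.ports = txids, ports
        self.pending = None  # (sport, txid, qname) of the in-flight query
        self.cache = {}

    def send_query(self, qname):
        txid, sport = next(self.txids), next(self.ports)
        self.pending = (sport, txid, qname)
        return sport, build_query(txid, qname)

    def receive(self, dport, pkt):
        """Accept a response only if port, TXID and question all match the pending query."""
        if self.pending is None:
            return False
        sport, txid, qname = self.pending
        if dport != sport or parse_txid(pkt) != txid or parse_qname(pkt) != qname:
            return False
        self.cache[qname] = parse_answer_ip(pkt)
        self.pending = None
        return True

def txid_steps(txids):
    return [(b - a) % 65536 for a, b in zip(txids, txids[1:])]

def txid_predictability(txids):
    """Fraction of consecutive TXID steps equal to the most common step (mod 2**16).
    1.0 means every step is identical (e.g. sequential IDs); n random IDs score about 1/(n-1)."""
    steps = txid_steps(txids)
    if not steps:
        return 0.0
    return Counter(steps).most_common(1)[0][1] / len(steps)

def predict_next(txids):
    """Attacker's guess for the next TXID: last observed ID plus the most common step."""
    steps = txid_steps(txids)
    step = Counter(steps).most_common(1)[0][0] if steps else 1
    return (txids[-1] + step) % 65536

def run_attack(resolver, observed, victim_name, evil_ip):
    """Off-path attacker: watch `observed` normal lookups (TXIDs and source port), then
    race the victim's next lookup with one forged response. Returns True if the resolver
    accepted the forgery and cached evil_ip for victim_name."""
    seen, last_port = [], None
    for i in range(observed):
        last_port, pkt = resolver.send_query(f"host{i}.example.com")
        seen.append(parse_txid(pkt))
        legit = build_answer(parse_txid(pkt), parse_qname(pkt), "192.0.2.1")  # real server's reply
        resolver.receive(last_port, legit)
    resolver.send_query(victim_name)  # the lookup the attacker wants to poison
    forged = build_answer(predict_next(seen), victim_name, evil_ip)
    return resolver.receive(last_port, forged)

# Constructed inputs. The weak resolver hands out sequential TXIDs from one fixed
# ephemeral port (assumed pattern). The hardened one draws both from sequences with
# no usable structure; the values are hand-picked stand-ins for CSPRNG output.
RANDOM_TXIDS = [0x3A2F, 0x91C4, 0x07B8, 0xE512, 0x4C91, 0x2D06]
RANDOM_PORTS = [51234, 60021, 33987, 49160, 57311, 40402]

def weak_resolver():
    return StubResolver(count(0x1A30), repeat(46500))

def hardened_resolver():
    return StubResolver(iter(RANDOM_TXIDS), iter(RANDOM_PORTS))
```

Run on TXIDs extracted from a capture, a score near 1.0 is the signal to look for; a resolver that scores high and never changes its source port is exposed even though every individual lookup looks normal. The forged reply only has to reach the socket before the legitimate one, which is why a single guess is enough when both fields are known and why randomizing both raises the attacker's work to roughly 2^32 guesses per lookup.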

In practice, this type of attack tricks the target device into resolving a name to an endpoint of the attacker's choosing and then communicating with it.

With this, the attacker would be able to redirect traffic to a server under their control. “The attacker could then steal or manipulate the information transmitted by users and carry out other attacks against these devices to completely compromise them. The key question here is how DNS poisoning attacks can force an authenticated response.”

Fix not yet available

Nozomi reported the flaw to CISA last September, and subsequently to the CERT Coordination Center and the 200-plus vendors potentially affected. The class of attack itself is not new: Dan Kaminsky drew attention to DNS cache poisoning in 2008, and credited Daniel J. Bernstein, creator of DJBDNS, who had warned about the weakness in 1999.

Although stakeholders are coordinating on a viable fix, there is still no update for the flaw, which is tracked as ICS-VU-638779 and VU#473698 (no CVE has been assigned yet).

Even once a patched uClibc version is released, vendors will still have to incorporate it into firmware updates, so the fix is likely to take some time to reach end users.

Users of IoT devices are advised to watch for new firmware versions from their vendors and install the latest updates as they become available.

“As this vulnerability remains unresolved, for the safety of the community we cannot reveal the specific devices we tested on.”

“We can, however, reveal that they were a range of well-known IoT devices running the latest firmware versions with a high chance of being deployed across critical infrastructure,” says Nozomi.

Via BleepingComputer
